Model-driven risk analysis of evolving critical infrastructures

Original Research


The protection and security of critical infrastructures are important parts of Homeland Defense. Adequate means for analyzing the security risks of such infrastructures are a prerequisite for properly understanding the security needs and for maintaining appropriate incident preparedness. Risk management consists of coordinated activities to direct and control an organization with regard to risk, and includes the identification, analysis and mitigation of unacceptable risks. For critical infrastructures consisting of interdependent systems, risk analysis and mitigation are challenging because the overall risk picture may be strongly affected by changes in only a few of the systems. In order to continuously manage risks and maintain an adequate level of protection, the validity of risk models must be continuously maintained while systems change and evolve. This paper addresses these challenges by presenting an approach to model-driven security risk analysis of changing and evolving systems. The approach is a tool-supported method with techniques and modeling support for tracing system changes to risk models, as well as for explicitly modeling the impact of changes on the current risk picture. The presented artifacts are exemplified and validated in the domain of air traffic management.


Keywords: Risk analysis; Security; Interdependencies; Evolution; Critical infrastructures; Incident preparedness; ATM



Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  1. SINTEF ICT, Oslo, Norway
