Abstract
Risk management comprises coordinated activities to direct and control an organization with regard to risk, and includes the identification, analysis and mitigation of unacceptable risks. For critical infrastructures consisting of interdependent systems, risk analysis and mitigation are challenging because the overall risk picture can be strongly affected by changes in only a few of the systems. To continuously manage risks and maintain an adequate level of protection, the validity of risk models must be continuously maintained as systems change and evolve. This paper presents a risk analysis tool that supports the modeling and analysis of changing and evolving risks. The tool supports the traceability of system changes to risk models, as well as the explicit modeling of the impact on the risk picture. The tool, as well as the underlying risk analysis method, is exemplified and validated in the domain of air traffic management.
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Seehusen, F., Solhaug, B. (2012). Tool-Supported Risk Modeling and Analysis of Evolving Critical Infrastructures. In: Quirchmayr, G., Basl, J., You, I., Xu, L., Weippl, E. (eds) Multidisciplinary Research and Practice for Information Systems. CD-ARES 2012. Lecture Notes in Computer Science, vol 7465. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-32498-7_43
DOI: https://doi.org/10.1007/978-3-642-32498-7_43
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-32497-0
Online ISBN: 978-3-642-32498-7
eBook Packages: Computer Science (R0)