A Graphical Approach to Risk Identification, Motivated by Empirical Investigations

  • Ida Hogganvik
  • Ketil Stølen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4199)


We propose a graphical approach to identify, explain and document security threats and risk scenarios. Security risk analysis can be time-consuming and expensive; hence, it is of great importance that the involved parties quickly understand the risk picture. Risk analysis methods often make use of brainstorming sessions to identify risks, threats and vulnerabilities. These sessions involve system users, developers and decision makers, who typically have completely different backgrounds and view the system from different perspectives. To facilitate communication and understanding among them, we have developed a graphical approach to document and explain the overall security risk picture. The development of the language and the guidelines for its use has been based on a combination of empirical investigations and experience gathered from using the approach in large-scale industrial field trials. The investigations involved both professionals and students, and each field trial was on the order of 250 person-hours.





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ida Hogganvik (1)
  • Ketil Stølen (1)
  1. SINTEF ICT and Department of Informatics, University of Oslo
