The Coras Approach for Model-Based Risk Management Applied to E-Commerce Domain

  • Chapter

Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT,volume 100)


The CORAS project develops a practical framework for model-based risk management of security-critical systems by combining risk analysis methods with semiformal specification methods, supported by an adaptable tool-integration platform. The framework is accompanied by the CORAS process, a systems development process based on the integration of RUP with a standardised security risk management process, and it is supported by an XML-based tool-integration platform. The CORAS framework and process are being validated in extensive user trials in the areas of e-commerce and telemedicine. This paper presents an overview of the CORAS framework, emphasising the modelling approach followed in the first of the user trials (concerning the authentication mechanism of an e-commerce platform), and it provides some examples of the risk analyses employed in this context.

Key words

  • Security
  • risk analysis
  • modeling
  • e-Commerce

The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35612-9_23


Copyright information

© 2002 IFIP International Federation for Information Processing

Cite this chapter

Raptis, D., Dimitrakos, T., Gran, B.A., Stølen, K. (2002). The Coras Approach for Model-Based Risk Management Applied to E-Commerce Domain. In: Jerman-Blažič, B., Klobučar, T. (eds) Advanced Communications and Multimedia Security. IFIP — The International Federation for Information Processing, vol 100. Springer, Boston, MA.

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-1-4757-4405-7

  • Online ISBN: 978-0-387-35612-9