《模型驱动的经济学风险分析:CORAS方法 Model-Driven Risk Analysis The CORAS Approach.pdf》由会员分享,可在线阅读,更多相关《模型驱动的经济学风险分析:CORAS方法 Model-Driven Risk Analysis The CORAS Approach.pdf(226页珍藏版)》请在taowenge.com淘文阁网|工程机械CAD图纸|机械工程制图|CAD装配图下载|SolidWorks_CaTia_CAD_UG_PROE_设计图分享下载上搜索。
1、Mass Soldal Lund?Bjrnar Solhaug?Ketil StlenModel-DrivenRisk AnalysisThe CORAS ApproachMass Soldal LundBjrnar SolhaugKetil StlenSINTEF ICTP.O.box 124 Blindern0314 OsloNorwayMass.S.Lundsintef.noBjornar.Solhaugsintef.noKetil.Stolensintef.noISBN 978-3-642-12322-1e-ISBN 978-3-642-12323-8DOI 10.1007/978-3
2、-642-12323-8Springer Heidelberg Dordrecht London New YorkLibrary of Congress Control Number:2010936190ACM Computing Classification(1998):K.6,D.2.9 Springer-Verlag Berlin Heidelberg 2011This work is subject to copyright.All rights are reserved,whether the whole or part of the material isconcerned,spe
3、cifically the rights of translation,reprinting,reuse of illustrations,recitation,broadcasting,reproduction on microfilm or in any other way,and storage in data banks.Duplication of this publicationor parts thereof is permitted only under the provisions of the German Copyright Law of September 9,1965
4、,in its current version,and permission for use must always be obtained from Springer.Violationsare liable to prosecution under the German Copyright Law.The use of general descriptive names,registered names,trademarks,etc.in this publication does notimply,evenintheabsenceofaspecificstatement,thatsuch
5、namesareexempt fromtherelevantprotectivelaws and regulations and therefore free for general use.Cover design:KnkelLopka GmbH,HeidelbergPrinted on acid-free paperSpringer is part of Springer Science+Business Media()PrefaceExposure to risk is inescapable in most domains.People and families,enterprises
6、,governments,private and public organisations,infrastructure providers,serviceproviders,and so forth all encounter risks on an ongoing and frequent basis.Thekinds of risks however vary from domain to domain,be it safety,economy,informa-tion and ICT security,politics,civil protection,emergency planni
7、ng,defence,law,health,and so on.The need for understanding and managing risk is self-evident.Risk management is moreover in many cases imposed as a prerequisite,be it bylaw and legal regulations or from the public opinion,in particular within criticalareas that may affect privacy and welfare,or even
8、 health and human life.In othercases,the lack of good routines,cultures and processes for managing risk may be adecisive factor for risks to emerge that should or could have been avoided.In this book,we present CORAS,which is a model-driven approach to risk anal-ysis.Risk analysis is a core part of
9、the overall process of risk management.In orderto conduct risk analysis in practice,there is clearly a need for well-defined methods,techniques and guidelines for how to do this,and this is precisely what CORASoffers.Risk analysts,or for that matter anyone with a need for identifying and un-derstand
10、ing risks,will in this book find guidance on how to conduct a stepwise,structured and systematic analysis and documentation of risks.The book also serves as an introduction to risk analysis in general,and as an in-troduction to the central and well-established underlying concepts and terminology.Pra
11、ctitioners,as well as graduate or undergraduate students,particularly within theIT domain,are therefore main target groups of this book.CORAS is strongly relatedto international standards on risk management,and this book therefore serves as anintroduction to many of the issues that are addressed in
12、these standards.An important objective of this book is to accompany standardised risk manage-ment guidelines and terminology with comprehensive pragmatic support.Interna-tional standards generally focus on the what,but say little or nothing about the how.This book is a self-contained contribution no
13、t only to understand what risk man-agement,risk analysis and risk related concepts are,but also to learn how to do riskanalysis in practice.Extensive use of practical and illustrative examples furthermorefacilitates a deep understanding of both the pragmatics and the conceptual aspects.vviPrefaceThe
14、 comprehensiveness of CORAS is manifested by the three complementaryparts of the approach.CORAS consists of a customised language for risk mod-elling,a tool supporting the language,and a risk analysis method into which thetool-supported risk modelling language is tightly interwoven.It is particularl
15、y thespecialised support for risk modelling that distinguishes CORAS from other ap-proaches to risk analysis.The CORAS language provides explicit support for therisk analysis steps and tasks,and is furthermore closely related to the underlyingrisk analysis concepts.The CORAS approach as presented in
16、 this book is the result of work that was ini-tiated in 2001,and that draws upon academic research,empirical studies,thoroughexperience,as well as close interaction and cooperation with actors from severalindustrial domains.Along the way,we have benefited greatly from fruitful coop-eration with many
17、 colleagues,and much work on different aspects of CORAS hasalready been published in articles,papers,reports and doctoral theses.Several col-leagues have also contributed to this book by coauthoring some of the chapters,orby giving valuable criticism,suggestions and feedback,and for this we owe them
18、great thanks.We are deeply grateful to Ida Hogganvik Grndahl for her influential doctoralwork.Many aspects of the CORAS approach as presented in this book are stronglyinspired by her work,in particular the basic CORAS language.WeoweourgreatthankstoGyrdBrndeland,AtleRefsdalandFredrikSeehusenfor each
19、coauthoring a chapter in this book,and for their valuable suggestions andcomments.Fredrik Seehusen has moreover contributed by being the main developerof the current version of the CORAS tool.Many thanks also to Folker den Braber,Heidi Dahl and Fredrik Vraalsen for their contributions over the past
20、years,and toOlav Ligaarden for helping us with the index and for making valuable suggestions.Many thanks to Tobias Mahler for his many comments and fruitful criticism,inparticular on the chapter on legal aspects.His doctoral work on legal risk manage-ment served as a valuable source of inspiration,a
21、nd we acknowledge the synergiesbetween his work and the work that has led to this book.We are thankful to Jan yvind Aagedal,Iselin Engan,Bjrn Axel Gran,JanHeim,Siv Hilde Houmb,Tormod Hvaldsrud,Tom Lysemose,Aida Omerovic,EvaSkipnes and Jan Hvard Skjetne,each of which has contributed by valuable sugge
22、s-tions or via fruitful cooperation in CORAS related work.We are thankful to our colleagues at SINTEF ICT,including our Head of De-partment Bjrn Skjellaug.Many thanks also to the colleagues that we have workedwith in several national and international projects that have been related to CORAS.These p
23、eople include Demissie Aredo,Gustav Dahll,Theo Dimitrakos,Ivan Djord-jevic,Rune Fredriksen,Chingwoei Gan,Eva Henriksen,Erik Mork Knutsen,Mon-ica Kristiansen,Simon Lambert,Katerina Papadaki,Xavier Parent,AthanasiosPoulakidas,Dimitris Raptis,Brian Ritchie,Yannis Stamatiou,Nikos Stathiakis,Atoosa Thune
24、m,Erik Wislff and Bjarte stvold.We also recognise the valuable feedback and knowledge acquired from many in-dustrial field trials and commercial risk analyses based on CORAS.In relation tothis,we would like to thank Tor Aalborg,Semming Austin,Nils Inge Brubrerg,Pet-ter Christensen,Sten Vidar Eikrem,
25、Hvard Fridheim,Are Torstein Gimnes,DavidPrefaceviiGoldby,Janne Hagen,Rune Hagen,Tor-Gaute Indsty,Hege Jacobsen,Ole JarlKvammen,Arne Bjrn Mildal,Per Myrseth,Mikkel Skou,Petter Taugbl,AnneKarin Wahlfjord,Hermann Steen Wiencke and Jon lnes.We are also in debt to the many students who have followed our
26、course INF5150at the University of Oslo since it was started up in 2001,as well as the to the MScstudents who have addressed various aspects of CORAS in their thesis work.Inparticular,we would like to thank Emese L.Bogya,Jenny Beate Haugen,VikashKatta,Igor Kodrik,Mihail Korabelnikov,Stig Torsbakken,
27、and Shahbaz ChaudharyYaqub.Our work on developing the CORAS approach has benefited from research injoint projects with a number of good partners.The initial CORAS approach wasdeveloped within the CORAS project funded by the European Commission that ranfrom 2001 until 2003.We are thankful to the proj
28、ect coordinator Yves Paindaveine,as well as the project leaders Tom Arthur Opperud and Tony Price,for providing agood environment for fruitful research.We are also grateful to Habtamu Abie whotogether with Eva Skipnes in 1999 invited us to join the consortium that later startedthe CORAS project.Some
29、 of the research results that is reported in this book has partly been fundedby the Research Council of Norway through the projects COBRA,COMA,DIGIT,EMERGENCY,ENFORCE and SECURIS.The research has also partly beenfunded by the European Commission through the projects iTrust,MASTER,MOD-ELWARE,SecureCh
30、ange,S3MS and TrustCoM.Oslo,NorwayMass Soldal LundBjrnar SolhaugKetil StlenContentsPart IIntroductory Overview1Introduction.31.1The Importance of Risk Analysis.31.2Asset Identification.41.3Risk Modelling.51.4The CORAS Approach.51.4.1The CORAS Language.61.4.2The CORAS Tool.61.4.3The CORAS Method.61.5
31、The Generality of CORAS.71.6Overall Aim and Emphasis.81.7Organisation.81.7.1Part I:Introductory Overview.91.7.2Part II:Core Approach.91.7.3Part III:Selected Issues.111.7.4Appendices.121.8Colours in CORAS and in this Book.132Background and Related Approaches.152.1Basic Terminology.152.2Related Approa
32、ches.172.2.1Risk Analysis Methods.172.2.2Table-based Risk Analysis Techniques.182.2.3Tree-based Risk Analysis Techniques.182.2.4Graph-based Risk Analysis Techniques.192.2.5Situating CORAS Within this Picture.203A Guided Tour of the CORAS Method.233.1Preparations for the Analysis.233.2Customer Presen
33、tation of the Target.253.3Refining the Target Description Using Asset Diagrams.26ixxContents3.4Approval of the Target Description.313.5Risk Identification Using Threat Diagrams.333.6Risk Estimation Using Threat Diagrams.373.7Risk Evaluation Using Risk Diagrams.393.8Risk Treatment Using Treatment Dia
34、grams.41Part IICore Approach4The CORAS Risk Modelling Language.474.1Central Concepts.484.1.1What is a Threat?.484.1.2What is a Threat Scenario?.494.1.3What is a Vulnerability?.514.1.4What is an Unwanted Incident?.534.1.5What is an Asset?.554.2The Diagrams of the CORAS language.564.2.1Asset Diagrams.
35、564.2.2Threat Diagrams.584.2.3Risk Diagrams.604.2.4Treatment Diagrams.624.2.5Treatment Overview Diagrams.644.3How to Schematically Translate CORAS Diagrams into EnglishProse.654.3.1How to Translate Asset Diagrams.654.3.2How to Translate Threat Diagrams.674.3.3How to Translate Risk Diagrams.694.3.4Ho
36、w to Translate Treatment Diagrams.694.3.5How to Translate Treatment Overview Diagrams.704.4Summary.715Preparations for the Analysis.735.1Overview of Step 1.735.2Conducting the Tasks of Step 1.765.3Summary of Step 1.786Customer Presentation of the Target.816.1Overview of Step 2.816.2Conducting the Ta
37、sks of Step 2.836.2.1Presentation of the CORAS Terminology and Method.836.2.2Presentation of the Goals and Target of the Analysis.866.2.3Setting the Focus and Scope of the Analysis.896.2.4Determining the Meeting Plan.916.3Summary of Step 2.947Refining the Target Description Using Asset Diagrams.957.
38、1Overview of Step 3.95Contentsxi7.2Conducting the Tasks of Step 3.977.2.1Presentation of the Target by the Analysis Team.977.2.2Asset Identification.1017.2.3High-level Analysis.1067.3Summary of Step 3.1098Approval of the Target Description.1118.1Overview of Step 4.1118.2Conducting the Tasks of Step
39、4.1138.2.1Approval of the Target Description.1148.2.2Ranking of Assets.1158.2.3Setting the Consequence Scales.1168.2.4Setting the Likelihood Scale.1188.2.5Defining the Risk Function.1208.2.6Deciding the Risk Evaluation Criteria.1228.3Summary of Step 4.1249Risk Identification Using Threat Diagrams.12
40、59.1Overview of Step 5.1259.2Conducting the Tasks of Step 5.1289.2.1Categorising Threat Diagrams.1289.2.2Identification of Threats and Unwanted Incidents.1299.2.3Identification of Threat Scenarios.1339.2.4Identification of Vulnerabilities.1379.3Summary of Step 5.14410Risk Estimation Using Threat Dia
41、grams.14710.1 Overview of Step 6.14710.2 Conducting the Tasks of Step 6.14910.2.1 Likelihood Estimation.15010.2.2 Consequence Estimation.15410.2.3 Risk Estimation.15710.3 Summary of Step 6.16311Risk Evaluation Using Risk Diagrams.16511.1 Overview of Step 7.16511.2 Conducting the Tasks of Step 7.1671
42、1.2.1 Confirming the Risk Estimates.16711.2.2 Confirming the Risk Evaluation Criteria.16811.2.3 Providing a Risk Overview.16911.2.4 Accumulating Risks.17011.2.5 Estimating Risks with Respect to Indirect Assets.17311.2.6 Evaluating the Risks.18211.3 Summary of Step 7.185xiiContents12Risk Treatment Us
43、ing Treatment Diagrams.18712.1 Overview of Step 8.18712.2 Conducting the Risk Treatment.18812.2.1 Grouping of Risks.18912.2.2 Treatment Identification.19112.2.3 Treatment Evaluation.19612.3 Summary of Step 8.203Part IIISelected Issues13Analysing Likelihood Using CORAS Diagrams.20713.1 Using CORAS Di
44、agrams to Calculate Likelihood.20813.1.1 Specifying Likelihood Using CORAS Diagrams.20813.1.2 Rules for Calculating Probability in CORAS Diagrams.21013.1.3 Rules for Calculating Frequency in CORAS Diagrams.22213.1.4 Likelihood as Probability or Frequency.22613.1.5 Generalisation to Intervals and Dis
45、tributions.22713.2 Using CORAS Diagrams to Check Consistency.22913.3 Using CORAS to Analyse Scenarios with Logical Connectives.23313.3.1 Using CORAS to Analyse Scenarios with LogicalConjunction.23313.3.2 Using CORAS to Analyse Scenarios with LogicalDisjunction.23613.4 How to Structure a Threat Diagr
46、am to Exploit the Potential forLikelihood Analysis.23713.4.1 Enabling Application of Rules by Composition.23713.4.2 Enabling Application of Rules by Decomposition.23913.5 Summary.24314The High-level CORAS Language.24514.1 Referring Elements and Referenced Diagrams.24614.1.1 Threat Scenarios.24714.1.
47、2 Unwanted Incidents.25014.1.3 Risks.25114.1.4 Treatment Scenarios.25314.2 Likelihoods in High-level CORAS.25714.2.1 Reasoning About the Likelihoods in a High-level Diagram.26014.2.2 Reasoning About the Likelihoods in a Referenced Diagram 26114.2.3 Analysing the Relation Between the Likelihoods of a
48、Referring Element and the Likelihoods in the ReferencedDiagrams.26314.3 Consequences in High-level CORAS.26414.4 Risk Levels in High-level CORAS.26614.5 How to Schematically Translate High-level CORAS Diagramsinto English Prose.267Contentsxiii14.5.1 Referring Elements.26714.5.2 Referenced Diagrams.2
49、7014.6 Example Case in High-level CORAS.27114.6.1 Threat Diagram.27214.6.2 Risk Diagram.27514.6.3 Treatment Diagram.27714.7 Summary.27915Using CORAS to Support Change Management.28315.1 Classification of Changes.28315.1.1 Target of Analysis.28415.1.2 Scope and Focus.28515.1.3 Environment.28515.1.4 A
50、ssumptions.28515.1.5 Parties and Assets.28615.1.6 Context.28615.1.7 Changes in our Knowledge.28715.2 Managing Change.28715.2.1 Maintenance Perspective.28815.2.2 Before-after Perspective.29015.2.3 Continuous Evolution Perspective.29415.3 Summary.29616The Dependent CORAS Language.29716.1 Modelling Dep