Abstract
Systematic security risk analysis requires an information model which integrates the system design, the security environment (the attackers, security goals, etc.) and proposed security requirements. Such a model must be scalable to accommodate large systems, and support the efficient discovery of threat paths and the production of risk-based metrics; the modeling approach must balance complexity, scalability and expressiveness. This paper describes such a model; novel features include combining formal information modeling with informal requirements traceability to support the specification of security requirements on incompletely specified services, and the typing of information flow to quantify path exploitability and model communications security.
Copyright information
© 2006 IFIP International Federation for Information Processing
About this paper
Cite this paper
Chivers, H. (2006). Information Modeling for Automated Risk Analysis. In: Leitold, H., Markatos, E.P. (eds) Communications and Multimedia Security. CMS 2006. Lecture Notes in Computer Science, vol 4237. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11909033_21
DOI: https://doi.org/10.1007/11909033_21
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-47820-1
Online ISBN: 978-3-540-47823-2
eBook Packages: Computer Science (R0)