Pitt IS 2620 - Improve Enterprise Security

Model-based Risk Assessment to Improve Enterprise Security

Jan Øyvind Aagedal*, Folker den Braber*, Theo Dimitrakos§, Bjørn Axel Gran#, Dimitris Raptis‡, Ketil Stølen*

*SINTEF Telecom and Informatics, P.O.Box 124, Blindern, N-0314 Oslo, Norway
§CLRC Rutherford Appleton Laboratory, Oxfordshire, OX11 0QX, UK
#Institute for Energy Technology, P.O. Box 173, N-1751 Halden, Norway
‡INTRACOM, 19.5 Km Markopoulou Av., GR-19002, Peania Athens, Greece
{Jan.Aagedal | Folker.den.Braber | Ketil.Stoelen}@[email protected], [email protected], [email protected]

Proceedings of the Sixth International ENTERPRISE DISTRIBUTED OBJECT COMPUTING Conference (EDOC'02) 0-7695-1656-4/02 $17.00 © 2002 IEEE

Abstract

The main objective of the CORAS project is to provide methods and tools for precise, unambiguous, and efficient risk assessment of security critical systems. To this end, we advocate a model-based approach to risk assessment, and this paper attempts to define the required models for this. Whereas traditional risk assessment is performed without any formal description of the target of evaluation or of the results of the risk assessment, CORAS aims to provide a well defined set of models well suited (1) to describe the target of assessment at the right level of abstraction, (2) to serve as a medium for communication between the different groups of stakeholders involved in a risk assessment, and (3) to document risk assessment results and the assumptions on which these results depend. We propose here models for each step in a risk assessment process and report results of use.

1. Introduction

CORAS [1] is a research and development project under the European Information Society Technologies Programme. CORAS started in January 2001 and runs until July 2003. The consortium consists of three commercial companies: Intracom (Greece), Solinet (Germany) and Telenor (Norway); seven research institutes: CTI and FORTH (Greece), IFE, NCT, NR, and Sintef (Norway) and RAL (UK); as well as one university: QMUL (UK). Telenor and Sintef are administrative and scientific co-ordinators, respectively.

CORAS aims to produce an improved methodology for precise, unambiguous, and efficient risk analysis of security critical systems. The focus of the CORAS project is on the tight integration of viewpoint-oriented modelling in the risk assessment process. An important aspect of the CORAS project is the practical use of UML [2] in the context of security and risk assessment.

CORAS addresses security-critical systems in general, but puts particular emphasis on IT security. IT security includes all aspects related to defining, achieving, and maintaining confidentiality, integrity, availability, non-repudiation, accountability, authenticity, and reliability of IT systems [3]. An IT system in the sense of CORAS is not just technology, but also the humans interacting with the technology and all relevant aspects of the surrounding organisation and society.

The remainder of this paper is structured as follows. Section 2 provides background information on risk assessment and modelling. Section 3 presents the model-based risk assessment process and introduces the models that should be created as part of that process. Section 4 illustrates how model-based risk assessment can be applied to an e-commerce case. Finally, section 5 points to related work while section 6 summarises our results and identifies future work.

2. Background

In this section, we briefly present relevant background information on risk assessment and modelling.

2.1. Risk assessment

Risk assessment incorporates risk analysis and risk management, i.e., it combines systematic processes for identifying risks, determining their consequences, and deciding how to deal with them. Many risk assessment methodologies exist, focussing on different types of risks or different areas of concern. The CORAS methodology builds on: HAZard and OPerability study (HazOp); Fault Tree Analysis (FTA); Failure Mode and Effect Criticality Analysis (FMECA); Markov analysis (Markov); CCTA Risk Analysis and Management Methodology (CRAMM).

The methods are to a great extent complementary. They address all types of risks associated with the target system. They also cover all phases in the system development and maintenance process. In general, qualitative methodologies for analysing risk are effective in identifying threats and failures in trust within the system, but they lack the ability to account for the dependencies between events. Tree-based techniques, however, take the dependencies between events into consideration. Risk assessment is generally accompanied by volumes of documents in which relationships and links are difficult to find.

2.1.1. Process

The Australian/New Zealand standard AS/NZS [4] is a widely recognised standard within the field of risk assessment. Figure 1 shows an overview of the risk assessment process in this standard. In CORAS, we use this process to position models within risk assessment.

Figure 1. Risk assessment overview [4]. (Figure: Identify Context; Identify Risks; Analyse Risks, comprising Determine likelihood, Determine consequence and Estimate level of risk; Evaluate Risks; Accept Risks, with a yes/no decision leading to Treat Risks; Monitor and Review and Communicate and Consult run alongside all steps.)

2.2. Modelling

The Reference Model for Open Distributed Processing (RM-ODP) [5] is a standard reference model for distributed systems, based on object-orientation. RM-ODP divides the system documentation into five viewpoints. It also provides modelling, specification and structuring terminology, a conformance module addressing implementation and consistency requirements, as well as a distribution module defining transparencies and the functions required to realise these transparencies.

UML is the de facto standard for documenting software architectures. However, UML is a large language and its use in different phases of system evolution is not standardised. In this paper we show how UML can be used to document both the target of risk assessment and the results of such an assessment.

3. Model-based risk assessment

In this section we present the CORAS approach to risk assessment.

3.1. Motivation

CORAS focuses on the integration of viewpoint-oriented modelling
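The AS/NZS process of section 2.1.1 (Analyse, Evaluate, Treat, Accept) as an added, runnable sketch; this is not CORAS code and does not use its UML models. The ordinal scales, the risk matrix, the treatment effects and the e-commerce sample risk are all constructed assumptions.

```python
# Added example, not from the CORAS paper: a toy risk register that walks AS/NZS 4360's
# Analyse -> Evaluate -> Treat -> Accept loop; scales, matrix and sample data are constructed.
from dataclasses import dataclass, field, replace
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]
MATRIX = [  # constructed risk matrix: row = likelihood rank, column = consequence rank
    ["low", "low", "moderate", "high", "high"],
    ["low", "low", "moderate", "high", "extreme"],
    ["low", "moderate", "high", "extreme", "extreme"],
    ["moderate", "high", "high", "extreme", "extreme"],
    ["high", "high", "extreme", "extreme", "extreme"],
]
RANK = {"low": 0, "moderate": 1, "high": 2, "extreme": 3}

@dataclass
class Risk:  # one unwanted incident against an asset, as recorded by Identify Risks
    asset: str
    incident: str
    likelihood: str
    consequence: str
    applied: list = field(default_factory=list)  # names of treatments applied so far

    def level(self) -> str:  # Analyse Risks: likelihood x consequence -> risk level
        return MATRIX[LIKELIHOOD.index(self.likelihood)][CONSEQUENCE.index(self.consequence)]

def accepted(risk: Risk, acceptance: str) -> bool:
    """Evaluate Risks: compare the level with the acceptance criterion fixed in Identify Context."""
    return RANK[risk.level()] <= RANK[acceptance]

def treat(risk: Risk, options: list, acceptance: str) -> Risk:
    """Treat Risks: apply (name, likelihood_steps, consequence_steps) treatments in order until
    the residual risk is accepted. Returns a new Risk so the untreated values stay on record;
    options may run out before the risk is acceptable, so the caller re-checks accepted()."""
    r = replace(risk, applied=[])
    for name, l_steps, c_steps in options:
        if accepted(r, acceptance):
            break
        li = max(0, LIKELIHOOD.index(r.likelihood) - l_steps)  # each step lowers one scale rank
        ci = max(0, CONSEQUENCE.index(r.consequence) - c_steps)
        r = replace(r, likelihood=LIKELIHOOD[li], consequence=CONSEQUENCE[ci],
                    applied=r.applied + [name])
    return r

# Constructed sample: card-data disclosure from an e-commerce customer database.
SAMPLE = Risk("customer DB", "disclosure of card data", "possible", "major")
OPTIONS = [("encrypt stored card data", 0, 2), ("segment the database network", 1, 0)]

def run_sample(acceptance: str = "moderate"):
    residual = treat(SAMPLE, OPTIONS, acceptance)
    return SAMPLE.level(), residual.level(), residual.applied, accepted(residual, acceptance)
```

Lowering the acceptance criterion to "low" makes the loop apply the second treatment as well, while passing only the first option with that criterion leaves a residual risk that is still not accepted, which is the case the Accept Risks decision has to catch.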