Analysing Risk in Practice: The CORAS Approach to Model-Driven Risk Analysis. Atle Refsdal, CCS 2011-10-17.

The CORAS Approach to Model-Driven Risk Analysis Atle ...coras.sourceforge.net/documents/tutorials/part1_CCS2011_CORAS.pdf · Analysing Risk in Practice The CORAS Approach to Model-Driven

May 30, 2020

Transcript
Page 1: The CORAS Approach to Model-Driven Risk Analysis Atle ...coras.sourceforge.net/documents/tutorials/part1_CCS2011_CORAS.pdf · Analysing Risk in Practice The CORAS Approach to Model-Driven

Analysing Risk in Practice
The CORAS Approach to Model-Driven Risk Analysis

Atle Refsdal
CCS 2011-10-17

CORAS 1


Acknowledgments

The research for the contents of this tutorial has partly been funded by the European Commission through the FP7 projects SecureChange and BRIDGE and the FP7 network of excellence NESSoS.


Contact

Atle Refsdal
SINTEF ICT, Norway
E-mail: [email protected]
Web: www.sintef.no


Overview

- Part I: Introduction – Risk management and the CORAS approach
- Part II: Example-driven walkthrough of the CORAS method
- Part III: Risk monitoring using CORAS


Part I: Introduction

Risk Management and the CORAS Approach


Overview of Part I

- What is risk?
- What is risk management?
- Central terms
- What is CORAS?
- Main concepts
- The CORAS process
- Risk modeling
- Semantics
- Likelihood reasoning
- The CORAS tool
- Further reading


What is Risk?

Many kinds of risk
- Contractual risk
- Economic risk
- Operational risk
- Environmental risk
- Health risk
- Political risk
- Legal risk
- Security risk


Definition of risk from ISO 31000

Risk: Effect of uncertainty on objectives

- NOTE 1 An effect is a deviation from the expected — positive and/or negative
- NOTE 2 Objectives can have different aspects (such as financial, health and safety, and environmental goals) and can apply at different levels (such as strategic, organization-wide, project, product and process)
- NOTE 3 Risk is often characterized by reference to potential events and consequences, or a combination of these
- NOTE 4 Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood of occurrence
- NOTE 5 Uncertainty is the state, even partial, of deficiency of information related to, understanding or knowledge of an event, its consequence, or likelihood


What is Risk Management?

Risk management: Coordinated activities to direct and control an organization with regard to risk [ISO 31000:2009]

[Figure: risk management process with the steps Establish the context, Identify risks, Estimate risks, Evaluate risks and Treat risks, and the labels Risk assessment, Communicate and consult, and Monitor and review]


Risk Analysis Involves

- Determining what can happen, why and how
- Systematic use of available information to determine the level of risk
- Prioritization by comparing the level of risk against predetermined criteria
- Selection and implementation of appropriate options for dealing with risk

[Figure: risk management process with the steps Establish the context, Identify risks, Estimate risks, Evaluate risks and Treat risks, and the labels Risk assessment, Communicate and consult, and Monitor and review]


Terms

[Figure: illustration with the labels Asset, Vulnerability, Threat, Risk and Reduced risk]


Need to introduce risk treatment


Terms

[Figure: example illustrating the terms, with the labels Internet; Threat, Worm; Vulnerability, Computer running Outlook; Unwanted incident, Infected PC; Risk, with the notes "Infected twice per year" and "Infected mail sent to all contacts"; Treatment, Install virus scanner]


Risk Analysis Using CORAS


Overview

- What is CORAS?
- Main concepts
- Process of eight steps
- Risk modeling
- Semantics
- Calculus
- Tool support
- Further reading


What is CORAS?

- CORAS consists of
  - Method for risk analysis
  - Language for risk modeling
  - Tool for editing diagrams
- Stepwise, structured and systematic process
  - Directed by assets
  - Concrete tasks with practical guidelines
- Model-driven
  - Models as basis for analysis
  - Models as documentation of results
- Based on international standards


Main Concepts

[Figure: conceptual model with the elements Party, Asset, Threat, Vulnerability, Treatment, Unwanted incident, Likelihood, Consequence and Risk]


Definitions

- Asset: Something to which a party assigns value and hence for which the party requires protection
- Consequence: The impact of an unwanted incident on an asset in terms of harm or reduced asset value
- Likelihood: The frequency or probability of something to occur
- Party: An organization, company, person, group or other body on whose behalf a risk analysis is conducted
- Risk: The likelihood of an unwanted incident and its consequence for a specific asset
- Risk level: The level or value of a risk as derived from its likelihood and consequence
- Threat: A potential cause of an unwanted incident
- Treatment: An appropriate measure to reduce risk level
- Unwanted incident: An event that harms or reduces the value of an asset
- Vulnerability: A weakness, flaw or deficiency that opens for, or may be exploited by, a threat to cause harm to or reduce the value of an asset


Process of Eight Steps

Establish context
1. Preparations for the analysis
2. Customer presentation of the target
3. Refining the target description using asset diagrams
4. Approval of the target description

Assess risk
5. Risk identification using threat diagrams
6. Risk estimation using threat diagrams
7. Risk evaluation using risk diagrams

Treat risk
8. Risk treatment using treatment diagrams


Risk Modeling

- The CORAS language consists of five kinds of diagrams
  - Asset diagrams
  - Threat diagrams
  - Risk diagrams
  - Treatment diagrams
  - Treatment overview diagrams
- Each kind supports concrete steps in the risk analysis process
- In addition there are three kinds of diagrams for specific needs
  - High-level CORAS diagrams
  - Dependent CORAS diagrams
  - Legal CORAS diagrams


Example: Threat Diagram

[Figure: CORAS threat diagram annotated with the element kinds Threat, Vulnerability, Threat scenario, Unwanted incident, Asset, Likelihood and Consequence. Diagram elements: Hacker; Computer virus; Virus protection not up to date; Server is infected by computer virus [possible]; Virus creates back door to server [possible]; Hacker gets access to server [unlikely]; Server goes down [unlikely]; Confidentiality of information; Integrity of server; Availability of server. Relation annotations: 0.1 and 0.2]


Semantics

- How to interpret and understand a CORAS diagram?
- Users need a precise and unambiguous explanation of the meaning of a given diagram
- Natural language semantics
  - CORAS comes with rules for systematic translation of any diagram into sentences in English
- Formal semantics
  - Semantics in terms of a probability space on traces


Example

Elements
- Computer virus is a non-human threat.
- Virus protection not up to date is a vulnerability.
- Threat scenario Server is infected by computer virus occurs with likelihood possible.
- Unwanted incident Server goes down occurs with likelihood unlikely.
- Availability of server is an asset.

Relations
- Computer virus exploits vulnerability Virus protection not up to date to initiate Server is infected by computer virus with undefined likelihood.
- Server is infected by computer virus leads to Server goes down with conditional likelihood 0.2.
- Server goes down impacts Availability of server with consequence high.
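The systematic translation named on the Semantics slide, applied to the virus path of the example above, as an added sketch that is not part of the original tutorial or of the CORAS tool. The tuple encoding, the function names and the well-formedness table are assumptions of this example; the sentence templates are generalised from the sentences on the slide.

```python
# Added example: English rendering of a CORAS threat diagram from templates.
# The tuple encoding and all function names are assumptions of this sketch.
THREATS = {"human threat", "non-human threat"}
EVENTS = {"threat scenario", "unwanted incident"}
# Allowed (source kinds, target kinds) for each relation type.
RULES = {"initiates": (THREATS, EVENTS), "leads to": (EVENTS, EVENTS),
         "impacts": ({"unwanted incident"}, {"asset"})}

def likelihood(value, conditional=False):
    prefix = "conditional " if conditional else ""
    return "undefined likelihood" if value is None else f"{prefix}likelihood {value}"

def element_sentence(name, kind, value=None):
    if kind in EVENTS:
        return f"{kind.capitalize()} {name} occurs with {likelihood(value)}."
    article = "an" if kind[0] in "aeiou" else "a"
    return f"{name} is {article} {kind}."

def relation_sentence(elements, rel, src, dst, value=None, vulnerability=None):
    kinds = {name: kind for name, kind, _ in elements}
    src_ok, dst_ok = RULES[rel]
    bad_vuln = vulnerability is not None and kinds.get(vulnerability) != "vulnerability"
    if kinds.get(src) not in src_ok or kinds.get(dst) not in dst_ok or bad_vuln:
        raise ValueError(f"ill-formed relation: {src} {rel} {dst}")
    if rel == "initiates":
        verb = f"exploits vulnerability {vulnerability} to initiate" if vulnerability else "initiates"
        return f"{src} {verb} {dst} with {likelihood(value)}."
    if rel == "leads to":
        return f"{src} leads to {dst} with {likelihood(value, conditional=True)}."
    return f"{src} impacts {dst} with consequence {value}."

def translate(elements, relations):
    return ([element_sentence(*e) for e in elements]
            + [relation_sentence(elements, *r) for r in relations])

# Constructed encoding of the virus path from the example slide.
ELEMENTS = [
    ("Computer virus", "non-human threat", None),
    ("Virus protection not up to date", "vulnerability", None),
    ("Server is infected by computer virus", "threat scenario", "possible"),
    ("Server goes down", "unwanted incident", "unlikely"),
    ("Availability of server", "asset", None),
]
RELATIONS = [
    ("initiates", "Computer virus", "Server is infected by computer virus", None,
     "Virus protection not up to date"),
    ("leads to", "Server is infected by computer virus", "Server goes down", "0.2"),
    ("impacts", "Server goes down", "Availability of server", "high"),
]
```

`translate(ELEMENTS, RELATIONS)` returns the eight sentences of the slide in order; a relation whose endpoints have the wrong kind, such as a threat impacting an asset directly, raises `ValueError`.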


Calculus for Likelihood Reasoning

- Relation
- Mutually exclusive vertices
- Statistically independent vertices


Guidelines for Consistency Checking


Tool Support

- The CORAS tool is a diagram editor
- Supports all kinds of CORAS diagrams
- Suited for on-the-fly modeling during workshops
- Ensures syntactic correctness
- May be used during all the steps of a risk analysis
  - Documents input to the various tasks
  - Selection and structuring of information during tasks
  - Documentation of analysis results
- Download: http://coras.sourceforge.net/


Screenshot

[Screenshot of the CORAS tool with the labelled areas Pull-down menu, Tool bar, Palette, Outline, Canvas and Properties window]


Further Reading

- Book: www.springer.com/computer/swe/book/978-3-642-12322-1
  - Some chapters may be downloaded for free, including Chapter 3 which gives a Guided Tour of CORAS
- Tool: http://coras.sourceforge.net/
  - Open source
- Formal semantics: Gyrd Brændeland, Atle Refsdal, Ketil Stølen. Modular analysis and modelling of risk scenarios with dependencies. Journal of Systems and Software, volume 83, pages 1995-2013, Elsevier, 2010.
