Affiliation:
1. Fraunhofer-Institute AISEC, Garching, Bavaria, Germany
2. Freie Universität Berlin, Institute of Computer Science, Berlin, Germany
Abstract
Security risk assessment is an important task in systems engineering. It is used to derive security requirements for a secure system design and to evaluate design alternatives as well as vulnerabilities. Security risk assessment is also a complex and interdisciplinary task, where experts from the application domain and the security domain have to collaborate and understand each other. Automated and tool-supported approaches are desired to help manage the complexity. However, the models used for system engineering usually focus on functional behavior and lack security-related aspects. Therefore, we present our modeling approach that alleviates communication between the involved experts and features steps of computer-aided modeling to achieve consistency and avoid omission errors. We demonstrate our approach with an example. We also describe how to model impact rating and attack feasibility estimation in a modular fashion, along with the propagation and aggregation of these estimations through the model. As a result, experts can make local decisions or changes in the model, which in turn provides the impact of these decisions or changes on the overall risk profile. Finally, we discuss the advantages of our model-based method.
Publisher
Association for Computing Machinery (ACM)
Subject
Artificial Intelligence,Control and Optimization,Computer Networks and Communications,Hardware and Architecture,Human-Computer Interaction
Reference37 articles.
1. Daniel Angermeier, Alexander Nieding, and Jörn Eichler. 2016. Supporting risk assessment with the systematic identification, merging, and validation of security goals. In International Workshop on Risk Assessment and Risk-driven Testing. Springer, Cham, Germany, 82–95.
2. Systematic identification of security goals and threats in risk assessment;Angermeier Daniel;Softwaretechnik-Trends,2016
3. Supporting Risk Assessment with the Systematic Identification, Merging, and Validation of Security Goals
4. Robustness in the Strategy of Scientific Model Building
Cited by
3 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献