DOI: 10.1145/1314257.1314272

AMBRA: automated model-based risk analysis

Published: 29 October 2007

Abstract

Risk analysis is the baseline from which an organisation chooses the technical and procedural security measures it must employ. Despite its importance, its complexity and relative immaturity mean that the task currently rests on the shoulders of security experts, with little automation of the process. In this work, we present a methodology based on existing standards, identify the tasks that can be performed automatically, and describe how our model automates those aspects.



Published In

QoP '07: Proceedings of the 2007 ACM workshop on Quality of protection
October 2007
64 pages
ISBN:9781595938855
DOI:10.1145/1314257
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. computer-aided risk analysis
  2. security metrics
  3. system modelling

Conference

CCS07
Cited By

  • (2011) E-Business and Information Security Risk Management. Electronic Business Interoperability, 10.4018/978-1-60960-485-1.ch024, pp. 596-614. Online publication date: 2011
  • (2011) Continuous mission-oriented assessment (CMA) of assurance. Proceedings of the 2011 IEEE/IFIP 41st International Conference on Dependable Systems and Networks Workshops, 10.1109/DSNW.2011.5958861, pp. 33-38. Online publication date: 27 June 2011
  • (2009) Quantified security is a weak hypothesis. Proceedings of the 2009 workshop on New security paradigms workshop, 10.1145/1719030.1719036, pp. 37-50. Online publication date: 8 September 2009
  • (2009) Formalizing information security knowledge. Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, 10.1145/1533057.1533084, pp. 183-194. Online publication date: 10 March 2009
  • (2008) The risks with security metrics. Proceedings of the 4th ACM workshop on Quality of protection, 10.1145/1456362.1456376, pp. 65-70. Online publication date: 27 October 2008
  • (2008) Hierarchical Approach to Dependability Analysis of Information Systems by Modeling and Simulation. Proceedings of the 2008 Second International Conference on Emerging Security Information, Systems and Technologies, 10.1109/SECURWARE.2008.59, pp. 356-361. Online publication date: 25 August 2008
  • (2008) A framework for measuring the vulnerability of hosts. 2008 1st International Conference on Information Technology, 10.1109/INFTECH.2008.4621610, pp. 1-4. Online publication date: May 2008