An Approach to Select Cost-Effective Risk Countermeasures Exemplified in CORAS

Risk is unavoidable in business and risk management is needed amongst others to set up good security policies. Once the risks are evaluated, the next step is to decide how they should be treated. This involves managers making decisions on proper countermeasures to be implemented to mitigate the risks. The countermeasure expenditure, together with its ability to mitigate risks, is factors that affect the selection. While many approaches have been proposed to perform risk analysis, there has been less focus on delivering the prescriptive and specific information that managers require to select cost-effective countermeasures. This paper proposes a generic approach to integrate the cost assessment into risk analysis to aid such decision making. The approach makes use of a risk model which has been annotated with potential countermeasures, estimates for their cost and effect. A calculus is then employed to reason about this model in order to support decision in terms of decision diagrams. We exemplify the instantiation of the generic approach in the CORAS method for security risk analysis.Comment: 33 page

A Dynamic Intelligent Decision Approach to Dependency Modeling of Project Tasks in Complex Engineering System Optimization

Complex engineering system optimization usually involves multiple projects or tasks. On the one hand, dependency modeling among projects or tasks highlights structures in systems and their environments which can help to understand the implications of connectivity on different aspects of system performance and also assist in designing, optimizing, and maintaining complex systems. On the other hand, multiple projects or tasks are either happening at the same time or scheduled into a sequence in order to use common resources. In this paper, we propose a dynamic intelligent decision approach to dependency modeling of project tasks in complex engineering system optimization. The approach takes this decision process as a two-stage decision-making problem. In the first stage, a task clustering approach based on modularization is proposed so as to find out a suitable decomposition scheme for a large-scale project. In the second stage, according to the decomposition result, a discrete artificial bee colony (ABC) algorithm inspired by the intelligent foraging behavior of honeybees is developed for the resource constrained multiproject scheduling problem. Finally, a certain case from an engineering design of a chemical processing system is utilized to help to understand the proposed approach

Evolution of security engineering artifacts: a state of the art survey

Security is an important quality aspect of modern open software systems. However, it is challenging to keep such systems secure because of evolution. Security evolution can only be managed adequately if it is considered for all artifacts throughout the software development lifecycle. This article provides state of the art on the evolution of security engineering artifacts. The article covers the state of the art on evolution of security requirements, security architectures, secure code, security tests, security models, and security risks as well as security monitoring. For each of these artifacts the authors give an overview of evolution and security aspects and discuss the state of the art on its security evolution in detail. Based on this comprehensive survey, they summarize key issues and discuss directions of future research