
    Preservation of Policy Adherence under Refinement

    Policy-based management is an approach to managing systems with respect to issues such as security, access control and trust by enforcing policy rules. This paper addresses the problem of integrating the requirements imposed by a policy into the system development process. In order to take a policy specification into account in the development of a system specification, the notion of policy adherence is formalized as a relation between policy specifications and system specifications. Adherence of a system specification to a policy specification means that the former satisfies the latter. The integrated development process is supported by refinement, where both the policy specification and the system specification may be developed through any number of refinement steps. This paper characterizes the conditions under which adherence is preserved under refinement and identifies development rules that guarantee adherence preservation. By results on transitivity and compositionality, the integrated development process and the analysis tasks can be conducted in a stepwise and modular way, thereby facilitating development. Client: Research Council of Norway

    An Approach to Select Cost-Effective Risk Countermeasures Exemplified in CORAS

    Risk is unavoidable in business, and risk management is needed, among other things, to set up good security policies. Once the risks have been evaluated, the next step is to decide how they should be treated. This involves managers deciding which countermeasures to implement in order to mitigate the risks. The expenditure on a countermeasure, together with its ability to mitigate risks, are factors that affect the selection. While many approaches have been proposed for performing risk analysis, there has been less focus on delivering the prescriptive and specific information that managers require in order to select cost-effective countermeasures. This paper proposes a generic approach that integrates cost assessment into risk analysis to aid such decision making. The approach makes use of a risk model that has been annotated with potential countermeasures and with estimates of their cost and effect. A calculus is then employed to reason about this model in order to support decisions, presented in terms of decision diagrams. We exemplify the instantiation of the generic approach in the CORAS method for security risk analysis. Comment: 33 pages
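    The abstract above describes a risk model annotated with countermeasures, their costs and their effects, and a calculus that turns the model into decision alternatives. The following is an added illustration, not the paper's own calculus or CORAS tooling: it assumes a risk is a likelihood times a consequence, that a countermeasure reduces the likelihood of the risks it affects by a fixed fraction (several countermeasures on one risk combine multiplicatively), and that the decision criterion is net benefit, i.e. risk reduction minus countermeasure cost. The risks and countermeasures are constructed sample data.

```python
"""Cost-effective countermeasure selection over an annotated risk model.

Added example. The likelihood-times-consequence measure, the multiplicative
combination of countermeasure effects and the net-benefit criterion are
modelling assumptions of this illustration, not the paper's calculus.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, Iterable, List, Mapping, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    likelihood: float    # assumed: probability of the incident per period
    consequence: float   # assumed: loss if it occurs, same unit as cost


@dataclass(frozen=True)
class Countermeasure:
    cost: float
    effect: Mapping[str, float]  # risk id -> fraction of likelihood removed


# Constructed sample data (hypothetical risks and countermeasures).
RISKS: Dict[str, Risk] = {
    "R1": Risk(likelihood=0.4, consequence=100_000),   # e.g. data leak
    "R2": Risk(likelihood=0.1, consequence=500_000),   # e.g. outage
}
MEASURES: Dict[str, Countermeasure] = {
    "C1": Countermeasure(cost=10_000, effect={"R1": 0.5}),
    "C2": Countermeasure(cost=30_000, effect={"R2": 0.8}),
    "C3": Countermeasure(cost=25_000, effect={"R1": 0.9, "R2": 0.2}),
}


def residual_risk(risks: Mapping[str, Risk],
                  measures: Mapping[str, Countermeasure],
                  chosen: Iterable[str]) -> float:
    """Expected loss after applying the chosen countermeasures."""
    chosen = tuple(chosen)
    total = 0.0
    for rid, risk in risks.items():
        likelihood = risk.likelihood
        for cid in chosen:
            # assumption: independent effects combine multiplicatively
            likelihood *= 1.0 - measures[cid].effect.get(rid, 0.0)
        total += likelihood * risk.consequence
    return total


def evaluate_alternatives(risks: Mapping[str, Risk],
                          measures: Mapping[str, Countermeasure],
                          budget: Optional[float] = None) -> List[dict]:
    """Enumerate every subset of countermeasures (the decision alternatives)
    and rank them by net benefit = risk reduction - cost."""
    baseline = residual_risk(risks, measures, ())
    ids = sorted(measures)
    rows = []
    for k in range(len(ids) + 1):
        for chosen in combinations(ids, k):
            cost = sum(measures[c].cost for c in chosen)
            if budget is not None and cost > budget:
                continue  # alternative exceeds the budget constraint
            residual = residual_risk(risks, measures, chosen)
            rows.append({
                "countermeasures": chosen,
                "cost": cost,
                "residual_risk": residual,
                "net_benefit": (baseline - residual) - cost,
            })
    rows.sort(key=lambda r: r["net_benefit"], reverse=True)
    return rows


def best_alternative(risks: Mapping[str, Risk],
                     measures: Mapping[str, Countermeasure],
                     budget: Optional[float] = None) -> dict:
    """The alternative with the highest net benefit within the budget."""
    return evaluate_alternatives(risks, measures, budget)[0]


if __name__ == "__main__":
    # Print the decision table, best alternative first.
    for row in evaluate_alternatives(RISKS, MEASURES):
        print(f"{'+'.join(row['countermeasures']) or '(none)':10s} "
              f"cost={row['cost']:>8.0f} residual={row['residual_risk']:>8.0f} "
              f"net={row['net_benefit']:>8.0f}")
    print("within 40k budget:", best_alternative(RISKS, MEASURES, 40_000))
```

    Enumerating subsets is only workable for a handful of countermeasures; the point of the table is that the cheapest or the individually most effective measure is not automatically the best choice once costs and overlapping effects are accounted for (here C3 beats C1+C2 under a budget, while C2+C3 wins without one).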

    Tool supported risk modeling and analysis of evolving critical infrastructures

    Part 2: Workshop. Risk management consists of coordinated activities to direct and control an organization with regard to risk, and includes the identification, analysis and mitigation of unacceptable risks. For critical infrastructures consisting of interdependent systems, risk analysis and mitigation are challenging because the overall risk picture can be strongly affected by changes in only a few of the systems. In order to continuously manage risks and maintain an adequate level of protection, the validity of risk models must be maintained continuously while systems change and evolve. This paper presents a risk analysis tool that supports the modeling and analysis of changing and evolving risks. The tool supports the traceability of system changes to risk models, as well as the explicit modeling of the impact on the risk picture. The tool, as well as the underlying risk analysis method, is exemplified and validated in the domain of air traffic management. Document type: Part of book or chapter of book

    Logical spaces in multi-modal only knowing logics

    Nonmonotonic logics are logics capable of formalizing defeasible inferences, i.e. inferences leading to conclusions that are withdrawn when additional information, or additional premises, contradicts the defeasible conclusion. In other terms, the set of defeasible conclusions does not increase when the set of beliefs is extended; it may rather decrease. In 1990, H. J. Levesque introduced a modal logic of belief capable of formalizing defeasible reasoning. Two features of his system make the formalism possible. First, the introduction of a complementary belief operator that, combined with the usual belief operator, makes it possible to express the exact content of an agent's beliefs. Second, an axiom schema stating that a proposition is a logical possibility provided that the proposition is consistent in the framework. The condition that the proposition is consistent in the framework causes the logic not to be closed under uniform substitution. Moreover, this axiom means that the reasoning is not carried out entirely at the object level. Motivated by, among others, these points of criticism, Arild Waaler, Department of Informatics, University of Oslo, introduced a logic of belief in which Levesque's axiom is replaced by a particular formula, the logical space, from which the logical possibilities and necessities are derived entirely at the object level. This also has the effect that the notion of necessity becomes a notion of personal necessity, i.e. necessity goes beyond the level of analytic relations between concepts. This thesis aims at generalizing Waaler's notions to the multi-agent case. The advantages of operating with a logical space in place of a multi-modal Levesque axiom are many. First, the advantages given for the single-modality case hold for the multi-agent case as well. Second, and more importantly, the condition that Levesque's axiom applies only to consistent formulae is highly problematic in the multi-modal context.
    In the single-agent case, this formula belongs to the propositional language, and the question of consistency is a question of propositional logic. This is not the case in the multi-modal context, because the axiom says that a formula not mentioning the beliefs of a given agent is a logical possibility for this agent. But the formula is in general a modal formula, and the question of its consistency must be solved within the multi-modal axiom system itself. Intrinsic to this is the danger of a vicious circularity, but by replacing the axiom with a logical space we are able to avoid this problem. However, the construction of a logical space for the multi-modal case is highly non-trivial. We need to be able to express every single possibility of what a state of affairs might be from a given agent's point of view. In the multi-modal case, a state of affairs must capture the belief set of every agent, where these belief sets in turn involve expressions in the modal language. The construction of the logical space is the core of the thesis. In general, the thesis provides a study of modal logics, defeasible logics, multi-modal logics and multi-modal defeasible logics. Additionally, a modal reduction theorem is presented, a result that proves the ability to reduce any belief representation to a set of representations, each explicitly expressing the belief set and each compatible with the initial representation. Comparative studies relating the system of this thesis to other formalisms are also provided. Finally, we suggest an extension of the system that allows the logical space to be deduced instead of explicitly given.

    Evaluation of experiences from applying the PREDIQT method in an industrial case study

    We have developed a method called PREDIQT for model-based prediction of the impacts of architectural design changes on system quality. A recent case study indicated the feasibility of the PREDIQT method when applied to a real-life industrial system. This paper reports on the experiences from applying the PREDIQT method in a second and more recent case study, on an industrial ICT system from another domain and with a number of system characteristics that differ from the previous case study. The analysis is performed in a fully realistic setting. The system analyzed is a critical and complex expert system used for the management and support of numerous work processes. The system is subject to frequent changes of varying type and extent. The objective of the case study has been to perform an additional and more structured evaluation of the PREDIQT method and to assess its performance with respect to a set of success criteria. The evaluation argues for the feasibility and usefulness of PREDIQT-based analysis. Moreover, the study has provided useful insights into the weaknesses of the method and suggested directions for future research and improvements.

    Security risk analysis of system changes exemplified within the oil and gas domain

    Changes, such as the introduction of new technology, may have considerable impact on the risk to which a system or organization is exposed. For example, in the oil & gas domain, the introduction of technology that allows offshore installations to be operated from onshore means that fewer people are exposed to risk on the installation, but it also introduces new risks and vulnerabilities. We need suitable methods and techniques in order to understand how a change will affect the risk picture. This paper presents an approach that offers specialized support for the analysis of risk with respect to change. The approach allows links between elements of the target of analysis and the related parts of the risk model to be captured explicitly, which facilitates tool support for identifying the parts of a risk model that need to be reconsidered when a change is made to the target. Moreover, the approach offers language constructs for capturing the risk picture before and after a change. The approach is demonstrated on a case concerning new software technology to support decision making on petroleum installations.

    Compositional Refinement of Policies in UML – Exemplified for Access Control

    The UML is the de facto standard for system specification, but offers little specialized support for the specification and analysis of policies. This paper presents Deontic STAIRS, an extension of the UML sequence diagram notation with customized constructs for policy specification. The notation is underpinned by a denotational trace semantics. We formally define what it means for a system to satisfy a policy specification, and introduce a notion of policy refinement. We prove that the refinement relation is transitive and compositional, thus supporting a stepwise and modular specification process. The approach is exemplified with access control policies.
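    Both this abstract and the first one on the page ("Preservation of Policy Adherence under Refinement") rest on the same idea: a specification denotes a set of traces, a policy denotes the traces it permits, adherence is satisfaction of the policy by the system, and refinement may be applied to either side. The following is an added example and not the formalization of either paper or of Deontic STAIRS (whose trace semantics distinguishes positive and negative traces and is richer than this). It assumes specifications are finite sets of event traces, system refinement is trace narrowing (the refined system allows only traces the abstract one allowed), policy refinement only removes permitted traces, and it uses two hypothetical access control rules over constructed traces. It shows the asymmetry a practitioner cares about: refining the system alone preserves adherence, while refining the policy alone can break it, so the refined policy must be re-checked.

```python
"""Policy adherence and its preservation under refinement, over finite trace sets.

Added example with simplified semantics (assumptions): a spec is a finite set of
traces, a policy is a predicate on traces, refinement is trace narrowing.
"""
from typing import Callable, FrozenSet, Set, Tuple

Event = Tuple[str, str, str]            # (subject, action, object)
Trace = Tuple[Event, ...]
Spec = FrozenSet[Trace]                 # a system spec denotes its possible traces
Policy = Callable[[Trace], bool]        # a policy denotes the traces it permits


def adheres(system: Spec, policy: Policy) -> bool:
    """Adherence: every trace the system may exhibit is permitted by the policy."""
    return all(policy(t) for t in system)


def refines(concrete: Spec, abstract: Spec) -> bool:
    """System refinement as trace narrowing (assumed semantics)."""
    return concrete <= abstract


def policy_refines(concrete: Policy, abstract: Policy, universe: Spec) -> bool:
    """Policy refinement: the refined policy permits nothing the abstract one
    forbids. Checked over a finite universe of candidate traces."""
    return all(abstract(t) for t in universe if concrete(t))


def conjoin(*policies: Policy) -> Policy:
    """Strengthen a policy by adding rules; the result permits fewer traces."""
    return lambda trace: all(p(trace) for p in policies)


# Hypothetical access control rules used as the policy.
def authenticated_before_read(trace: Trace) -> bool:
    """Prohibition: a subject may not read any object before logging in."""
    logged_in: Set[str] = set()
    for subj, action, _obj in trace:
        if action == "login":
            logged_in.add(subj)
        elif action == "read" and subj not in logged_in:
            return False
    return True


def cleared_before_secret_read(trace: Trace) -> bool:
    """Prohibition: 'secret' may only be read after a clearance was granted."""
    cleared: Set[str] = set()
    for subj, action, obj in trace:
        if action == "grant_clearance":
            cleared.add(subj)
        elif action == "read" and obj == "secret" and subj not in cleared:
            return False
    return True


# Constructed sample traces and specifications.
T_ALICE_REPORT: Trace = (("alice", "login", "-"), ("alice", "read", "report"))
T_ALICE_SECRET: Trace = (("alice", "login", "-"), ("alice", "read", "secret"))
T_BOB_REPORT: Trace = (("bob", "login", "-"), ("bob", "read", "report"))
T_BOB_NO_LOGIN: Trace = (("bob", "read", "report"),)

SYSTEM: Spec = frozenset({T_ALICE_REPORT, T_ALICE_SECRET, T_BOB_REPORT})
SYSTEM_REFINED: Spec = frozenset({T_ALICE_REPORT, T_BOB_REPORT})
UNIVERSE: Spec = SYSTEM | {T_BOB_NO_LOGIN}

POLICY: Policy = authenticated_before_read
POLICY_REFINED: Policy = conjoin(authenticated_before_read,
                                 cleared_before_secret_read)


def adherence_after_refinement(system: Spec, policy: Policy,
                               system2: Spec, policy2: Policy,
                               universe: Spec) -> Tuple[bool, bool]:
    """(both refinement steps are valid, adherence holds after them).
    Under trace narrowing, system refinement alone can never break adherence;
    policy refinement can, so the second component must be re-checked."""
    valid = refines(system2, system) and policy_refines(policy2, policy, universe)
    return valid, adheres(system2, policy2)


if __name__ == "__main__":
    print("abstract system adheres to abstract policy:", adheres(SYSTEM, POLICY))
    print("refined system, abstract policy:", adheres(SYSTEM_REFINED, POLICY))
    print("abstract system, refined policy:", adheres(SYSTEM, POLICY_REFINED))
    print("both refined:", adherence_after_refinement(
        SYSTEM, POLICY, SYSTEM_REFINED, POLICY_REFINED, UNIVERSE))
```

    Because `refines` is set inclusion it is transitive, and adherence of a subset follows from adherence of the superset, which is the trace-set shape of the stepwise development the abstracts describe; the richer positive/negative trace semantics of STAIRS is not modelled here.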

    Evaluations of methodology and tools used during the 8th SECURIS field trial

    This report presents the evaluation of the risk analysis in the 8th SECURIS field trial, carried out in autumn 2006 and early 2007. FLO/IKT was the client, and the target of the analysis was the handling of information with security level up to BEGRENSET (the Norwegian Restricted level) outside controlled areas. The CORAS methodology and the CORAS tool were evaluated in addition to the CORAS modelling language. Client: FLO/IKT