F. Bergomi, S. Paul, Bjørnar Solhaug, Raphaël Vignon-Davillier
{"title":"超越可追溯性:一致安全风险评估的比较方法","authors":"F. Bergomi, S. Paul, Bjørnar Solhaug, Raphaël Vignon-Davillier","doi":"10.1109/ARES.2013.109","DOIUrl":null,"url":null,"abstract":"As military and civil software-intensive information systems grow and become more and more complex, structured approaches, called architecture frameworks (AF), were developed to support their engineering. The concepts of these approaches were standardised under ISO/IEC 42010 - Systems and Software Engineering - Architecture Description. An Architecture Description is composed of Views, where each View addresses one or more engineering concerns. As mentioned in the standard, a multi-viewpoint approach requires the capacity to capture the different views, and maintain their mutual consistency. This paper addresses primarily the problem of integrating a model-based security risk assessment view to the mainstream system engineering view(s) and, to a lesser extent, the problem of maintaining the overall consistency of the views. Both business stakes and technical means are studied. We present two specific approaches, namely CORAS and Rinforzando. Both come with techniques and tool support to facilitate security risk assessment of complex and evolving critical infrastructures, such as ATM systems. The former approach offers static import/export relationships between artefacts, whereas the latter offers dynamic relationships. The pros and cons of each technical approach are discussed.","PeriodicalId":302747,"journal":{"name":"2013 International Conference on Availability, Reliability and Security","volume":"94 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2013-09-02","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"Beyond Traceability: Compared Approaches to Consistent Security Risk Assessments\",\"authors\":\"F. Bergomi, S. Paul, Bjørnar Solhaug, Raphaël Vignon-Davillier\",\"doi\":\"10.1109/ARES.2013.109\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"As military and civil software-intensive information systems grow and become more and more complex, structured approaches, called architecture frameworks (AF), were developed to support their engineering. The concepts of these approaches were standardised under ISO/IEC 42010 - Systems and Software Engineering - Architecture Description. An Architecture Description is composed of Views, where each View addresses one or more engineering concerns. As mentioned in the standard, a multi-viewpoint approach requires the capacity to capture the different views, and maintain their mutual consistency. This paper addresses primarily the problem of integrating a model-based security risk assessment view to the mainstream system engineering view(s) and, to a lesser extent, the problem of maintaining the overall consistency of the views. Both business stakes and technical means are studied. We present two specific approaches, namely CORAS and Rinforzando. Both come with techniques and tool support to facilitate security risk assessment of complex and evolving critical infrastructures, such as ATM systems. The former approach offers static import/export relationships between artefacts, whereas the latter offers dynamic relationships. The pros and cons of each technical approach are discussed.\",\"PeriodicalId\":302747,\"journal\":{\"name\":\"2013 International Conference on Availability, Reliability and Security\",\"volume\":\"94 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2013-09-02\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2013 International Conference on Availability, Reliability and Security\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ARES.2013.109\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2013 International Conference on Availability, Reliability and Security","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ARES.2013.109","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Beyond Traceability: Compared Approaches to Consistent Security Risk Assessments
As military and civil software-intensive information systems grow and become more and more complex, structured approaches, called architecture frameworks (AF), were developed to support their engineering. The concepts of these approaches were standardised under ISO/IEC 42010 - Systems and Software Engineering - Architecture Description. An Architecture Description is composed of Views, where each View addresses one or more engineering concerns. As mentioned in the standard, a multi-viewpoint approach requires the capacity to capture the different views, and maintain their mutual consistency. This paper addresses primarily the problem of integrating a model-based security risk assessment view to the mainstream system engineering view(s) and, to a lesser extent, the problem of maintaining the overall consistency of the views. Both business stakes and technical means are studied. We present two specific approaches, namely CORAS and Rinforzando. Both come with techniques and tool support to facilitate security risk assessment of complex and evolving critical infrastructures, such as ATM systems. The former approach offers static import/export relationships between artefacts, whereas the latter offers dynamic relationships. The pros and cons of each technical approach are discussed.
求助内容:
应助结果提醒方式:
京公网安备 11010802042870号
