AMBRA: automated model-based risk analysis
Source
Conference on Computer and Communications Security archive
Proceedings of the 2007 ACM workshop on Quality of protection table of contents
Alexandria, Virginia, USA
SESSION: Risk analysis table of contents
Pages: 43-48
Year of Publication: 2007
ISBN:978-1-59593-885-5
Authors
Marco D. Aime  Politecnico di Torino, Turin, Italy
Andrea Atzeni  Politecnico di Torino, Turin, Italy
Paolo C. Pomi  Politecnico di Torino, Turin, Italy
Sponsors
SIGSAC: ACM Special Interest Group on Security, Audit, and Control
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
DOI: http://doi.acm.org/10.1145/1314257.1314272
ABSTRACT

Risk analysis is the baseline from which an organisation chooses the technical and procedural security measures it must employ. Despite its importance, its complexity and relative immaturity mean that today it rests almost entirely on the judgement of security experts, with little automation of the process. In this work we present a methodology based on existing standards, identify the tasks within it that can be performed automatically, and describe how our model automates those tasks.
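The abstract describes picking out the steps of a standards-based risk analysis that can be automated once the system under analysis is captured as a model. As an added illustration (not the AMBRA tool's code, and not a description of its internals), the Python below shows the shape of two such steps on a toy model: matching a vulnerability feed against each asset's software inventory, and rating every finding with a likelihood × impact score in which impact is propagated along the modelled dependencies, so a low-value host that a critical service depends on inherits that service's impact. The CVSS-style 0..10 severity score, the 1..3 likelihood and 1..5 value scales, and all asset and vulnerability data are constructed assumptions.

```python
"""Toy model-based risk analysis (added illustration, not AMBRA's code).

Two tasks that become mechanical once the system is a model:
  1. match a vulnerability feed against the assets' software inventory;
  2. rate each finding as likelihood x impact, with impact propagated to
     everything that (transitively) depends on the affected asset.
All scales and sample data below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    software: Dict[str, str]          # product -> installed version
    value: int                        # business impact if compromised, 1..5 (assumed scale)
    exposure: int                     # 1 = internal only, 3 = internet-facing (assumed scale)
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Vuln:
    vid: str                          # constructed identifier, not a real CVE
    product: str
    affected_below: str               # versions strictly below this are affected
    cvss: float                       # CVSS-style base score 0..10 (assumption)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple, e.g. '2.2.10' -> (2, 2, 10)."""
    return tuple(int(x) for x in v.split("."))


def match_vulnerabilities(assets: List[Asset], feed: List[Vuln]) -> Dict[str, List[str]]:
    """Task 1: which feed entries apply to which asset, by product and version."""
    hits: Dict[str, List[str]] = {}
    for a in assets:
        for v in feed:
            installed = a.software.get(v.product)
            if installed and version_tuple(installed) < version_tuple(v.affected_below):
                hits.setdefault(a.name, []).append(v.vid)
    return hits


def dependents(assets: List[Asset], name: str) -> List[str]:
    """Everything that transitively depends on `name` (reverse dependency walk)."""
    reverse: Dict[str, List[str]] = {a.name: [] for a in assets}
    for a in assets:
        for d in a.depends_on:
            reverse.setdefault(d, []).append(a.name)
    seen: List[str] = []
    stack = list(reverse.get(name, []))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.append(n)
            stack.extend(reverse.get(n, []))
    return seen


def impact(assets: List[Asset], name: str) -> int:
    """Task 2a: impact of losing `name` = worst value among it and its dependents."""
    by_name = {a.name: a for a in assets}
    return max(by_name[n].value for n in [name] + dependents(assets, name))


def likelihood(asset: Asset, vuln: Vuln) -> int:
    """Task 2b: 1..3 likelihood from severity and exposure (assumed rating rule)."""
    if vuln.cvss >= 7.0 and asset.exposure == 3:
        return 3
    if vuln.cvss >= 4.0 or asset.exposure == 3:
        return 2
    return 1


def risk_register(assets: List[Asset], feed: List[Vuln]):
    """Rows of (asset, vuln id, likelihood, impact, risk), highest risk first."""
    by_name = {a.name: a for a in assets}
    by_vid = {v.vid: v for v in feed}
    rows = []
    for aname, vids in match_vulnerabilities(assets, feed).items():
        imp = impact(assets, aname)
        for vid in vids:
            lk = likelihood(by_name[aname], by_vid[vid])
            rows.append((aname, vid, lk, imp, lk * imp))
    return sorted(rows, key=lambda r: r[4], reverse=True)


# Constructed sample model: a billing service runs on a web front end that
# uses an internal database.  Product names and versions are illustrative.
ASSETS = [
    Asset("web", {"httpd": "2.2.3"}, value=2, exposure=3, depends_on=["db"]),
    Asset("db", {"mysql": "5.0.2"}, value=4, exposure=1),
    Asset("billing", {}, value=5, exposure=1, depends_on=["web"]),
]

# Constructed vulnerability feed (identifiers are placeholders, not CVEs).
FEED = [
    Vuln("V-1", "httpd", "2.2.10", cvss=9.3),    # matches web
    Vuln("V-2", "mysql", "5.0.5", cvss=5.5),     # matches db
    Vuln("V-3", "httpd", "2.0.0", cvss=8.0),     # web is patched past this
    Vuln("V-4", "openssl", "0.9.8", cvss=7.5),   # product not in the model
]

if __name__ == "__main__":
    for row in risk_register(ASSETS, FEED):
        print("%-8s %-4s likelihood=%d impact=%d risk=%d" % row)
```

The point the toy makes is that the analyst-only part shrinks to curating the model and the rating rules: with those in place, matching the feed, propagating impact through dependencies and ranking the findings need no human judgement per finding. Note that the database, internal and with only a medium-severity flaw, still scores high because the billing service depends on it through the web tier.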

