2011-12-20
ISBN 978-3-642-12322-1 e-ISBN 978-3-642-12323-8
DOI 10.1007/978-3-642-12323-8
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2010936190
ACM Computing Classification (1998): K.6, D.2.9
© Springer-Verlag Berlin Heidelberg 2011
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
Cover design: KünkelLopka GmbH, Heidelberg
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Contents

Part I Introductory Overview

1 Introduction
  1.1 The Importance of Risk Analysis
  1.2 Asset Identification
  1.3 Risk Modelling
  1.4 The CORAS Approach
    1.4.1 The CORAS Language
    1.4.2 The CORAS Tool
    1.4.3 The CORAS Method
  1.5 The Generality of CORAS
  1.6 Overall Aim and Emphasis
  1.7 Organisation
    1.7.1 Part I: Introductory Overview
    1.7.2 Part II: Core Approach
    1.7.3 Part III: Selected Issues
    1.7.4 Appendices
  1.8 Colours in CORAS and in this Book

2 Background and Related Approaches
  2.1 Basic Terminology
  2.2 Related Approaches
    2.2.1 Risk Analysis Methods
    2.2.2 Table-based Risk Analysis Techniques
    2.2.3 Tree-based Risk Analysis Techniques
    2.2.4 Graph-based Risk Analysis Techniques
    2.2.5 Situating CORAS Within this Picture

3 A Guided Tour of the CORAS Method
  3.1 Preparations for the Analysis
  3.2 Customer Presentation of the Target
  3.3 Refining the Target Description Using Asset Diagrams
  3.4 Approval of the Target Description
  3.5 Risk Identification Using Threat Diagrams
  3.6 Risk Estimation Using Threat Diagrams
  3.7 Risk Evaluation Using Risk Diagrams
  3.8 Risk Treatment Using Treatment Diagrams

Part II Core Approach

4 The CORAS Risk Modelling Language
  4.1 Central Concepts
    4.1.1 What is a Threat?
    4.1.2 What is a Threat Scenario?
    4.1.3 What is a Vulnerability?
    4.1.4 What is an Unwanted Incident?
    4.1.5 What is an Asset?
  4.2 The Diagrams of the CORAS Language
    4.2.1 Asset Diagrams
    4.2.2 Threat Diagrams
    4.2.3 Risk Diagrams
    4.2.4 Treatment Diagrams
    4.2.5 Treatment Overview Diagrams
  4.3 How to Schematically Translate CORAS Diagrams into English Prose
    4.3.1 How to Translate Asset Diagrams
    4.3.2 How to Translate Threat Diagrams
    4.3.3 How to Translate Risk Diagrams
    4.3.4 How to Translate Treatment Diagrams
    4.3.5 How to Translate Treatment Overview Diagrams
  4.4 Summary

5 Preparations for the Analysis
  5.1 Overview of Step 1
  5.2 Conducting the Tasks of Step 1
  5.3 Summary of Step 1

6 Customer Presentation of the Target
  6.1 Overview of Step 2
  6.2 Conducting the Tasks of Step 2
    6.2.1 Presentation of the CORAS Terminology and Method
    6.2.2 Presentation of the Goals and Target of the Analysis
    6.2.3 Setting the Focus and Scope of the Analysis
    6.2.4 Determining the Meeting Plan
  6.3 Summary of Step 2

7 Refining the Target Description Using Asset Diagrams
  7.1 Overview of Step 3
  7.2 Conducting the Tasks of Step 3
    7.2.1 Presentation of the Target by the Analysis Team
    7.2.2 Asset Identification
    7.2.3 High-level Analysis
  7.3 Summary of Step 3

8 Approval of the Target Description
  8.1 Overview of Step 4
  8.2 Conducting the Tasks of Step 4
    8.2.1 Approval of the Target Description
    8.2.2 Ranking of Assets
    8.2.3 Setting the Consequence Scales
    8.2.4 Setting the Likelihood Scale
    8.2.5 Defining the Risk Function
    8.2.6 Deciding the Risk Evaluation Criteria
  8.3 Summary of Step 4

9
Attachments

Model-Driven+Risk+Analysis+The+CORAS+Approach.pdf

Size: 14.44 MB

Price: 8 forum coins

Tags: CORAS


All replies

2012-2-17 16:47:16
There's a free one online~