Original poster: andy520

A good 2011 book on risk analysis methodology: Model-Driven Risk Analysis--The CORAS Approach

Original post
andy520 posted on 2011-12-20 17:53:27

ISBN 978-3-642-12322-1 e-ISBN 978-3-642-12323-8
DOI 10.1007/978-3-642-12323-8
Springer Heidelberg Dordrecht London New York
Library of Congress Control Number: 2010936190
ACM Computing Classification (1998): K.6, D.2.9
© Springer-Verlag Berlin Heidelberg 2011
This work is subject to copyright. All rights are reserved, whether the whole or part of the material is
concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting,
reproduction on microfilm or in any other way, and storage in data banks. Duplication of this publication
or parts thereof is permitted only under the provisions of the German Copyright Law of September 9,
1965, in its current version, and permission for use must always be obtained from Springer. Violations
are liable to prosecution under the German Copyright Law.
The use of general descriptive names, registered names, trademarks, etc. in this publication does not
imply, even in the absence of a specific statement, that such names are exempt from the relevant protective
laws and regulations and therefore free for general use.
Cover design: KünkelLopka GmbH, Heidelberg
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Contents
Part I Introductory Overview
1 Introduction
1.1 The Importance of Risk Analysis
1.2 Asset Identification
1.3 Risk Modelling
1.4 The CORAS Approach
1.4.1 The CORAS Language
1.4.2 The CORAS Tool
1.4.3 The CORAS Method
1.5 The Generality of CORAS
1.6 Overall Aim and Emphasis
1.7 Organisation
1.7.1 Part I: Introductory Overview
1.7.2 Part II: Core Approach
1.7.3 Part III: Selected Issues
1.7.4 Appendices
1.8 Colours in CORAS and in this Book
2 Background and Related Approaches
2.1 Basic Terminology
2.2 Related Approaches
2.2.1 Risk Analysis Methods
2.2.2 Table-based Risk Analysis Techniques
2.2.3 Tree-based Risk Analysis Techniques
2.2.4 Graph-based Risk Analysis Techniques
2.2.5 Situating CORAS Within this Picture
3 A Guided Tour of the CORAS Method
3.1 Preparations for the Analysis
3.2 Customer Presentation of the Target
3.3 Refining the Target Description Using Asset Diagrams
3.4 Approval of the Target Description
3.5 Risk Identification Using Threat Diagrams
3.6 Risk Estimation Using Threat Diagrams
3.7 Risk Evaluation Using Risk Diagrams
3.8 Risk Treatment Using Treatment Diagrams
Part II Core Approach
4 The CORAS Risk Modelling Language
4.1 Central Concepts
4.1.1 What is a Threat?
4.1.2 What is a Threat Scenario?
4.1.3 What is a Vulnerability?
4.1.4 What is an Unwanted Incident?
4.1.5 What is an Asset?
4.2 The Diagrams of the CORAS language
4.2.1 Asset Diagrams
4.2.2 Threat Diagrams
4.2.3 Risk Diagrams
4.2.4 Treatment Diagrams
4.2.5 Treatment Overview Diagrams
4.3 How to Schematically Translate CORAS Diagrams into English Prose
4.3.1 How to Translate Asset Diagrams
4.3.2 How to Translate Threat Diagrams
4.3.3 How to Translate Risk Diagrams
4.3.4 How to Translate Treatment Diagrams
4.3.5 How to Translate Treatment Overview Diagrams
4.4 Summary
5 Preparations for the Analysis
5.1 Overview of Step 1
5.2 Conducting the Tasks of Step 1
5.3 Summary of Step 1
6 Customer Presentation of the Target
6.1 Overview of Step 2
6.2 Conducting the Tasks of Step 2
6.2.1 Presentation of the CORAS Terminology and Method
6.2.2 Presentation of the Goals and Target of the Analysis
6.2.3 Setting the Focus and Scope of the Analysis
6.2.4 Determining the Meeting Plan
6.3 Summary of Step 2
7 Refining the Target Description Using Asset Diagrams
7.1 Overview of Step 3
7.2 Conducting the Tasks of Step 3
7.2.1 Presentation of the Target by the Analysis Team
7.2.2 Asset Identification
7.2.3 High-level Analysis
7.3 Summary of Step 3
8 Approval of the Target Description
8.1 Overview of Step 4
8.2 Conducting the Tasks of Step 4
8.2.1 Approval of the Target Description
8.2.2 Ranking of Assets
8.2.3 Setting the Consequence Scales
8.2.4 Setting the Likelihood Scale
8.2.5 Defining the Risk Function
8.2.6 Deciding the Risk Evaluation Criteria
8.3 Summary of Step 4
9

Model-Driven+Risk+Analysis+The+CORAS+Approach.pdf
Download link: https://bbs.pinggu.org/a-1017238.html

14.44 MB

Requires: 8 forum coins

CORAS

First reply
jazc365 (user with no verified transactions) posted on 2012-2-17 16:47:16
It's available for free online~
