2nd International Workshop on Risk Assessment and Risk-driven Testing

Hotel RC - Sveva Room

RISK Welcome and Keynote

Wednesday, Nov. 5, 09:00 - 10:30

Marcus Schacher. Keynote: Model-based Risk Analysis in the Railways Domain


RISK #1: Risk Analysis and Assessment

Wednesday, Nov. 5, 11:00 - 12:30

Chair: Johannes Viehmann

1.     Artsiom Yautsiukhin, Leanid Krautsevich and Fabio Martinelli. Evaluation of Risk for Complex Systems Using Attack Surface

2.     Samson Yoseph Esayas. Structuring Compliance Risk Identification Using the CORAS Approach: Compliance as an Asset

3.     Barbara Gallina, Edin Sefer and Atle Refsdal. Towards Safety Risk Assessment of Socio-technical Systems via Failure Logic Analysis


RISK #2: Risk Management

Wednesday, Nov. 5, 14:00 - 15:30

Chair: Gencer Erdogan

1.     Johannes Viehmann. Risk Management for Outsourcing to the Cloud

2.     Arthur-Jozsef Molnar and Jürgen Grossmann. CRSTIP - An Assessment Scheme for Security Assessment Processes


RISK #3: Risk Modeling and Risk-Based Testing

Wednesday, Nov. 5, 16:00 - 17:30

Chair: Marc-Florian Wendland

1.     Wolfgang Herzner, Sven Sieverding, Thomas Bauer, Brian Nielsen, Omar Kacimi and Eckard Böde. Expressing Best Practices in (Risk) Analysis and Testing of Safety-Critical Systems Using Patterns

2.     Gencer Erdogan, Atle Refsdal and Ketil Stølen. Schematic Generation of English-prose Semantics for a Risk Analysis Language Based on UML Interactions

3.     Marc-Florian Wendland, Andreas Hoffmann, Alessandra Bagnato, Etienne Brosse, Markus Schacher, Tao Yue, Shaukat Ali and Zhen Ru Dai. How the UML Testing Profile Supports Risk-Based Testing


Evaluation of Risk for Complex Systems Using Attack Surface
Many approaches for security assessment were recently proposed. In particular, attack graphs and attack surface gained a lot of attention. Nevertheless, these approaches suffer from several drawbacks. For example, attack graph operates only with known vulnerabilities and it is unclear how attack surface(metric) contributes to the risk picture for a complex system.We introduce a novel formal approach for modelling cyberattacks and evaluating of security of complex systems. Our formalisation unites attack surface and attack graph approaches and establishes an explicit link between these approaches and security risk assessment. In this way we are able to exploit the advantages of these three security evaluation approaches in a common framework overcoming many shortcomings of usingthese approaches separately.

Structuring Compliance Risk Identification Using the CORAS Approach: Compliance as an Asset
The global scale of modern business and information technology enables companies to trade across borders but at the risk of being subject to laws in diverse jurisdictions. The regulatory requirements with which businesses have to comply are drastically increasing not only in sheer number but also in complexity, confronting businesses with the need to adapt to a complex, evolving regulatory environment. Crucial to a business’s survival and profitability in such environment are understanding and managing legal and compliance risks. This need has spurred significant recent interest in integrated governance, risk, and compliance (GRC) management. A central element in integrated GRC management is following a risk-based approach to compliance which prioritizes compliance requirements based on their level of risk. Despite the need for risk-based compliance, few specific methods or approaches for identifying compliance risks have been developed. This paper presents a structured method for identifying compliance risks from compliance requirements and the business environment.

Towards Safety Risk Assessment of Socio-technical Systems via Failure Logic Analysis
A thorough understanding of the safety risks of a system requires an understanding of its human and organizational factors, as well as its technical components. Analysis approaches that focus only on the latter without considering, for example, how human decision makers may respond to a technical failure, are not able to adequately capture the wide variety of safety risk scenarios that need to be considered. In this paper, we propose a model-based analysis approach that allows analysts to interpret humans and organizations in terms of components and their behavior in terms of failure logic. Our approach builds on top of CHESS-FLA, which is a tool-supported failure logic analysis technique that supports analysis of component-based system architectures to understand what can go wrong at the system level and to identify the causes (i.e. faulty components). However, CHESS-FLA currently deals only with hardware and software components and thus it is not adequate to reason about socio-technical systems. We therefore provide an extension based on a preexisting classification of socio-failures and combine it with the one used in CHESS-FLA for technical failures, thereby giving birth to a novel approach to analysis of socio-technical systems. We demonstrate our approach on an example from the petroleum domain.

Risk Management for Outsourcing to the Cloud
This short paper describes our ongoing research about security risk management for IT projects which might eventually take benefit from outsourcing to external Cloud services. Choosing appropriate, secure enough Cloud services from multiple offers might be difficult. Hence, we develop the Cloud Security Guide CSG to assist. It contains a specialized methodology for Cloud risk assessment supporting particularly the extraction of security relevant information from user contracts or terms and conditions of public Cloud services. Discovering that many providers fail to communicate their safeguards, we also decided to develop a provider’s guide for risk management and for the communication of risk treatments.

CRSTIP - An Assessment Scheme for Security Assessment Processes
Complex networked systems are an integral part of today’s support infrastructures. Due to their importance, these systems become more and more the target for cyber-attacks, suffering a notable number of security incidents. Also, they are subject to regulation by national and international legislation. An operator of such an infrastructure or system is responsible for ensuring its security and correct functioning in order to satisfy customers. In addition, the entire process of risk and quality control needs to be efficient and manageable. This short paper introduces the Compliance, Risk Assessment and Security Testing Improvement Profiling (CRSTIP) scheme. CRSTIP is an evaluation scheme that enables assessing the maturity of security assessment processes, taking into consideration systematic use of formalisms, integration and tool-support in the areas of compliance assessment, security risk assessment and security testing. The paper describes the elements of the scheme and their application to one of the case studies of the RASEN research project.

Expressing Best Practices in (Risk) Analysis and Testing of Safety-Critical Systems Using Patterns
The continuing pervasion of our society with safety-critical cyber-physical systems not only demands for adequate (risk) analysis, testing and verification techniques, it also generates growing experience on their use, which can be considered as important as the tools themselves for their efficient use. This paper introduces workflow patterns to describe such best practices in a systematic way that efficiently represents this know¬ledge, and also provides a way to relate different patterns, making them easier to identify and use, and cover as wide a range of experiences as possible. The value of the approach is demonstrated using some pattern examples from a collection developed in the Artemis-project MBAT . Finally, the paper presents a wiki-based approach for developing and maintaining the pattern collection.

Schematic Generation of English-prose Semantics for a Risk Analysis Language Based on UML Interactions
To support risk-driven testing, we have developed CORAL, a language for risk analysis based on UML interactions. In this paper, we present its semantics as a translation of CORAL diagrams into English prose. The CORAL semantics is developed to help software testers to clearly and consistently document, communicate and analyze risks in a risk-driven testing process. We first provide an abstract syntax and a translation algorithm. Then, we evaluate the approach based on some examples. We argue that the resulting English prose is comprehensible by testers, is consistent with the semantics of UML interactions, and has a complexity that is linear to the complexity of CORAL diagrams in terms of size.

How does the UML Testing Profile Support Risk-Based Testing
The increasing complexity of software-intensive systems raises a lot of challenges demanding new techniques for ensuring their overall quality. The risk of not meeting the expected level of quality has negative impact on business, customers, environment and people, especially in the context of safety/security-critical systems. The importance of risk assessment, analysis and management has been well understood both in the literature and practice, which has led to the definition of a number of well-known standards. In the recent years, Risk-Based Testing (RBT) is gaining more attention, especially focusing on test prioritization and selection based on risks. On the other hand, model-based testing (MBT) provides a systematic and automated way to facilitate rigorous testing of software-intensive systems. MBT has been an intense area of research and a large number of MBT techniques have been developed in literature and practice in the last decade. In this paper, we study the feasibility of combining RBT with MBT by using the upcoming version of UML Testing Profile (UTP 2) as the mechanism. We present potential traceability between RBT and UTP 2 concepts.