CORAS - A platform for risk analysis of security critical systems

Accurate, unambiguous and effective risk analyses.

CORAS was a European R&D project partly funded by the 5th Framework program on Information Society Technologies (IST) by the European Commission. The project started in January 2001 and lasted until the end of June 2003. The consortium consisted of eleven partners - five from Norway, three from Greece, two from England and one from Germany. The main objectives of the project were

• To develop a practical framework for a precise, unambiguous and efficient risk assessment, by exploiting the synthesis of risk analysis methods with semiformal specification methods (in particular, methods for object-oriented modelling) and computerised tools, in order to improve the risk analysis of security-critical systems;

• To assess the applicability, usability and efficiency of the framework by extensive experimentation in the fields of e-commerce and telemedicine, and;

• To investigate its commercial viability and pursue its exploitation within relevant market segments, while playing an influential role in standardisation organisations.

The model-based approach of CORAS improves the quality and effectiveness of the risk assessment process by facilitating precision, communication and interaction between stakeholders and reduces maintenance costs by increasing the possibilities for reuse. CORAS provides a uniform, streamlined approach for each stage in a risk assessment project, from context identification, through risk assessment, analysis and treatment to presentation of results.

The CORAS tool is characterised by:

(1) A methodology for model-based risk assessment integrating aspects from partly complementary risk assessment methods and state-of-the-art modelling methodology.

(2) A UML based specification language targeting security risk assessment.

(3) A library of reusable experience packages for the eHealth and eCommerce doamins.

(4) A computerised platform providing two repositories; an assessment repository and a repository for the reusable experience packages.

(5) An XML mark-up for exchange of risk assessment data.

(6) A component for computerised vulnerability and threat management.

During the development phase of the CORAS framework, the framework was tested on applications within eCommerce and telemedicine. NST's main responsibility in the project was to conduct risk assessment on telemedicine systems. The objective of these risk assessments was to experiment with the model-based risk assessment methodology, in order to give feedback to the developers of the framework on the applicability, usability and efficiency of the methodology.

A description of the results and an open source version of the computerised tool that supports the methodology can be found on the CORAS home page at coras.sourceforge.net.

Project period

January 2000 to June 2003.

Project manager

Eva Skipenes, e-mail: eva.skipenes@telemed.no, tel.: +47 911 77 515.

<<