Component-based system development causes challenges for security and safety, as upgraded components may interact with a system in unforeseen ways. Due to their lack of modularity, conventional risk analysis methods are poorly suited to address these challenges. A modular understanding of risks is a prerequisite for robust component-based development and for maintaining the trustworthiness of modular systems. In order to properly address risks related to component-based systems, we propose a component-based approach to risk analysis, which is based on the same principles of modularity and composition as component-based development. The purpose of the approach is to support the integration of risk analysis into component-based development. The approach consists of: (1) a framework for component-based risk analysis; (2) a modular approach to risk modelling; (3) a formal foundation for modular risk modelling; and (4) a formal component model integrating the notion of risk. The framework for component-based risk analysis provides a process for analysing separate parts of a system independently, with means for combining the separate analysis parts into an overall picture for the whole system. It applies the modular risk modelling approach for the purpose of identifying, analysing and documenting component risks. The component model with a notion of risk provides a formal foundation for integrating risk analysis into component-based development.
List of papers. Paper C (Chapter 11) is removed from the thesis due to copyright restrictions.
Paper A (Chapter 9)
Gyrd Brændeland and Ketil Stølen.
Using model-driven risk analysis in component-based development.
Technical Report 342, University of Oslo, Department of Informatics, 2010.
Paper B (Chapter 10)
Gyrd Brændeland, Mass Soldal Lund, Bjørnar Solhaug, and Ketil Stølen.
The dependent CORAS language.
In Model-Driven Risk Analysis: The CORAS Approach, pages 267-279. Springer, 2010. The original publication is available at www.springerlink.com
Paper C (Chapter 11)
Gyrd Brændeland, Atle Refsdal and Ketil Stølen.
Modular analysis and modelling of risk scenarios with dependencies.
Journal of Systems and Software, Volume 83, Issue 10, October 2010, Pages 1995-2013
An appendix containing the proofs in an enlarged font was added after the paper; this appendix is not removed.
Paper D (Chapter 12)
Gyrd Brændeland, Atle Refsdal and Ketil Stølen.
A denotational model for component-based risk analysis.
Technical Report 363, University of Oslo, Department of Informatics, 2011.