The availability of data systems is one of the greatest challenges companies face today. Keeping a high level of availability is not a trivial task:
- Security technology may be deployed incorrectly and does not give a company an effective protection against security threats. Security measures must be incorporated and assessed to protect data systems and company infrastructures against a massive range of threats and vulnerabilities that affect availability of data systems.- Businesses today must be responsive and change very rapidly. Their supporting software systems must change equally rapidly. The change in the system architecture may lead to change in system availability. This should be addressed quickly.- The threats and vulnerabilities are not standardised, but are situation dependant. This is why organisations and companies have to assess risks to the availability of a data system regularly. A regular availability risk assessment may be very costly for a company.
This thesis presents Model Driven Availability Risk Analysis (MODA), a methodology for identifying, assessing and treating risks to availability of data systems. MODA aims to take one step in the direction of addressing the challenges sketched above and aims for improved time efficiency, cost effectiveness, and usability.
To successfully analyse system availability, we need to know all the key areas of risk to system availability. We identify these key areas and define four sub classes of availability, the so-called availability aspects: Network availability, Software availability, Hardware availability, and Human availability. Further, we decompose each availability aspect into more basic entities, define the relationship of each aspect to other availability aspects and identify the assets that can be affected by its denial.
The risk assessment community makes use of a structured approach to address risks – the so-called Risk management process. The MODA risk management process is based on AS/NZS 4360:1999 Risk Management and CORAS and we decompose it into sub-processes for context identification, risk identification, risk assessment, risk evaluation and risk treatment. We present MODA in an example-driven manner in the form of a small case study. Further, to evaluate the suitability of MODA we conduct a larger case study using MODA to assess the availability of a chat service.