Security incidents targeting all kinds of computerised systems occur on a daily basis within most organisations, and vulnerability records increase steadily. Modern industry hence demands secure and reliable systems and calls for good methods for security risk analysis in order to identify the threat picture.
CORAS is a method for conducting security risk analysis and, like most security risk analysis methods, it may involve participants from totally different professions and backgrounds who hardly speak the same language.
We have developed a tool-supported method, SCORE, that aims to deal with problems related to one of the sub-processes of a CORAS security risk analysis, namely risk estimation. SCORE applies to CORAS diagrams, which are used to describe risk and threat scenarios and are drawn in a special-purpose graphical language designed to facilitate communication between roles of different professions.
This thesis presents and documents the results from the SCORE project. Its main contribution is the SCORE tool-supported method, which consists of two distinct but closely related modules: the SCORE method and the SCORE tool. The former defines rules for processing input from the risk estimation process in a structured fashion and standardises the risk estimation process of a CORAS security risk analysis. The latter is a computerised tool, integrated with the existing CORAS tool, designed to support the SCORE method by implementing its defined rules.
The SCORE tool-supported method has been successfully evaluated on a CORAS security risk analysis supported by SCORE. Based on this evaluation, together with formal evaluation techniques, the SCORE project has come to the conclusion that a carefully designed tool-supported method will increase the efficiency of risk estimation using CORAS diagrams.
The thesis furthermore provides documentation of how to execute the SCORE method, as well as documentation in terms of software requirements and architectural design, such that the SCORE tool may be fully extended to a commercial implementation within the CORAS tool.