"The CORAS language is a graphical modeling language used to support the security analysis process with its customized diagrams. The language has been developed within the research project "SECURIS" (SINTEF ICT/University of Oslo), where it has been applied and evaluated in seven major industrial field trials.
Experiences from the field trials show that the CORAS language has contributed to more active involvement of the participants, and it has eased the communication within the analysis group. The language has been found easy to understand and suitable for presentation purposes.
With time we have become more and more dependent on various kinds of computerized systems. When the complexity of the systems increases, the number of security risks is likely to increase. Security analyses are often considered complicated and time-consuming. A well-developed security analysis method should support the analysis process by simplifying communication, interaction and understanding between the participants in the analysis.
This thesis describes the development of the CORAS language that is particularly suited for security analyses where "structured brainstorming" is part of the process. Important design decisions are based on empirical investigations. The thesis has resulted in the following artifacts:
- A modeling guideline that explains how to draw the different kinds of diagrams for each step of the analysis.
- Rules for translation which enable consistent translation from graphical diagrams to text.
- Concept definitions that contribute to a consistent use of security analysis terms.
- An evaluation framework to evaluate and compare the quality of security analysis modeling languages."
- Ida Hogganvik and Ketil Stølen. "On the Comprehension of Security Risk Scenarios". 13th International Workshop on Program Comprehension (IWPC’04).
- Ida Hogganvik and Ketil Stølen. "Risk Analysis Terminology for IT-systems: Does it match intuition?". 4th International Symposium on Empirical Software Engineering (ISESE’05).
- Ida Hogganvik and Ketil Stølen. "A Graphical Approach to Risk Identification, Motivated by Empirical Investigations". 9th International Conference on Model Driven Engineering Languages and Systems (MoDELS’06).
- Heidi E. I. Dahl, Ida Hogganvik and Ketil Stølen. "Structured Semantics for the CORAS Security Risk Modelling Language". 2nd International Workshop on Interoperability Solutions on Trust, Security, Policies and QoS for Enhanced Systems (IS-TSPQ’07).
- Folker den Braber, Ida Hogganvik, Mass Soldal Lund, Ketil Stølen and Fredrik Vraalsen. "Model-based security analysis in seven steps – a guided tour to the CORAS method". BT Technology Journal, Vol. 25 (1), 2007.
- Fredrik Vraalsen, Tobias Mahler, Mass Soldal Lund, Ida Hogganvik, Folker den Braber and Ketil Stølen. "Assessing Enterprise Risk Level: The CORAS Approach". In: Advances in Enterprise Information Technology Security, Information Science Reference, 2007.
- Ida Hogganvik and Ketil Stølen. "Investigating preferences in graphical risk modeling". Technical report, SINTEF A57, 2007.