Building an Experience Factory for a Model-based Risk Analysis Framework Chingwoei Gan, Eric Scharf Department of Electronic Engineering Queen Mary, University of London United Kingdom Agenda � Introduction to Risk Analysis � Definitions � CORAS Objectives and Motivations for Experience Management (EM) � EM in CORAS � CORAS Platform � CORAS Experience Package (CEP) and other Features � Some Results � Summary 2 nd GWEM, April 4, 2003 EE Department, QMUL 2
Introduction: Risk Analysis � Risk involves both uncertainty and loss � Risk analysis (short: RA) – definitions: � A detailed examination including risk assessment, risk evaluation, and risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment � An analytical process to provide information regarding undesirable events � The process of quantification of the probabilities and expected consequences for identified risks � RA is widely used in the finance and process industry � Risk management vs. risk analysis vs. assessment 2 nd GWEM, April 4, 2003 EE Department, QMUL 3 Introduction: Risk Analysis � Popular methods used in the process and safety industries: � HazOp (Hazard and Operability) � FTA (Fault Tree Analysis) � FMECA (Failure Mode Effect and Criticality Analysis) � GMTA (Goals Means Task Analysis) � Markov analysis � CRAMM (CCTA Risk Analysis and Management Methodology) � These methods are used largely independent of each other � Use in the ICT domain is only just catching on 2 nd GWEM, April 4, 2003 EE Department, QMUL 4
Introduction: CORAS Objectives � To develop a practical framework, exploiting methods for risk analysis, semiformal methods for object-oriented modeling, and computerized tools, for a precise, unambiguous, and efficient risk analysis of security critical systems � To assess the applicability, usability, and efficiency of the framework by applying it in security critical application domains (telemedicine, e-commerce etc.) 2 nd GWEM, April 4, 2003 EE Department, QMUL 5 Introduction: The CORAS approach- Model-based Risk Analysis (MRA) FTA, HAZOP, FMECA, Markov, GMTA, CRAMM Graphical Risk analysis OO-modelling UML MRA Model-based Risk Analysis 2 nd GWEM, April 4, 2003 EE Department, QMUL 6
Introduction: Motivations for EM Approach � CORAS is about DEVELOPING A (TOOL-SUPPORTED) MODEL BASED RISK ANALYSIS FRAMEWORK for security critical applications in the ICT domain � Why do we need to have a “tool-supported” framework? Why experience management? � Knowledge-intensive � Time-consuming � Involves several if not many people CORAS Platform = � Large solution space Computerized Part of � Iterative CORAS Methodology 2 nd GWEM, April 4, 2003 EE Department, QMUL 7 User Platform integrator Platform developer interfaces CORAS Web Interface 1. 2. Platform 3. 4. user 5. 6. Modelling 7. Integration platform 8. Tool 9. Platform internal 10. 11. storage 12. 13. RA 14. Tool 15. 16. 17. 18. 19. V&TM 20. 21. Tool 22. Tool specific CORAS XML format XMI IDMEF Platform APIs 2 nd GWEM, April 4, 2003 EE Department, QMUL 8
* 1 Project 1 uses 1 creates Reusable element repository Repository Assessement repository Domain 1 * 1 version : undefined 1 is organised by last_updated : undefined Concern n 1 1 1 * 5 * is divided into belongs to * * Reusable element Element Viewpoint 1 is linked to * * Risk analysis element CORAS experience package author : string date of creation : string finalized : boolean description : string assessment area : string linked to : undefined title : string list of elements : undefined 2 nd GWEM, April 4, 2003 EE Department, QMUL 9 CORAS Platform: Components � Two repositories: � Reusable Element Repository (storing reusable elements/tables templates/guidelines etc) � Assessment Repository (storing instantiated or modified result) � All elements MUST conform to the XML data models (OMG’s XMI, IETF’s IDMEF, CORAS-developed RA-specific XML) � Web-based graphical user interfaces – allow for access to the CORAS platform/repository. Some benefits: � Benefits of XML technologies – Cocoon, eXist (native XML database), XPath, XSLT and many more! � Distributable - can reach a much large group of users and counter-parts � Easily updatable; thin-client � Cost-effective � Availability; 24x7 2 nd GWEM, April 4, 2003 EE Department, QMUL 10
Taxonomy of Experience Package � An experience package has three parts: � Characterization (defined by Attributes) � Relationship (defined by Links) � Body (defined by Entities) 2 nd GWEM, April 4, 2003 EE Department, QMUL 11 Attributes CORAS Other Title: string Experience Package Author: string Package Type Date of creation: string Type Description: string Finalized: Boolean e.g. Project Assessment area: string CEP2 Links … Linked to: linked to other CEPs … … Body List of elements: linked to other elements CEP1 Title: Telemedicine Trial 2 Linked to: CEP2 Author: Eva S & Eva S Date of creation: September 9 2002 List of elements: Description: teleconsultation services in cardiology swot1.xml Finalized: No sys_desc.xml Assessment area: Telecardiology, WebOnCOLL abstract.xml 2 nd GWEM, April 4, 2003 EE Department, QMUL 12
Taxonomy of Experience Package (contd.) � CEP attributes are useful for searching � CEP links are useful for associating present CEP with other similarly motivated CEP � CEP body contains useful elements (and experience) for reuse � Main benefit of using CEP: � Generally, CEP allows experience to be packaged in a systematic and structured manner thereby enabling the repository to document, store, qualify and update the experience base, as well as supplying those experiences back to projects on demand 2 nd GWEM, April 4, 2003 EE Department, QMUL 13 CORAS Platform: Reusing Experiences � Search – via XPATH � Mirrors a hybrid structural CBR and textual CBR approach � Retrieve only the CEPs � Navigational structure � Other features: � Semantic/consistency checks between tables and UML diagrams – risk management is iterative! 2 nd GWEM, April 4, 2003 EE Department, QMUL 14
Some Results � A working prototype of a “loose” computerized integration platform demonstrating the MRA approach – based on a native XML repository � Search for useful elements � Instantiate from the reusable libraries � Store and package assessment result/experience � Follow the risk assessment methodology � Empirical data is gathered from the telemedicine and e- commerce trials in CORAS � More trials planned 2 nd GWEM, April 4, 2003 EE Department, QMUL 15 Summary � The approach is not perfect � Difficulty in building experience – domain/context specific � General patterns and rules are difficult to obtain – each case varies so much sometime have to start over! � Adaptation/Tailoring cannot be solved in a general way in CORAS � Dealing with UML - diagram! Yes we have XMI but it’s often too verbose to be useful � EF can be extremely useful in addressing real world problems � First known EF application in risk analysis � Taking advantage of modern internet-based technology – XML, semantic web etc. 2 nd GWEM, April 4, 2003 EE Department, QMUL 16
Thank you for your attention! 2 nd GWEM, April 4, 2003 EE Department, QMUL 17
Recommend
More recommend
