The CORAS Method

Have you ever asked yourself some of the following questions.

• Should I worry when using my credit card on the Internet?
• How safe is my Internet bank account?
• How many doctors or healthcare personnel have access to my personal health records?
• Can I be sure that I am the only one reading my e-mail?
• How crucial can a single personal mistake be for my company?

A security risk analysis may provide answers to such questions. CORAS is a method for conducting security risk analysis. CORAS provides a customised language for threat and risk modelling, and comes with detailed guidelines explaining how the language should be used to capture and model relevant information during the various stages of the security analysis. In this respect CORAS is model-based. The Unified Modelling Language (UML) is typically used to model the target of the analysis. For documenting intermediate results, and for presenting the overall conclusions we use special CORAS diagrams which are inspired by UML. The CORAS method provides a computerised tool designed to support documenting, maintaining and reporting analysis results through risk modelling.

In the CORAS method a security risk analysis is conducted in seven steps:

The seven steps of the CORAS method are summarised as follows.

• Step 1: The first step involves an introductory meeting. The main item on the agenda for this meeting is to get the representatives of the client to present their overall goals of the analysis and the target they wish to have analysed. Hence, during the initial step the analysts will gather information based on the client’s presentations and discussions.
• Step 2: The second step also involves a separate meeting with representatives of the client. However, this time the analysts will present their understanding of what they learned at the first meeting and from studying documentation that has been made available to them by the client. The second step also involves a rough, high-level security analysis. During this analysis the first threats, vulnerabilities, threat scenarios and unwanted incidents are identified. They will be used to help with directing and scoping the more detailed analysis still to come.
• Step 3: The third step involves a more refined description of the target to be analysed, and also all assumptions and other preconditions being made. Step three is terminated once all this documentation has been approved by the client.
• Step 4: This step is organised as a workshop, drawn from people with expertise on the target of the analysis. The goal is to identify as many potential unwanted incidents as possible, as well as threats, vulnerabilities and threat scenarios.
• Step 5: The fifth step is also organised as a workshop. This time with the focus on estimating consequences and likelihood values for each of the identified unwanted incidents.
• Step 6: This step involves giving the client the first overall risk picture. This will typically trigger some adjustments and corrections.
• Step 7: The last step is devoted to treatment identification, as well as addressing cost/benefit issues of the treatments. This step is best organised as a workshop.

News

2008-09-03: Tutorial slides from ESSCaSS 2008 made available: pdf

2008-08-22: Complete remake of the CORAS web page.

[News archive]

Page updated September 3, 2008