The CORAS Language

The CORAS language is a graphical modelling language for communication, documentation and analysis of security threat and risk scenarios in security risk analyses. The language is an integral part of the CORAS method, which is based on the use of structured brainstorming. In these brainstorming sessions, the CORAS language is applied for making models of threat scenarios and risks on the fly. Such brainstorming sessions are characterized by the involvement of people with thorough knowledge of specific, but only partly overlapping, aspects of the target of analysis. Typical participants are the intended users of the target, its designers, developers, and relevant decision makers. These people normally have quite different backgrounds, and it may be difficult for the analysts to make them work well together as a group. The CORAS language improves both the efficiency of the analysis process and the quality of the results.

We claim that our graphical approach to security risk modelling contributes to solving three issues related to security risk analysis:

  • How to facilitate communication in a group consisting of people with different backgrounds and competences: Our aim has been to provide the participants with a means of communication that covers both technical and more high-level information, without being too complicated to understand. Offering a common basis for communication reduces misunderstandings and thereby gives a more correct risk picture.
  • How to estimate the likelihoods and consequences of identified risks: In practice, reliable data on which this can be based is often not available. The participants must use their expert knowledge, experience and familiarity with the domain to estimate both the likelihoods and the consequences of incidents that might not have happened yet. Our aim has been to offer a structured, graphical risk picture to make the complexity more manageable. A graphical representation may illustrate who or what caused the incidents and the weaknesses in the system that made them possible.
  • How to document the security analysis in a comprehensible manner: The findings of a security risk analysis constitute vital information not only to the participants in the analysis, but also to the organization as a whole. Our aim has been to define a documentation method that should be more or less self-explanatory, and not rely on extensive training to be understood.

The language was originally defined as a UML profile, which became part of the "UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms Specification" standardised by the Object Management Group (OMG). The language has since been developed into a specialized, domain-specific language through several iterations with feedback from industrial case studies, teaching and empirical investigations.

For tool support, see the downloads page.

Related publications

Bjørnar Solhaug and Ketil Stølen. The CORAS Language - Why it is designed the way it is. In Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, proc. of 11th International Conference on Structural Safety & Reliability (ICOSSAR'13), pp. 3155-3162. CRC Press, 2013.


Mass Soldal Lund, Bjørnar Solhaug, Ketil Stølen. Model-Driven Risk Analysis. The CORAS Approach. Springer, 2010.


Gyrd Brændeland, Heidi E. I. Dahl, Iselin Engan, Ketil Stølen. Using dependent CORAS diagrams to analyse mutual dependency. In Second International Workshop on Critical Information Infrastructures Security (CRITIS'07), number 5141 in Lecture Notes in Computer Science, pages 135-148, Springer, 2008.


Ida Hogganvik. A graphical approach to security risk analysis. PhD thesis, Faculty of Mathematics and Natural Sciences, University of Oslo, 2007.


Heidi E. I. Dahl, Ida Hogganvik, Ketil Stølen. Structured semantics for the CORAS security risk modelling language. In Pre-proceedings of the 2nd International Workshop on Interoperability solutions on Trust, Security, Policies and QoS for Enhanced Enterprise Systems (IS-TSPQ'07). Report B-2007-3, pages 79-92, Department of Computer Science, University of Helsinki, 2007.


Heidi E. I. Dahl, Ida Hogganvik, Ketil Stølen. Structured semantics for the CORAS security risk modelling language. Technical report STF07 A970, SINTEF Information and Communication Technology, 2007.


Ida Hogganvik, Ketil Stølen. A Graphical Approach to Risk Identification, Motivated by Empirical Investigations. In 9th International Conference on Model Driven Engineering Languages and Systems (MoDELS 2006), number 4199 in Lecture Notes in Computer Science, pages 574-588, Springer, 2006. (©2006 Springer)


UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms. OMG document formal/06-05-02, Object Management Group, May 2006.


Page updated October 23, 2014