Papers by Yudistira Asnar
Risk-Trust
Trust is perceived risk and not the actual risk; 'secure' does not imply that users will trust it. Many users are more likely to place their trust in something that provides assurances for the cases when something goes wrong, rather than something that claims nothing can go wrong (as a result of deployment safeguards) in the first place. [Lacohee, 2006]
Recently, there has been an increase in reported security threats hitting organizations. Some of them originate from the assignment to users of inappropriate permissions on sensitive organizational data. Thus it is crucial for organizations to recognize as early as possible the risks deriving from inappropriate access-right management and to identify the solutions they need to prevent such risks.
The Governance, Risk, and Compliance (GRC) management process for Information Security is a necessity for any software system where important information is collected, processed, and used. To this extent, many standards for security management at the operational level exist (e.g., ITIL, the ISO 27K family, etc.). What is often missing is a process to govern security at the organizational level.
Most of the critical aspects of secure and dependable systems, such as safety, integrity, and availability, are related to uncertainty. The literature proposes many approaches to deal with uncertainty, mainly in the areas of risk management and safety and reliability engineering. However, what is still missing is a clear understanding of the nature of uncertainty, which has very often led to mistreatments in the design.
Critical Information Infrastructures Security, Jan 1, 2006
Modelling and analysing risk is one of the most critical activities in system engineering. However, in the literature, approaches like Fault Tree Analysis, Event Tree Analysis, and Failure Modes and Criticality Analysis focus on the system-to-be without considering the impact of the associated risks on the organization where the system will operate. The Tropos framework has proved effective in modelling the strategic interests of stakeholders at the organizational level. In this paper, we introduce the extended Tropos goal model to analyse risk at the organizational level and we illustrate a number of different techniques to help the analyst in identifying and enumerating relevant countermeasures for risk mitigation.
… Reliability and Security …, Jan 1, 2007
The importance of critical systems has been widely recognized and several efforts are devoted to integrating dependability requirements into their development process. Such efforts result in a number of models, frameworks, and methodologies that have been proposed to model and assess the dependability of critical systems. Among them, risk analysis considers the likelihood and severity of failures for evaluating the risk affecting the system.
Designing a secure and dependable system is not just a technical issue; it also involves a deep analysis of the organizational and social environment in which the system will operate. In this paper, we detail our experience in modeling and analyzing requirements for an industrial case (an air traffic management system) using the Secure Tropos framework. In particular, we focus on modeling and reasoning about trust and risk relations within the organizational structure; we discuss the pros and cons of Secure Tropos stemming from our experience, and lessons learned which might be of general interest for RE methodologies.
… Reliability and Security …, Jan 1, 2008
The analysis of business solutions is one of the critical issues in industry. Risk is one of the most preeminent and accepted metrics for the evaluation of business solutions. Not surprisingly, many research efforts have been devoted to developing risk management frameworks. Among them, Tropos Goal-Risk offers a formal framework for assessing and treating risks on the basis of the likelihood and severity of failures. In this paper, we extend Tropos Goal-Risk to assess and treat risks by considering the interdependency among actors within an organization. To make the discussion more concrete, we apply the proposed framework to the analysis of risks within manufacturing organizations. * This work was done when the author was at the University of Trento.

University of Trento, Tech. Rep. DIT- …, Jan 1, 2006
In software engineering, risks are usually considered and analysed during, or even after, the design of the system. This approach can lead to the problem of accommodating necessary countermeasures in an existing design and possibly to reconsidering the initial requirements of the system. In this paper, we propose a goal-oriented approach for modelling and reasoning about risks at the requirements level. Risks are introduced and analysed along the stakeholders' goals, and countermeasures are imposed as part of the requirements of the system-to-be. The proposed framework is based on the Tropos methodology and extends its formal framework with new concepts and qualitative reasoning mechanisms to consider risks from the early phases of requirements analysis. The risk analysis process is presented and illustrated with some experimental results.

Business Process Management, Jan 1, 2008
Business Continuity Management (BCM) is a process to manage the risks, emergencies, and recovery plans of an organization during a crisis. It results in a document called the Business Continuity Plan (BCP) that specifies the methodology and procedures required to back up and recover the functional units of a disrupted business. Traditionally, BCP assessment is based only on the continuity of IS infrastructures and does not consider possible relations with the business objectives and business processes. This traditional approach assumes that the risk to business continuity results from the disruption of the IS infrastructures. However, we believe there are situations where the risk emerges even when the infrastructures are up and running. Moreover, the lack of a modeling framework and of tool support makes the process even harder. In this paper, we propose a framework to support the modeling and analysis of BCPs from the organizational perspective, where risks and treatments are modeled and analyzed along strategic objectives and their realizations. An automated reasoner based on cost-benefit analysis techniques is proposed to elicit and then adopt the most cost-efficient plan. The approach is developed using the Tropos Goal-Risk Framework and the Time Dependency and Recovery Model as underlying frameworks. A Loan Origination Process case study is used as a running example to illustrate the proposal.
Agent-Oriented Software Engineering VII, Jan 1, 2007
Recently, multi-agent systems have proved to be a suitable approach to the development of real-life information systems. In particular, they are used in the domain of safety-critical systems where availability and reliability are crucial. For these systems, the ability to mitigate risk (e.g., failures, exceptional events) is very important. In this paper, we propose to incorporate risk concerns into the process of multi-agent system design and describe the process of exploring and evaluating design alternatives based on risk-related metrics. We illustrate the proposed approach using an Air Traffic Management case study.

Proceedings of the 4th ACM workshop on …, Jan 1, 2008
In recent years, IT systems have come to play a more and more fundamental role in human activities and, in particular, in critical activities such as the management of Air Traffic Control and Nuclear Power Plants. This has spurred several researchers to develop models, metrics, and methodologies for analyzing and measuring the security and dependability of critical systems. Their objective is to understand whether the risks affecting the system are acceptable or not. If risks are too high, analysts need to identify the treatments adequate to mitigate them. Existing proposals, however, fail to consider risks within multi-actor settings. Here, different actors participating in the system might have a different perception of risk and react accordingly. In this paper, we introduce the concept of perceived risk and discuss its differences from actual risk. We also investigate the concepts necessary to capture and analyze perceived risk.

Modeling and analyzing risk is one of the most critical activities in system engineering, and approaches like Fault Tree Analysis, Event Tree Analysis, and Failure Modes and Criticality Analysis have been proposed in the literature. All these approaches focus on the system-to-be without considering the impact of the associated risks on the organization where the system will operate. On the other hand, the tendency is more and more to consider software development as a part of organizational development. In this paper, we propose a framework to model and reason about risk at the organizational level, namely considering the system-to-be along with the organizational setting. The framework extends Tropos, a methodology that has proved effective in modeling the strategic interests of stakeholders at the organizational level. We introduce a number of different means that help the analyst to identify and enumerate relevant treatments for risk mitigation. Experimental results are finally presented and discussed.
International Journal of …, Jan 1, 2008
Evaluating business solutions before they are deployed is essential for any organization. Risk is emerging as one of the most preeminent and accepted metrics for the evaluation of business solutions. In this paper, we present a comprehensive case study where the Tropos Goal-Risk framework is used to assess and treat risk on the basis of the likelihood and severity of failures within organizational settings. We present an analysis and an evaluation of business solutions within manufacturing enterprises.

Risk is one of the inherent problems in all software systems. It becomes more significant if the software system is operated in a critical system (e.g., air traffic control, nuclear plant). This is because in this domain the software system is expected to be dependable at all times during its operation. The system is dependable when all its risks are suppressed to an acceptable level. Therefore, in such a setting analysts must carefully analyze the socio-technical system (i.e., the organizational setting and the software systems) and understand how uncertain events may affect the systems. By means of Tropos Goal-Risk, we model the socio-technical system including its risks. Essentially, the framework consists of goal, event, and treatment modeling. The goal layer represents what the stakeholders' interests are and how to achieve them. The event layer depicts how uncertain events occur and impact the goals of stakeholders. The treatment layer represents the possible measures that are available to treat the events. By quantifying the evidence values of the model, analysts can reason about the level of risk and choose the most appropriate alternative to achieve the stakeholders' interests and the necessary treatments that should be employed to mitigate the risks. We use a case study on Air Traffic Management to illustrate the proposal.
In software engineering, risk is usually considered and analyzed during, or even after, the system design. Countermeasures are elaborated and then accommodated as a refinement of the design, when only a limited number of changes are still possible and they may introduce the problem of revisiting the initial requirements. In this paper, we propose a goal-oriented approach for modeling and reasoning about risk during the requirements analysis process. Risks are introduced and analyzed along the stakeholders' goals, and countermeasures are introduced as part of the system's requirements. The approach extends the Tropos formal framework with new concepts and qualitative risk reasoning mechanisms. We use a case study on a loan origination process to illustrate the proposal.

Proceedings of the 6th European …, Jan 1, 2006
Organizations and individuals are becoming more and more dependent on computer systems to achieve their goals and to deliver their responsibilities. This introduces at design time the need to consider humans as part of the system, and consequently dependability becomes a critical issue to take into consideration during the development of the system. Traditionally, dependability is measured in terms of the availability, reliability, and integrity of the system. However, in this new scenario the dependability of a software system has to be closely related to the organizational setting where the system will operate. In this paper, we briefly introduce a framework, based on the Tropos methodology, to model/analyse risk and assess the dependability of a system in a particular organizational setting. The framework supports the analyst in eliciting the necessary countermeasures to mitigate risks and, consequently, ensure the dependability of the system within a certain level of risk.

In Proceeding of the Italian …, Jan 1, 2008
Recent trends in Software Engineering have introduced the importance of reconsidering the traditional idea of software design as a socio-technical problem, where human agents are an integral part of the system along with hardware and software components. Design and runtime support for Socio-Technical Systems (STSs) requires appropriate modeling techniques and non-traditional infrastructures. Agent-oriented software methodologies are natural solutions to the development of STSs, since both humans and technical components are conceptualized and analyzed as part of the same system. In this paper, we illustrate a number of Tropos features that we believe to be fundamental to support the development and runtime reconfiguration of STSs. In particular, we focus on two critical design issues: risk analysis and location variability. We show how they are integrated and used in a planning-based approach to support the designer in evaluating and choosing the best design alternative. Finally, we present a generic framework to develop self-reconfigurable STSs.

PhD, Universita Degli Studi Di Trento, Jan 1, 2009
Critical Information Systems (CISs) are a special class of information systems whose failures might produce catastrophic effects (e.g., loss of life, economic loss, environmental destruction). A lot of effort has been devoted in the literature to improving the quality of CISs along the system development process. However, a major limitation of current approaches is that they consider the system only from the technical perspective and, very often, overlook the social aspects of the environment where the system will operate. Many incidents are indeed caused by factors beyond technical failures, such as abuses of permission or multi-actor (i.e., social) failures (e.g., mistrust, commitment repudiation). Considering interactions between humans and technology allows us to identify a wide range of risks in addition to those emerging from either aspect in isolation.

Agent-Oriented Software Engineering …, Jan 1, 2008
Autonomous agents and multi-agent systems have proved to be useful in several safety-critical applications. However, in current agent architectures (particularly BDI architectures) the deliberation process does not include any form of risk analysis. In this paper, we propose guidelines to implement Tropos Goal-Risk reasoning. Our proposal aims at introducing risk reasoning into the deliberation process of a BDI agent so that the overall set of possible plans is evaluated with respect to risk. When the level of risk turns out to be too high, agents can consider and introduce additional plans, called treatments, that produce an overall reduction of the risk. Side effects of treatments are also considered as part of the model. To make the discussion more concrete, we illustrate the proposal with a case study on an Unmanned Aerial Vehicle agent.