Building an Experience Factory for a Model-based Risk...
Transcript of Building an Experience Factory for a Model-based Risk...
1
Building an Experience Factoryfor a
Model-based Risk Analysis Framework
Chingwoei Gan, Eric ScharfDepartment of Electronic Engineering
Queen Mary, University of London United Kingdom
22nd GWEM, April 4, 2003EE Department, QMUL
Agenda
n Introduction to Risk Analysisn Definitionsn CORAS Objectives and Motivations for Experience Management (EM)
n EM in CORASn CORAS Platform n CORAS Experience Package (CEP) and other Featuresn Some Results
n Summary
2
32nd GWEM, April 4, 2003EE Department, QMUL
Introduction: Risk Analysis
n Risk involves both uncertainty and lossn Risk analysis (short: RA) – definitions:n A detailed examination including risk assessment, risk evaluation, and
risk management alternatives, performed to understand the nature of unwanted, negative consequences to human life, health, property, or the environment
n An analytical process to provide information regarding undesirable events
n The process of quantification of the probabilities and expected consequences for identified risks
n RA is widely used in the finance and process industryn Risk management vs. risk analysis vs. assessment
42nd GWEM, April 4, 2003EE Department, QMUL
Introduction: Risk Analysis
n Popular methods used in the process and safety industries:n HazOp (Hazard and Operability)n FTA (Fault Tree Analysis)n FMECA (Failure Mode Effect and Criticality Analysis)n GMTA (Goals Means Task Analysis)n Markov analysisn CRAMM (CCTA Risk Analysis and Management Methodology)
n These methods are used largely independent of each othern Use in the ICT domain is only just catching on
3
52nd GWEM, April 4, 2003EE Department, QMUL
Introduction: CORAS Objectives
n To develop a practical framework, exploiting methods for risk analysis, semiformal methods for object-oriented modeling, and computerized tools, for a precise, unambiguous, and efficient risk analysis of security critical systems
n To assess the applicability, usability, and efficiency of the framework by applying it in security critical application domains (telemedicine, e-commerce etc.)
62nd GWEM, April 4, 2003EE Department, QMUL
Risk analysis
MRAModel-based Risk Analysis
GraphicalOO-modelling
Introduction: The CORAS approach-Model-based Risk Analysis (MRA)
FTA, HAZOP, FMECA, Markov, GMTA, CRAMM
UML
4
72nd GWEM, April 4, 2003EE Department, QMUL
Introduction: Motivations for EM Approach
n CORAS is about DEVELOPING A (TOOL-SUPPORTED) MODEL BASED RISK ANALYSIS FRAMEWORK for security critical applications in the ICT domain
n Why do we need to have a “tool-supported” framework? Why experience management?n Knowledge-intensiven Time-consumingn Involves several if not many people
n Large solution spacen Iterative
CORAS Platform = Computerized Part of CORAS Methodology
82nd GWEM, April 4, 2003EE Department, QMUL
Platform APIs
Platform user
Userinterfaces
V&TMTool
RATool
ModellingTool
CORAS Web Interface
Platform developerPlatform integrator
22.21.20.19.18.17.16.15.14.13.12.11.10.9.8.7.6.5.4.3.2.1.
Platforminternalstorage
Inte
grat
ion
plat
form
CORAS XMLXMI
IDMEF
Tool specific format
5
92nd GWEM, April 4, 2003EE Department, QMUL
Viewpoint
Assessement repository
Reusable element
RepositoryReusable element repository
Concern
Project
Risk analysis element
Element
CORAS experience package
Domain
is divided into
date of creation : string
last_updated : undefinedversion : undefined
is organised by
author : string
uses1
*
1
1
*is linked to
*
1
*
1 n
5
1
*belongs to
1
*
creates1
1
*
*1
finalized : booleandescription : stringassessment area : stringlinked to : undefinedtitle : stringlist of elements : undefined
102nd GWEM, April 4, 2003EE Department, QMUL
n Two repositories:n Reusable Element Repository (storing reusable elements/tables
templates/guidelines etc)n Assessment Repository (storing instantiated or modified result)n All elements MUST conform to the XML data models (OMG’s XMI, IETF’s
IDMEF, CORAS-developed RA-specific XML)
n Web-based graphical user interfaces – allow for access to the CORAS platform/repository. Some benefits:n Benefits of XML technologies – Cocoon, eXist (native XML database), XPath,
XSLT and many more!n Distributable - can reach a much large group of users and counter-partsn Easily updatable; thin-clientn Cost-effectiven Availability; 24x7
CORAS Platform: Components
6
112nd GWEM, April 4, 2003EE Department, QMUL
n An experience package has three parts:n Characterization (defined by Attributes)n Relationship (defined by Links)n Body (defined by Entities)
Taxonomy of Experience Package
122nd GWEM, April 4, 2003EE Department, QMUL
e.g. Project
Attributes Title: string Author: string Date of creation: string Description: string Finalized: Boolean Assessment area: string Links Linked to: linked to other CEPs Body List of elements: linked to other elements
CEP2 … … …
CEP1 Title: Telemedicine Trial 2 Author: Eva S & Eva S Date of creation: September 9 2002 Description: teleconsultation services in cardiology Finalized: No Assessment area: Telecardiology, WebOnCOLL
Linked to: CEP2 List of elements: swot1.xml sys_desc.xml abstract.xml
CORAS Experience
Package Type
Other Package
Type
7
132nd GWEM, April 4, 2003EE Department, QMUL
n CEP attributes are useful for searchingn CEP links are useful for associating present CEP with other
similarly motivated CEPn CEP body contains useful elements (and experience) for
reusen Main benefit of using CEP:n Generally, CEP allows experience to be packaged in a systematic and
structured manner thereby enabling the repository to document, store, qualify and update the experience base, as well as supplying those experiences back to projects on demand
Taxonomy of Experience Package (contd.)
142nd GWEM, April 4, 2003EE Department, QMUL
n Search – via XPATHn Mirrors a hybrid structural CBR and textual CBR approachn Retrieve only the CEPs
n Navigational structuren Other features:n Semantic/consistency checks between tables and UML diagrams – risk
management is iterative!
CORAS Platform: Reusing Experiences
8
152nd GWEM, April 4, 2003EE Department, QMUL
n A working prototype of a “loose” computerized integration platform demonstrating the MRA approach – based on a native XML repositoryn Search for useful elementsn Instantiate from the reusable librariesn Store and package assessment result/experience n Follow the risk assessment methodology
n Empirical data is gathered from the telemedicine and e -commerce trials in CORAS
n More trials planned
Some Results
162nd GWEM, April 4, 2003EE Department, QMUL
n The approach is not perfectn Difficulty in building experience – domain/context specific
n General patterns and rules are difficult to obtain – each case varies so much sometime have to start over!
n Adaptation/Tailoring cannot be solved in a general way in CORASn Dealing with UML - diagram! Yes we have XMI but it’s often too verbose to
be useful
n EF can be extremely useful in addressing real world problemsn First known EF application in risk analysisn Taking advantage of modern internet-based technology –
XML, semantic web etc.
Summary
9
172nd GWEM, April 4, 2003EE Department, QMUL
Thank you for your attention!