Part III: Change Management
CORAS 1
Part III: Change Management
Ketil Stølen, SINTEF & UiO
FOSAD 2011
CORAS 2
Overview of Part III
- Changing and evolving risk
- Three perspectives on change
- Formal foundation
  - Risk graphs
  - Risk graphs with change
  - CORAS instantiation
- Practical example
- Summary
CORAS 3
Exercise III
How can we check that our risk models are correct?
In particular, how do we ensure the correctness of consequence and likelihood values?
CORAS 4
Changing and Evolving Risk
- Many risk assessments build on unrealistic assumptions
  - Particular configuration of the target
  - Particular point in time
  - Valid under the assumptions of the target description
- Reality changes and evolves
  - The target and the environment change and evolve over time
  - The assumptions, context, scope, focus, assets and parties may change and evolve over time
  - As a result, risks change and evolve over time
- Change and evolution must be reflected in the risk picture
CORAS 5
Three Perspectives on Change
1: The maintenance (a posteriori) perspective
2: The before-after (a priori) perspective
3: The continuous evolution perspective
[Figure: the three perspectives placed on a plane spanned by a proactive/reactive axis and an evolution/revolution axis, with the quadrants planned revolution, unplanned revolution, planned evolution and unplanned evolution; perspectives 1, 2 and 3 are marked at their positions in the plane]
CORAS 6
Maintenance Perspective
- Methodological challenges
  - Reuse the old risk assessment results
  - Avoid having to start from scratch
- Requires:
  - Identifying the updates made to the target and updating the target description accordingly
  - Identifying which risks and parts of the risk picture/risk model are affected by the updates
  - Updating the risk picture/risk model without having to make changes in the unaffected parts
[Figure: the old target and the current target are related by the updates; the risk assessor holds an old risk picture (old risks) and derives from it the current risk picture (current risks)]
CORAS 7
Before-After Perspective
- Methodological challenges
  - Obtain and present a risk picture for the current risks, the future risks, and the risks to the change
- Requires:
  - A target description that characterizes the target “as-is” and the target “to-be”
  - A description of the process of change
  - Identifying current and future risks without doing double work
  - Identifying risks to the change process
  - Providing a risk picture that characterizes current risks, future risks and risks to the change process, and that relates these to the target description
[Figure: the current target and the future target are related by the planned changes; the risk assessor produces one risk picture covering the current risks, the future risks and the risks due to the change process]
CORAS 8
Continuous Evolution Perspective
[Figure: the target at time t0 evolves into the target at time t1, …, and the target at time tn; the risk assessor produces one risk picture containing the risks at time t0, the risks at time t1, …, and the risks at time tn]
CORAS 9
Continuous Evolution Perspective
- Methodological challenges
  - Identify and present evolving risks in a dynamic risk picture/risk model
- Requires:
  - Generalizing a target description in such a way that it characterizes evolution of the target and its environment
  - Identifying and generalizing the risks affected by evolution in the target or its environment
  - Characterizing the evolution of risks and presenting it in a dynamic risk picture/risk model
  - Relating the evolution of risks described by the risk picture/risk model to the evolution of the target described in the target description
CORAS 10
Exercise IV
How would you represent change in your favorite modelling language/formal notation/approach/method?
Which change perspective would be most relevant for you?
CORAS 11
Formal Foundation
CORAS 12
Risk Modeling
- Risk analysis involves the process of understanding the nature of risks and determining the risk level
- Risk modeling refers to techniques for risk identification, documentation and estimation
- A risk model is a structured way of representing unwanted incidents and their causes and consequences by means of graphs, trees or block diagrams
- Risk graphs are an aid for
  - structuring events and scenarios leading to incidents
  - estimating likelihoods of incidents
CORAS 13
Risk Graph
- Risk graphs can be understood as a common abstraction of several established risk modeling techniques
  - Fault trees, attack trees, cause-consequence diagrams, Bayesian networks, CORAS threat diagrams
[Figure: example risk graph with the vertices v1[P1], v2[P2], v3[P3], v4[P4], v5[P5], v6[P6] and v7[P7], each annotated with its probability set, and relations between them annotated with the probability sets Pa, Pb, Pc, Pd, Pe and Pf]
CORAS 14
Formalization of Risk Graphs
- Syntax
  - A risk graph is a set D of elements e
  - An element is a vertex v or a relation v1→v2
  - A probability set P ⊆ [0,1] is assigned to the elements
- Semantics
  - Scenarios and probabilities are represented by a probability space on traces of events
- Calculus
  - Rules for reasoning about risk graphs
  - Soundness proofs with respect to the semantics
CORAS 15
CORAS Instantiation
- CORAS vertices and relations can be interpreted in terms of risk graph vertices and relations
- The risk graph semantics and calculi carry over to CORAS
[Figure: the risk graph of slide 13 (vertices v1[P1] … v7[P7], relations Pa … Pf) drawn as a CORAS threat diagram, with the additional CORAS elements labelled a, c, r1, r2 and r3]
CORAS 16
Risk Graphs with Change
[Figure: the risk graph of slide 13 with change: v1[P1], v5[P5], v6[P6] and the relations Pa, Pe and Pf carry a single value; v2[P2]/[P2’], v3[P3]/[P3’], v4[P4]/[P4’], v7[P7]/[P7’] and the relations Pb/Pb’, Pc/Pc’ and Pd/Pd’ carry a before value and an after value; legend: vertex before, vertex before-after, vertex after]
- Explicit modeling of
  - Elements before change
  - Elements after change
  - Changes in likelihood estimates
CORAS 17
Two Views on Risk Graphs with Change
[Figure: the Before view contains v1[P1], v2[P2], v3[P3], v4[P4] and v7[P7] with the relations Pa, Pb, Pc and Pd; the After view contains v1[P1], v2[P2’], v3[P3’], v4[P4’], v5[P5], v6[P6] and v7[P7’] with the relations Pb’, Pc’, Pd’, Pe and Pf]
CORAS 18
Trace Model
[Figure: the risk graph with change of slide 16 (v1[P1], v2[P2]/[P2’], v3[P3]/[P3’], v4[P4]/[P4’], v5[P5], v6[P6], v7[P7]/[P7’]; relations Pa, Pb/Pb’, Pc/Pc’, Pd/Pd’, Pe, Pf), with its elements traced to the target elements t1, t2 and t3; legend: target element before, target element before-after, target element after]
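Added example (Python; not code from the CORAS project or from these slides) of the notions on slides 14 and 16-18: a risk graph with change kept as a set of vertex and relation elements, each carrying a likelihood before and/or after the change and a trace to target elements t1, t2, t3. The class, its method names and the numeric likelihoods are constructed for illustration; point probabilities are an assumption, since the slides only require a probability set P ⊆ [0,1]. It derives the two views of slide 17, lists the elements whose likelihood estimate changed, and answers the maintenance-perspective question of slide 6: which parts of the risk model must be revisited when a given target element is updated.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

# Added example, not code from the CORAS project or the slides. A risk graph with
# change is kept as a set of elements (a vertex "v2" or a relation "v1->v2"),
# each annotated with a likelihood before and/or after the change and with the
# target elements (t1, t2, ...) it is traced to. Likelihoods are assumed here to
# be point probabilities in [0,1]; the slides only require P to be a subset of [0,1].

Element = str


@dataclass(frozen=True)
class Annotation:
    before: Optional[float]                  # likelihood before the change; None = element absent before
    after: Optional[float]                   # likelihood after the change;  None = element absent after
    traces_to: FrozenSet[str] = frozenset()  # target elements this risk element is traced to

    def __post_init__(self) -> None:
        if self.before is None and self.after is None:
            raise ValueError("an element must exist before the change, after it, or both")
        for p in (self.before, self.after):
            if p is not None and not 0.0 <= p <= 1.0:
                raise ValueError(f"likelihood {p} is outside [0,1]")

    @property
    def kind(self) -> str:
        """'before', 'after' or 'before-after': the three legend entries of slide 16."""
        if self.before is None:
            return "after"
        if self.after is None:
            return "before"
        return "before-after"


class RiskGraphWithChange:
    def __init__(self) -> None:
        self.elements: Dict[Element, Annotation] = {}

    def add_vertex(self, name: str, before: Optional[float] = None,
                   after: Optional[float] = None, traces_to: Iterable[str] = ()) -> None:
        self.elements[name] = Annotation(before, after, frozenset(traces_to))

    def add_relation(self, src: str, dst: str, before: Optional[float] = None,
                     after: Optional[float] = None, traces_to: Iterable[str] = ()) -> None:
        rel = f"{src}->{dst}"
        # Well-formedness: a relation may only exist in a view where both endpoints exist.
        for when, p in (("before", before), ("after", after)):
            if p is None:
                continue
            for v in (src, dst):
                if v not in self.elements or getattr(self.elements[v], when) is None:
                    raise ValueError(f"relation {rel} exists {when} the change but vertex {v} does not")
        self.elements[rel] = Annotation(before, after, frozenset(traces_to))

    def view(self, when: str) -> Dict[Element, float]:
        """The 'before' or 'after' risk graph of slide 17: the elements present in that
        view, each with the likelihood that applies there."""
        if when not in ("before", "after"):
            raise ValueError(f"unknown view {when!r}")
        return {e: getattr(a, when) for e, a in self.elements.items()
                if getattr(a, when) is not None}

    def changed_likelihoods(self) -> Dict[Element, Tuple[float, float]]:
        """Elements present in both views whose likelihood estimate changed."""
        return {e: (a.before, a.after) for e, a in self.elements.items()
                if a.kind == "before-after" and a.before != a.after}

    def affected_by(self, changed_targets: Iterable[str]) -> Set[Element]:
        """The maintenance-perspective question: which risk elements must be revisited
        when the given target elements are updated? Elements traced to them, plus
        the relations that touch such an element."""
        changed = set(changed_targets)
        direct = {e for e, a in self.elements.items() if a.traces_to & changed}
        via_endpoints = {e for e in self.elements
                         if "->" in e and set(e.split("->")) & direct}
        return direct | via_endpoints


def example_graph() -> RiskGraphWithChange:
    """Constructed graph with the shape of slides 16-18; the numbers are made up."""
    g = RiskGraphWithChange()
    g.add_vertex("v1", before=0.50, after=0.50, traces_to={"t1"})
    g.add_vertex("v2", before=0.20, after=0.30, traces_to={"t1"})
    g.add_vertex("v3", before=0.10, after=0.15, traces_to={"t1"})
    g.add_vertex("v4", before=0.05, after=0.05, traces_to={"t2"})
    g.add_vertex("v7", before=0.02, after=0.04, traces_to={"t2"})
    g.add_vertex("v5", after=0.40, traces_to={"t3"})        # exists only after the change
    g.add_vertex("v6", after=0.10, traces_to={"t3"})        # exists only after the change
    g.add_relation("v1", "v2", before=0.30, after=0.30)     # Pa, unchanged
    g.add_relation("v2", "v3", before=0.50, after=0.40)     # Pb/Pb'
    g.add_relation("v3", "v4", before=0.50, after=0.30)     # Pc/Pc'
    g.add_relation("v4", "v7", before=0.40, after=0.60)     # Pd/Pd'
    g.add_relation("v5", "v6", after=0.25)                  # Pe, after only
    g.add_relation("v6", "v7", after=0.50)                  # Pf, after only
    return g


if __name__ == "__main__":
    g = example_graph()
    for when in ("before", "after"):
        print(when, sorted(g.view(when)))
    print("changed likelihoods:", g.changed_likelihoods())
    print("affected by an update of t3:", sorted(g.affected_by({"t3"})))
```

Running it shows the before view with 9 elements and the after view with 13, the six elements whose estimate changed (v2, v3, v7 and the relations Pb, Pc, Pd), and that an update of t3 touches v5, v6 and the relations Pe and Pf, which is exactly the part of the risk model that needs re-estimation; the unaffected part can be reused as the maintenance perspective intends.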
CORAS 19
CORAS Instantiation
[Figure: CORAS threat diagram with change: the vertices v1[P1], v2[P2]/[P2’], v3[P3]/[P3’], v4[P4]/[P4’], v5[P5], v6[P6] and v7[P7]/[P7’], the relations Pa, Pb/Pb’, Pc/Pc’, Pd/Pd’, Pe and Pf, the CORAS elements a, c/c’, r1, r2 and r3, and the target elements t1, t2 and t3 that the diagram elements are traced to]
CORAS 20
Practical Example: ATM
CORAS 21
Process of Eight Steps
1. Preparations for the analysis
2. Customer presentation of the target
3. Refining the target description using asset diagrams
4. Approval of the target description
5. Risk identification using threat diagrams
6. Risk estimation using threat diagrams
7. Risk evaluation using risk diagrams
8. Risk treatment using treatment diagrams
Steps 1-4: Establish context; steps 5-7: Assess risk; step 8: Treat risk
Need to address change in all steps
CORAS 22
Establish Context
CORAS Steps 1-4
CORAS 23
Establish Context
- Make a description of target as-is and target to-be
- Identify and document changes regarding target of analysis and risk evaluation criteria
[Figure: UML class diagram of the context concepts Context, Target of analysis, Scope, Focus, Assumption, Asset, Party and Environment, related by “part of” and “within” associations with multiplicities]
CORAS 24
Changes
- Current characteristics of ATM
  - Limited interaction with external world
  - Limited security problems in relation to information flow to and from the environment
  - Humans at the centre
  - Limited role of automated decision support systems and tools
- Changes in European ATM
  - Introduction of new information systems and decision support systems
  - Reorganization of services
CORAS 25
Target of Analysis
- Arrival management and the role of air traffic controllers (ATCOs) in the area control centre (ACC)
- The introduction of AMAN and ADS-B
  - Arrival manager (AMAN) is a decision support tool for the automation of ATCO tasks in the arrival management
  - Automatic Dependent Surveillance-Broadcast (ADS-B) is a cooperative GPS-based surveillance technique where aircraft constantly broadcast their position to the ground and to other aircraft
CORAS 26
Focus of Analysis
- Before changes:
  - Information provision (availability)
  - Compliance with regulation
- Additional concerns after changes:
  - Information protection (confidentiality)
CORAS 27
Target Description
- Target of analysis described using UML
  - Conceptual overview using UML class diagrams
  - Component structure using UML structured classifiers
  - Activities using UML interactions (interaction overview diagrams and sequence diagrams)
- One set of diagrams for target as-is
- One set of diagrams for target to-be
CORAS 28
Target Before
[Figure: UML structured classifier “class ATM” with the parts : Radar, : FDPS, : Meteo-stations, : Surveillance, : AOIS, : Aircraft[*], : Technical room[1..*], : Adjacent ATS unit[*], : OPS room[1..*] and : ACC network]
- FDPS: Flight Data Processing System
- AOIS: Aeronautical Operational Information System
- ACC network: Area Control Centre network
- OPS room: Operation room, the location of Air Traffic Controllers (ATCOs)
- Adjacent ATS unit: Adjacent Air Traffic System unit
CORAS 29
Target Before
[Figure: UML structured classifier “class OPS Room” with the parts : CWP_SUP, : SUP[1..*], : ACC island[1..*] and : ACC network]
- SUP: Supervisor
- CWP_SUP: Controller Working Position of Supervisor
- SUP is an air traffic controller (ATCO) supervising the traffic management of an ACC island
- ATCOs in the ACC island work in teams of two
CORAS 30
Target Before
Arrival management tasks:
- Controlling the aircraft in the sector
- Aircraft data analysis for starting the sequence creation
- Sequence finalization
- Clearances to the aircraft for building the planned sequence
- Progressive transfer of the whole sequence to the adjacent sector
CORAS 31
Target After
[Figure: UML structured classifier “class ATM” as on slide 28, with : ADS-B added to the parts : Radar, : FDPS, : Meteo-stations, : Surveillance, : AOIS, : Aircraft[*], : Technical room[1..*], : Adjacent ATS unit[*], : OPS room[1..*] and : ACC network]
CORAS 32
Target After
[Figure: UML structured classifier “class OPS Room” with the parts : CWP_SUP, : SUP[1..*], : ACC island[1..*], : ACC network and, new after the change, : AMAN]
CORAS 33
Target After
Arrival management tasks:
- Controlling the aircraft in the sector
- Acquisition of the AMAN provided sequence
- AMAN sequence monitoring and verification
- Clearances to the aircraft for building the planned sequence
- Progressive transfer of the whole sequence to the adjacent sector
CORAS 34
Assets Before-After
- Party remains the same under change
- Direct asset Confidentiality of ATM information is considered only after changes
- Indirect asset Airlines’ trust is considered only after changes
[Figure: asset diagram for the party ATM service provider with the assets Availability of arrival sequences, Availability of aircraft position data, Compliance, Confidentiality of ATM information and Airlines’ trust]
CORAS 35
Consequence Scales

Availability:

| Consequence | Description |
|---|---|
| Catastrophic | Catastrophic accident |
| Major | Abrupt maneuver required |
| Moderate | Recovery from large reduction in separation |
| Minor | Increasing workload of ATCOs or pilots |
| Insignificant | No hazardous effect on operations |

Confidentiality:

| Consequence | Description |
|---|---|
| Catastrophic | Loss of data that can be utilized in terror |
| Major | Data loss with legal implications |
| Moderate | Distortion of air company competition |
| Minor | Loss of aircraft information data |
| Insignificant | Loss of publicly available data |
CORAS 36
Likelihood Scale

| Likelihood | Description |
|---|---|
| Certain | A very high number of similar occurrences already on record; has occurred a very high number of times at the same location/time |
| Likely | A significant number of similar occurrences already on record; has occurred a significant number of times at the same location |
| Possible | Several similar occurrences on record; has occurred more than once at the same location |
| Unlikely | Only very few similar incidents on record when considering a large traffic volume, or no records on a small traffic volume |
| Rare | Has never occurred yet throughout the total lifetime of the system |
CORAS 37
Risk Evaluation Criteria
[Figure: risk matrix with the consequence values Insignificant, Minor, Moderate, Major and Catastrophic along the horizontal axis and the likelihood values Rare, Unlikely, Possible, Likely and Certain along the vertical axis; each cell is coloured with its risk level]
- High risk: Unacceptable and must be treated
- Medium risk: Must be evaluated for possible treatment
- Low risk: Must be monitored
Note: Also the evaluation criteria may change
CORAS 38
Risk Identification
CORAS Step 5
CORAS 39
[Figure: CORAS threat diagram before the changes, with the threats Software error, ATCO, Technical room and CWP; the vulnerability Lack of awareness; the threat scenarios The consolidation of data from several radar sources fails, Duplication of labels, ATCO fails to comply with arrival management procedures and Creation of false alarms; the unwanted incidents Delays in sequence provisioning and Degradation of aircraft position data; and the assets Availability of aircraft position data and Availability of arrival sequences]
Before
CORAS 40
[Figure: CORAS threat diagram before-after, extending the diagram of slide 39 with the threats ADS-B transponder and Attacker, the vulnerability Dependence on broadcasting, the threat scenarios Eavesdropping ADS-B communication, Spoofing of ADS-B data, ADS-B transponders not transmitting correct information and ATCO fails to comply with AMAN sequence, the unwanted incident Critical aircraft position data leaks to unauthorised third parties, and the asset Confidentiality of ATM information; the labels ADS-B and Surveillance also appear in the diagram. Retained from the before diagram: the threats Software error, ATCO, Technical room and CWP; the vulnerability Lack of awareness; the threat scenarios The consolidation of data from several radar sources fails, Duplication of labels, ATCO fails to comply with arrival management procedures and Creation of false alarms; the unwanted incidents Delays in sequence provisioning and Degradation of aircraft position data; and the assets Availability of arrival sequences and Availability of aircraft position data]
Before-After
CORAS 41
Risk Estimation
CORAS Step 6
CORAS 42
[Figure: the threat diagram of slide 39 (threats Software error, ATCO, Technical room, CWP; vulnerability Lack of awareness; assets Availability of aircraft position data, Availability of arrival sequences) annotated with likelihoods and consequences]
- The consolidation of data from several radar sources fails [possible]
- Duplication of labels [possible]
- ATCO fails to comply with arrival management procedures [rare]
- Creation of false alarms [possible]
- Delays in sequence provisioning [possible], consequence minor for Availability of arrival sequences
- Degradation of aircraft position data [possible], consequence minor for Availability of aircraft position data
Before
CORAS 43
[Figure: the threat diagram of slide 40 (threats Software error, ATCO, Technical room, CWP, ADS-B transponder, Attacker; vulnerabilities Lack of awareness, Dependence on broadcasting; labels ADS-B, Surveillance; assets Availability of arrival sequences, Availability of aircraft position data, Confidentiality of ATM information) annotated with before/after likelihoods and consequences]
- The consolidation of data from several radar sources fails [possible]/[possible]
- Duplication of labels [possible]/[possible]
- ATCO fails to comply with arrival management procedures [rare]
- ATCO fails to comply with AMAN sequence [rare]
- Creation of false alarms [possible]/[unlikely]
- ADS-B transponders not transmitting correct information [likely]
- Spoofing of ADS-B data [rare]
- Eavesdropping ADS-B communication [certain]
- Delays in sequence provisioning [possible]/[unlikely], consequence minor/minor for Availability of arrival sequences
- Degradation of aircraft position data [possible]/[possible], consequence minor/minor for Availability of aircraft position data
- Critical aircraft position data leaks to unauthorised third parties [rare], consequence major for Confidentiality of ATM information
Before-After
CORAS 44
Risk Evaluation
CORAS Step 7
CORAS 45
Indirect Assets
[Figure: the unwanted incidents of slide 43 with their consequences for the direct assets and for the indirect assets Compliance and Airlines’ trust]
- Delays in sequence provisioning [possible]/[unlikely]: minor/minor for Availability of arrival sequences; insignificant/insignificant for Compliance
- Degradation of aircraft position data [possible]/[possible]: minor/minor for Availability of aircraft position data; minor/minor for Compliance
- Critical aircraft position data leaks to unauthorised third parties [rare]: major for Confidentiality of ATM information; minor for Compliance; moderate for Airlines’ trust
Before-After
CORAS 46
Risk Diagram
[Figure: risk diagram before-after with the threats Software error, ADS-B transponder and Attacker and the assets Availability of arrival sequences, Availability of aircraft position data and Confidentiality of ATM information]
- R1: Delays in sequence provisioning [low]/[low], asset Availability of arrival sequences
- R2: Degradation of aircraft position data [low]/[low], asset Availability of aircraft position data
- R3: Critical aircraft position data leaks to unauthorised third parties [medium], asset Confidentiality of ATM information
Before-After
CORAS 47
Risk Diagram
[Figure: risk diagram before-after for the indirect assets, with the threats Software error, ADS-B transponder and Attacker and the assets Compliance and Airlines’ trust]
- R4: Delays in sequence provisioning [low]/[low], asset Compliance
- R5: Degradation of aircraft position data [low]/[low], asset Compliance
- R6: Critical aircraft position data leaks to unauthorised third parties [low], asset Compliance
- R7: Critical aircraft position data leaks to unauthorised third parties [moderate], asset Airlines’ trust
Before-After
CORAS 48
Risk Evaluation

| Likelihood \ Consequence | Insignificant | Minor | Moderate | Major | Catastrophic |
|---|---|---|---|---|---|
| Rare | | R6 (after) | R7 (after) | R3 (after) | |
| Unlikely | R4 (after) | R1 (after) | | | |
| Possible | R4 (before) | R1 (before), R2 (before and after), R5 (before and after) | | | |
| Likely | | | | | |
| Certain | | | | | |

Legend: “(before)” denotes the risk before the change and “(after)” the risk after the change (italic and bold on the original slide)
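Added example (Python; not code from the CORAS project or from these slides) of the risk evaluation step of slides 37 and 45-48. The risks R1-R7 with their before/after likelihoods, consequences and assets are transcribed from slides 43-47; the cell values of the risk matrix are an assumption, since the transcript gives only the legend of slide 37, and were chosen so that R1-R6 come out at the levels the slides show (under that assumption R7 evaluates to medium, where slide 47 prints [moderate]). The function and constant names are constructed. The example shows that R1 and R4 drop from possible to unlikely after the change without changing level, and that R3, R6 and R7 exist only after it.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added example, not code from the CORAS project or the slides. The likelihood and
# consequence scales are those of slides 35-36. The cell values of RISK_MATRIX are
# an ASSUMPTION: the transcript gives only the legend of slide 37, so the cells
# below were chosen to reproduce the levels of R1-R6 on slides 46-48.

LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]
CONSEQUENCE = ["insignificant", "minor", "moderate", "major", "catastrophic"]

# Rows follow LIKELIHOOD (rare .. certain), columns follow CONSEQUENCE (insignificant .. catastrophic).
RISK_MATRIX = [
    ["low", "low",    "medium", "medium", "high"],   # rare
    ["low", "low",    "medium", "high",   "high"],   # unlikely
    ["low", "low",    "medium", "high",   "high"],   # possible
    ["low", "medium", "high",   "high",   "high"],   # likely
    ["low", "medium", "high",   "high",   "high"],   # certain
]

# What each level requires, from the legend of slide 37.
ACTION = {
    "high": "unacceptable and must be treated",
    "medium": "must be evaluated for possible treatment",
    "low": "must be monitored",
}

Value = Optional[str]  # a scale value, or None when the risk does not exist in that view


def risk_level(likelihood: str, consequence: str) -> str:
    """Look a (likelihood, consequence) pair up in the matrix; unknown scale values raise ValueError."""
    return RISK_MATRIX[LIKELIHOOD.index(likelihood)][CONSEQUENCE.index(consequence)]


@dataclass(frozen=True)
class Risk:
    rid: str
    incident: str
    asset: str
    likelihood: Tuple[Value, Value]    # (before, after)
    consequence: Tuple[Value, Value]   # (before, after)

    def level(self, when: int) -> Value:
        """Risk level in view 0 (before) or 1 (after); None if the risk is absent there."""
        l, c = self.likelihood[when], self.consequence[when]
        if (l is None) != (c is None):
            raise ValueError(f"{self.rid}: likelihood and consequence must both be given or both absent")
        return None if l is None else risk_level(l, c)


# Risks R1-R7 of the ATM example, transcribed from slides 43-47.
ATM_RISKS: List[Risk] = [
    Risk("R1", "Delays in sequence provisioning", "Availability of arrival sequences",
         ("possible", "unlikely"), ("minor", "minor")),
    Risk("R2", "Degradation of aircraft position data", "Availability of aircraft position data",
         ("possible", "possible"), ("minor", "minor")),
    Risk("R3", "Critical aircraft position data leaks to unauthorised third parties",
         "Confidentiality of ATM information", (None, "rare"), (None, "major")),
    Risk("R4", "Delays in sequence provisioning", "Compliance",
         ("possible", "unlikely"), ("insignificant", "insignificant")),
    Risk("R5", "Degradation of aircraft position data", "Compliance",
         ("possible", "possible"), ("minor", "minor")),
    Risk("R6", "Critical aircraft position data leaks to unauthorised third parties",
         "Compliance", (None, "rare"), (None, "minor")),
    Risk("R7", "Critical aircraft position data leaks to unauthorised third parties",
         "Airlines' trust", (None, "rare"), (None, "moderate")),
]


def evaluate(risks: List[Risk]) -> Dict[str, Tuple[Value, Value]]:
    """Before/after risk level per risk id, as on the risk diagrams of slides 46-47."""
    return {r.rid: (r.level(0), r.level(1)) for r in risks}


def risk_matrix_cells(risks: List[Risk]) -> Dict[Tuple[str, str], List[str]]:
    """Cells of the before/after risk matrix of slide 48, keyed by (likelihood, consequence)."""
    cells: Dict[Tuple[str, str], List[str]] = {}
    for r in risks:
        for when, tag in ((0, "before"), (1, "after")):
            l, c = r.likelihood[when], r.consequence[when]
            if l is not None and c is not None:
                cells.setdefault((l, c), []).append(f"{r.rid} ({tag})")
    return cells


def needs_attention(risks: List[Risk]) -> Dict[str, str]:
    """Risks whose level after the change is not low, with the action the legend prescribes."""
    return {r.rid: ACTION[r.level(1)] for r in risks if r.level(1) not in (None, "low")}


def new_risks(risks: List[Risk]) -> List[str]:
    """Risks that exist only after the change (the ones a before-only analysis cannot see)."""
    return [r.rid for r in risks if r.level(0) is None and r.level(1) is not None]


if __name__ == "__main__":
    for rid, (before, after) in evaluate(ATM_RISKS).items():
        print(f"{rid}: [{before}]/[{after}]")
    for cell, entries in sorted(risk_matrix_cells(ATM_RISKS).items()):
        print(cell, ", ".join(entries))
    print("new after change:", new_risks(ATM_RISKS))
    print("need attention:", needs_attention(ATM_RISKS))
```

Because the matrix is data rather than a formula, changing the evaluation criteria (the note on slide 37 says they may change too) means editing RISK_MATRIX and re-running the evaluation; a likelihood or consequence value outside the agreed scales fails loudly in risk_level instead of being silently mapped.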
CORAS 49
Treatment Diagram
[Figure: treatment diagram before-after with the threats ADS-B transponder and Attacker, the vulnerability Dependence on broadcasting, the threat scenarios Eavesdropping ADS-B communication [certain], Spoofing of ADS-B data [rare] and ADS-B transponders not transmitting correct information [likely], the risks R2: Degradation of aircraft position data [low]/[low], R3: Critical aircraft position data leaks to unauthorised third parties [medium] and R7: Critical aircraft position data leaks to unauthorised third parties [moderate], the assets Confidentiality of ATM information, Availability of aircraft position data and Airlines’ trust, and the treatments Implement backup or improve maintenance of the transponder and Implement encryption of ADS-B signals]
Before-After
CORAS 50
Summary
- For systems that change, the risks also change and should be analyzed as such
- Only the parts of the risk picture affected by changes should be analyzed anew
- CORAS supports
  - Traceability of changes from target system to risk models
  - The explicit modeling of changes to risk
- All artifacts of CORAS are generalized to handle change
  - The CORAS language
  - The CORAS tool
  - The CORAS method