Bounding availability of repairable computer systems
SIGMETRICS '89 Proceedings of the 1989 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
A Reference Model for Requirements and Specifications
IEEE Software
Risk Assessment & Success Factors for e-Government in a UK Establishment
EGOV '02 Proceedings of the First International Conference on Electronic Government
Automated Generation and Analysis of Attack Graphs
SP '02 Proceedings of the 2002 IEEE Symposium on Security and Privacy
Requirements engineering paper classification and evaluation criteria: a proposal and a discussion
Requirements Engineering
Complete Guide to Security and Privacy Metrics
Complete Guide to Security and Privacy Metrics
Model-based security analysis in seven steps --- a guided tour to the CORAS method
BT Technology Journal
eTVRA, a Threat, Vulnerability and Risk Assessment Method and Tool for eEurope
ARES '07 Proceedings of the The Second International Conference on Availability, Reliability and Security
Designing Requirements Engineering Research
CERE '07 Proceedings of the 2007 Fifth International Workshop on Comparative Evaluation in Requirements Engineering
Architectural-Level Risk Analysis Using UML
IEEE Transactions on Software Engineering
Assessing the risk of an information infrastructure through security dependencies
CRITIS'06 Proceedings of the First international conference on Critical Information Infrastructures Security
The Best Damn IT Security Management Book Period
The Best Damn IT Security Management Book Period
SP 800-30. Risk Management Guide for Information Technology Systems
SP 800-30. Risk Management Guide for Information Technology Systems
Lightweight modeling and analysis of security concepts
ESSoS'11 Proceedings of the Third international conference on Engineering secure software and systems
A2thOS: availability analysis and optimisation in SLAs
International Journal of Network Management
Technical action research as a validation method in information systems design science
DESRIST'12 Proceedings of the 7th international conference on Design Science Research in Information Systems: advances in theory and practice
Hi-index | 0.00 |
For today's organisations, having a reliable information system is crucial to safeguard enterprise revenues (think of on-line banking, reservations for e-tickets etc.). Such a system must often offer high guarantees in terms of its availability; in other words, to guarantee business continuity, IT systems can afford very little downtime. Unfortunately, making an assessment of IT availability risks is difficult: incidents affecting the availability of a marginal component of the system may propagate in unexpected ways to other more essential components that functionally depend on them. General-purpose risk assessment (RA) methods do not provide technical solutions to deal with this problem. In this paper we present the qualitative time dependency (QualTD) model and technique, which is meant to be employed together with standard RA methods for the qualitative assessment of availability risks based on the propagation of availability incidents in an IT architecture. The QualTD model is based on our previous quantitative time dependency (TD) model (Zambon et al. in BDIM '07: Second IEEE/IFIP international workshop on business-driven IT management. IEEE Computer Society Press, pp 75---83, 2007), but provides more flexible modelling capabilities for the target of assessment. Furthermore, the previous model required quantitative data which is often too costly to acquire, whereas QualTD applies only qualitative scales, making it more applicable to industrial practice. We validate our model and technique in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results with respect to the goals of the stakeholders of the system. We also perform a review of the most popular standard RA methods and discuss which type of method can be combined with our technique.