Using UML in a Risk-Driven Development Process

Risk-driven development focus on identifying and treating risks as an integrated part of the development process. One then obtain an adequate security level by treating security issues at the right time for the correct cost throughout the development. The EU IST-project CORAS has developed an integrate risk management and system development process for security-critical systems based on AS/NZS 4360, RUP, and RM–ODP. However, trials have shown that the efficiency and applicability of the integrated process depends on having an experienced risk analyst present during development. In this paper we present a refinement of the context identification phase of CORAS and provide detailed description on how to employ UML according to each of the RM– ODP viewpoints in each phase of the development. The refinements are described through a set of guidelines that where developed applying the CORAS integrated process on an example system. These guidelines reflects the experiences gained in a set of trials performed within the CORAS project.