Attack trees are a well-known formalism for quantitative analysis of cyber attacks consisting of multiple steps and alternative paths. It is possible to derive properties of the overall attacks from properties of individual steps, such as cost for the attacker and probability of success. However, in existing formalisms, such properties are considered independent. For example, investing more in ...

Risk analysis is an important tool for developers to establish the appropriate protection level of a system. Unfortunately, the shifting environment of components and component-based systems is not adequately addressed by traditional risk analysis methods. This paper addresses this problem from a theoretical perspective by proposing a denotational model for component-based risk analysis. In ord...

From the outsourcer’s perspective, the IS outsourcing literature emphasizes the importance of contracts and risk awareness for managing outsourcing ventures. However, there is a lack of proven and tested outsourcing management concepts in theory and practise incorporating contractual designs to effectively counter risk. By extending the risk model of Bahli and Rivard (2001) we investigate the i...

Portfolio selection is concerned with optimization of capital allocation to a large number of securities. In portfolio selection, risk analysis is one of the most important topics and research on quantitative definition of risk remains core of the topic. This paper proposes a novel risk definition for portfolio selection with uncertain returns. A risk curve is introduced and a new safe criterio...

This paper discusses various approaches to risk analysis of infrastructure systems. The discussion is applied to electric power delivery systems, i.e. transmission and distribution of electric power, with an emphasis on the electric power grid in Sweden. In reviewing a number of the methods of risk analysis, it is concluded that methods from the systems safety and reliability discipline can to ...

Although a variety of information security risk management (ISRM) approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can the risk level of a business process be determined by taking the risk levels of the involved resources into account? This paper presents our research results regarding resource-based risk analysis method...

This paper discusses the findings of an exploratory study investigating IS/IT project risk analysis in large organisations within Western Australia. While a questionnaire was used as a pilot to gain information before in depth interviews were carried out, this is an interpretivist study that investigates data in a qualitative mode of research. The researchers, therefore, sought to interpret ric...

This chapter presents a guided tour of the CORAS method. As illustrated by Fig. 3.1, the CORAS method is divided into eight steps. The first four of these steps are introductory in the sense that we use them to establish a common understanding of the target of the analysis, and to make the target description that will serve as a basis for the subsequent risk identification. The introductory ste...

This paper discusses various approaches to risk analysis of infrastructure systems. The discussion is applied to electric power delivery systems, i.e. transmission and distribution of electric power, with an emphasis on the electric power grid in Sweden. In reviewing a number of the methods of risk analysis, it is concluded that methods from the systems safety and reliability discipline can to ...