COMA
Component-oriented Model-based Security Analysis
A modular understanding of risks is a prerequisite for robust component-based development and for maintaining the trustworthiness and security of modular systems. To address the risks that arise in component-based systems, the COMA project delivered a component-based approach to risk analysis in general and to security risk analysis in particular. The approach rests on the same principles of modularity and composition as component-based development itself, and its purpose is to support the integration of risk analysis into component-based development. The approach consists of the following artifacts.
- A framework for component-based risk analysis
- A modular approach to risk modelling
- A formal foundation for modular risk modelling
- A formal component model integrating the notion of risk
The framework for component-based risk analysis provides a process for analysing separate parts of a system independently, together with means for combining the separate analysis results into an overall picture of the whole system. It applies the modular risk modelling approach to identify, analyse and document component risks. The component model with a notion of risk provides the formal foundation for integrating risk analysis into component-based development.
The COMA project was funded by the Research Council of Norway. The project was initiated in January 2004 and ran until 2008. The project funded one PhD student, Gyrd Brændeland, and her needs with respect to travel and equipment.
PhD Thesis
- Gyrd Brændeland. Component-based risk analysis. PhD thesis, University of Oslo, 2011.
Scientific articles
- Gyrd Brændeland, Atle Refsdal, Ketil Stølen. A denotational model for component-based risk analysis. To appear in Proc. 8th International Symposium on Formal Aspects of Component Software (FACS'11).
- Gyrd Brændeland, Ketil Stølen. Using model-driven risk analysis in component-based development. In Dependability and Computer Engineering: Concepts for Software-Intensive Systems, pages 330-380, IGI Global, 2011.
- Gyrd Brændeland, Atle Refsdal, Ketil Stølen. Modular analysis and modelling of risk scenarios with dependencies. Journal of Systems and Software, volume 83, pages 1995-2013, Elsevier, 2010.
- Gyrd Brændeland, Heidi E.I. Dahl, Iselin Engan, Ketil Stølen. Using dependent CORAS diagrams to analyse mutual dependency. In Proc. 2nd International Workshop on Critical Information Infrastructure Security (CRITIS'07), LNCS 5141, pages 135-148, Springer, 2008.
- Gyrd Brændeland, Ketil Stølen. A semantic paradigm for component-based specification integrating a notion of security risk. In Proc. 4th International Workshop on Formal Aspects in Security and Trust (FAST'06), LNCS 4691, pages 31-46, Springer, 2007.
- Gyrd Brændeland, Ketil Stølen. Using model-based security assessment in component-oriented system development: A case-based evaluation. In Proc. 2nd ACM Workshop on Quality of Protection (QoP'06), pages 11-18, ACM Press, 2006.