To main content

Cyber Risk

Cyber Risk

The Cyber Risk group at SINTEF Digital focuses on industry-driven research and development within security risk assessment, cybersecurity, software quality, model-driven analysis and development, as well as empirical research on methods and tools.

The Cyber Risk group

Information and security technologies (ICT) have over several decades brought significant benefits to enterprises, individuals, and society as a whole. ICT and information infrastructures have become a cornerstone for a broad range of services that today we take for granted; people and organizations have access to more and better services than ever before within most areas of society, including banking and finance, communication, entertainment, health, power supply, social interactions, transportation and social participation. As a result, our daily lives, fundamental rights, economies and social security depend on ICT working seamlessly.

At the same time, ICT continues to introduce numerous new threats and vulnerabilities, and stakeholders are exposed to security incidents of many different kinds and degree of severity. Our research group develops methods, modelling techniques and tools to aid stakeholders in managing and assessing security risk, and in maintaining system and software security and quality. Our two books present major contributions in this respect.

  • Atle Refsdal, Bjørnar Solhaug and Ketil Stølen: Cyber-Risk Management (Springer, 2015). The book can be ordered from Springer in printed version or electronically. See also the product flyer.
  • Mass Soldal Lund, Bjørnar Solhaug and Ketil Stølen: Model-Driven Risk Analysis - The CORAS Approach (Springer, 2011). The book can be ordered from Springer in printed version or electronically. See also the product flyer.

Research Areas

Our cyber risk research is based on industry best practices and established international standards. Relevant standards include ISO 31000 on risk management, the ISO/IEC 27000 series on information security, as well as the OMG Unified Modeling Language (UML). Our main research interests are as follows:

  • Security risk management
  • Cybersecurity
  • Information security
  • Model-driven risk analysis
  • Model-driven security architecture
  • Model-based quality assessment and prediction
  • System modeling, refinement and semantics
  • Tools for modeling, analysis and documentation
  • Empirical research on methods and tools

Major Results

  • The CORAS approach to model-driven risk analysis. The approach includes a method, a modeling language and an open source tool. You may read the guided tour of the CORAS method for a quick introduction.
  • The PREDIQT method resulting from the PhD thesis of Aida Omerovic.
  • The STAIRS methodology developed in collaboration with the University of Oslo.


We have since more than ten years organized a series of public seminars where research results and new technologies are presented and discussed. The seminars are held in Norwegian and attract people from industry, public sector and academia.


Our projects are conducted in close collaboration with industry partners, academia and research institutes both nationally and internationally. Ongoing and completed projects are alphabetically listed below.

Ongoing Projects

  • AGRA - Aggregated risk assessment and management (Research Council of Norway project, 2014-2018)
  • PrivacyAssessment@SmartCity - Enabling Real-Time Privacy-Awareness of Smart City Providers and Users (SINTEF ICT project, 2016-2017)
  • WISER - Wide-Impact Cyber Security Risk Framework (EU-project, 2015-2017)

Completed Projects

  • COBRA - Component-based security assessment (Research Council of Norway project, 2002)
  • COMA - Component-oriented model-based security analysis (Research Council of Norway project, 2004-2007)
  • CONCERTO - Guaranteed Component Assembly with Round Trip Analysis for Energy Efficient High-integrity Multi-core Systems (ARTEMIS/Research Council of Norway project, 2013-2016)
  • CORAS - A tool-supported methodology for model-based risk analysis of security critical systems (EU project, 2001-2003)
  • DIAMONDS - Effort-dependent technologies for multi-domain risk-based security testing (Research Council of Norway project, 2010-2014)
  • DIGIT - Digital interoperability with trust (Research Council of Norway project, 2007-2010)
  • DRA - Dynamic Risk Assistant (Research Council of Norway project, 2012-2014)
  • EMERGENCY - Mobile decision support in emergency situations (Research Council of Norway project, 2008-2012)
  • EMFASE - Empirical Framework for Security Design and Economic Trade-Off (SESAR WP-E project, 2013-2016)
  • ENFORCE - Tool supported methodology for the formalization, analysis and enforcement of policies within trust management (Research Council of Norway project, 2005-2009)
  • FRISK - Framework for Risk Management of Welfare Services (SINTEF ICT project, 2012)
  • InSecurance - Project on cyber-insurance and the economics of cybersecurity (SINTEF ICT project, 2015-2016)
  • iTrust - Working group on trust management in dynamic open systems (EU project, 2002-2005)
  • MASTER - Managing Assurance, Security and Trust for sERvices (EU project, 2008-2011)
  • NESSoS - Network of Excellence on Engineering Secure Future Internet Software Services and Systems (EU project, 2010-2014)
  • RASEN - Compositional Risk Assessment and Security Testing of Networked Systems (EU project, 2012-2015)
  • S3MS - Security of Software and Service for Mobile Systems (EU project, 2006-2008)
  • SARDAS - Securing availability by robust design, assessment and specification (Research Council of Norway project, 2003-2006)
  • SecureChange - Security Engineering for Lifelong Evolvable Systems (EU project, 2009-2012)
  • SECURIS - Model-driven development and analysis of secure information systems (Research Council of Norway project, 2003-2006)
  • TrustCom - A trust and contract management framework enabling secure collaborative business processing in on-demand created, self-managed, scalable, and highly dynamic virtual organisations (EU project, 2004-2007)


Group leader: Ketil Stølen
Phone: +47 92 21 61 12
Home page

Forskningsveien 1
PO Box 124, Blindern
0314 Oslo

How to find us
Directions and map: [pdf en][pdf no]


2017-08-01: The paper A Method for Developing Qualitative Security Risk Assessment Algorithms authored by Gencer Erdogan and Atle Refsdal has been accepted for publication in the proceedings of the 12th International Conference on Risks and Security of Internet and Systems (CRiSIS 2017).

2017-07-12: The paper Experiences from Developing an Algorithm to Support Risk-Based Decisions for Offshore Installations authored by Gencer Erdogan, Atle Refsdal, Bjørn Nygård, Bernt Kvam Randeberg, and Ole Petter Rosland has been accepted for publication in the proceedings of the 14th International Symposium on Operations Research in Slovenia (SOR 2017).

2017-06-15: The paper A Method for Developing Algorithms for Assessing Cyber-Risk Cost authored by Gencer Erdogan, Alejandra Gonzalez, Atle Refsdal, and Fredrik Seehusen has been accepted for publication in the proceedings of the 2017 IEEE International Conference on Software Quality, Reliability & Security (QRS 2017).

2017-05-29: The chronicle The Internet of Things: A good, but also a threat for the nation written by Ketil Stølen is published in Teknisk Ukeblad, 23 May 2017, no. 5. The chronicle is also available online at

2017-04-28: The chronicle Guide to good smart city life written by Marit Kjøsnes Natvig, Aida Omerovic, and Isabelle Tardy is published in Dagens Næringsliv and Gemini.

2017-03-30: The chronicle Trust management - what is it, really? by Ketil Stølen is published in Dagens Perspektiv.

2017-03-27: On April 4, Atle Refsdal will present Experiences from development of risk-based decision support for offshore installations at the public seminar Risk Aggregation - what works in practise?

2017-03-02: The chronicle Privacy and cybersecurity do not go hand in hand by Ketil Stølen is published in Computerworld.

2017-02-15: The next public seminar organized by the Cyber Risk group will be held on April 4, 2017. The topic of the seminar is Risk Aggregation - What works in practise? The seminar has speakers from EVRY, Oslo municipality, The Agency for Public Management and eGovernment (Difi), and SINTEF.

2017-02-08: The paper Privacy Scorecard – Refined Design and Results of a Trial on a Mobility as a Service Example authored by Aida Omerovic, Marit Natvig, and Isabelle Tardy has been accepted for publication in the proceedings of the 27th European Safety and Reliability Association Conference (ESREL 2017).

2017-01-06: A guided tour of the CORAS method is now available.

2017-01-05: On February 16, Ketil Stølen will present The Relationship Between Trust, Security, and Risk at the SOFTWARE 2017 conference.

2017-01-04: On February 14, Aida Omerovic will hold a course about risk management at the Norwegian Computer Society.

2016-11-14: On November 9, Ketil Stølen presented Privacy from a cyber perspective at the public seminar Cybersecurity and privacy -- Hand in hand or each on their own? organized by SINTEF.

2016-11-14: On November 9, Aida Omerovic presented Transparent real-time monitoring of privacy at the public seminar Cybersecurity and privacy -- Hand in hand or each on their own? organized by SINTEF.

2016-11-14: On November 10, Gencer Erdogan presented CORAL - a model-based approach to risk-driven security testing, at the event Security and Apps organized by NITO.

2016-11-07: The next public seminar organized by the Cyber Risk group will be held on November 9, 2016. The topic of the seminar is Cybersecurity and privacy -- Hand in hand or each on their own? The seminar has speakers from The Norwegian Digital Learning Arena, Norwegian Computing Center, The Norwegian Data Protection Authority, and SINTEF.

2016-11-04: Microsoft Visio 2013 stencil for the CORAS language is now available at the CORAS website. The stencil is also compatible with Microsoft Visio 2016.

2016-11-02: On 18 October 2016 Gencer Erdogan presented the following papers at the 4th International Workshop on Risk Assessment and Risk-driven Quality Assurance (RISK'16) held in conjunction with the 28th International Conference on Testing Software and Systems (ICTSS'16):

  • Gencer Erdogan, Aida Omerovic, Marit Natvig and Isabelle C.R. Tardy: Towards Transparent Real-Time Privacy Risk Assessment of Intelligent Transport Systems.
  • Gencer Erdogan and Ketil Stølen: Design Decisions in the Development of a Graphical Language for Risk-Driven Security Testing.

2016-09-05: On September 1, Fredrik Seehusen presented the paper Differentiating Cyber Risk of Insurance Customers: The Insurance Company Perspective at the International Cross Domain Conference and Workshop (CD-ARES'16). The paper was authored by Inger Anne Tøndel, Erlend Andreas Gjære, Fredrik Seehusen, and Marie Elisabeth Gaup Moe.

2016-07-18: The WISER project has published a technical report (D3.2 - Cyber risk modelling language and guidelines, preliminary version) that describes how to define machine-readable algorithms based on CORAS diagrams to support real-time cyber risk assessment in the WISER platform.

2016-06-30: The WISER project has published a technical report (D3.1 - Cyber risk patterns) that describes common cyber risk patterns expressed in CORAS and how these patterns are used in the WISER platform to support real-time cyber risk assessment.

2016-05-23: The paper A Model-Based Approach to Support Safety-Related Decisions in the Petroleum Domain authored by Leonardo Montecchi, Atle Refsdal, Paolo Lollini, and Andrea Bondavalli, in context of the CONCERTO project, will be presented on July 1 at the 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks.

2016-04-28: On April 27, the DIAMONDS project received the EUREKA Innovation Award.

2016-04-22: The WISER project has launched its innovative tool Cyber Wiser Light for cyber security assessment. The tool is available free of charge to any organization interested in obtaining a high-level view of their cyber risk exposure.

2016-04-13: ITS Norway and SINTEF is holding a workhop related to privacy in the context of Intelligent Transportation Systems (ITS). The workshop is open to public and will be held on May 4 at Dronning Maudsgt 15, Oslo. Time: 08:30-15:30.

2016-03-11: On February 20, Gencer Erdogan presented the paper Evaluation of the CORAL Approach for Risk-driven Security Testing based on an Industrial Case Study (poster), and the EU-project WISER (poster), at the 2nd International Conference on Information Systems Security and Privacy (ICISSP'16).

2015-10-14: Selected extracts from the book Cyber-Risk Management (Springer 2015) are freely available from Springer, namely the preface, the table of contents, as well as a sample chapter (Chapter 9: Risk Evaluation).

2015-09-17: On September 15, Bjørnar Solhaug gave the tutorial Tool-Supported Cyber-Risk Assessment at the Security Assessment for Systems, Services and Infrastructures (SASSI'15) workshop. PDF of the slides are available.

2015-09-03: New book on risk management and assessment with respect to cybersecurity. A. Refsdal, B. Solhaug and K. Stølen: Cyber-Risk Management (Springer, 2015). The book can be ordered from Springer in printed version or electronically. See also the product flyer.