Abstract
This report contains an evaluation of the CORAS UML profile and consists of two parts: (1) modeling a benchmarking test called "the core security risk scenarios" using the CORAS UML profile, and (2) assessing the quality of the CORAS UML profile using a quality evaluation framework for modeling languages.

The results show that it was possible to model almost all the information in the core security risk scenarios with the CORAS UML profile. However, being able to express the core security risk scenarios is not sufficient. The diagrams are characterized by duplication of information and by information that is spread out over several diagrams, which makes it difficult to get an overview.

In the quality evaluation, the CORAS UML profile has been found to include the main security analysis concepts and modeling perspectives, and it therefore has a high domain appropriateness factor. It benefits from being based on a well-known and widely used modeling language for which several tools are available. The quality evaluation shows that the main weaknesses of the UML profile are related to its graphical symbols and diagram types. The symbols do not always conform to best practice within symbol design. Some of the diagrams are more confusing than they are explanatory, and they require a substantial effort from the modeler.
Client: Norges Forskningsråd