
Analysing risk in practice: The CORAS approach to model-driven risk analysis


The term “risk” is known from many fields. On an almost daily basis we face references to “contractual risk”, “economic risk”, “operational risk”, “environmental risk”, “health risk”, “political risk”, “legal risk”, “security risk”, and so forth. In order to identify and assess risks we may conduct risk analyses. In this tutorial we present the CORAS approach, which is a self-contained risk analysis methodology and the first to be truly model-driven in the sense that modelling is integrated into every part of the process. The methodology is described in detail in the book Model-Driven Risk Analysis. The CORAS Approach, and has been validated through application in a large number of full-scale industrial analyses. The goal of the tutorial is to give the audience an introduction to the basics of risk analysis and to the CORAS method and language for model-driven risk analysis. The intended audience is anyone with an interest in software engineering, security and risk management. The tutorial should be suitable both for people new to risk analysis and for those familiar with risk analysis who are interested in the model-driven approach.


Academic lecture




  • Atle Refsdal


  • SINTEF Digital / Sustainable Communication Technologies

Presented at

18th ACM Conference on Computer and Communications Security (CCS 2011)




17.10.2011 - 21.10.2011


