D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange

Recommendations

Info

12 F. Massacci and L.M.S. Tran RM 5% 5% 5% 45% RM1 A RM2 A ….... RM11 A RM12 B Fig. 4 The long-tail problem. 6 Quantitative Metrics: Max Belief and Residual Risk As consequence of actual occurences of evolutions possibilities, a final design choice may or may not be able to fulfil the enterprise’s objectives. In order to select among the various alternatives we need a quantitative metric that can guide the decision maker. The first intuitive measure is the total probability that a final configuration survived, called Total Belief : the sum of probabilities of all possibilities where the final choice fulfill the enterprise’s objectives. If complexity is not a problem it is also easy to compute: just unroll all probabilities combining them into one big observable rule. Then gather every possible model that (i) is resulting from the evolution, (ii) includes the final design choice and (iii) fulfils the root objectives of the enterprise. Unfortunately, this measure might lead to a severe long-tail problem. This problem, firstly coined by Anderson [1], is present when a larger than normal population rests within the tail of the distribution. A long-tail example is depicted in Fig. 4 where an enterprise model EMmight evolve to several potential possibilities with very low probabilities (say, eleven possibilities with 5% each), and another extra possibility with dominating probability (say, the twelfth one with 45%). Suppose that an element A appears in the first eleven possibilities, and an element B appears in the last twelfth possibility. Apparently, A is better than B due to A’s total belief is 55% which is greater than that of B, say 45%. Arguing that A is better than B or versa is still highly debatable. Ones might put their support on the long tail [1], and ones do the other way round [10]. Our game semantics allows us to make an informed choice: at the end of the day, only one possibility becomes effective (i.e. chosen by Reality). If we thus consider every single possibility to be chosen, the twelfth one (45%) is the one with the highest pay-off by the Domain Expert. The other possibilities offers a substantial less chance of making money: Domain Expertwill only pay a 5% ROI for any of the other possibilities. It is true that globally A might be chosen by any of the 11 alternatives, but reality will not realized them all together. It will only chose one and each of them only have a ROI of 5%. Choosing the largest ROI is one of the possible alternatives. However, we need to be careful since Designer must invest M to build B before knowing whether it would pay off. So what is interesting for the Designer is a measure of the risks that its choice might turn out to be sour. We are currently investigating a number of alternatives. A possible solution is to consider the dual of the MaxBelief and namely the MaxRisk as the highest chances of a possibility
Dealing with Known Unknowns: A Goal-based Approach 13 where the configuration is not useful. To be more conservative, in this paper we consider as risk measure the complement of the Total Belief and namely the sum of the total chances that a configuration would turn out to be utterly useless. Building on the above considerations, we introduce two quantitative metrics: Residual Risk 1 and Max Belief as follows. Max Belief (MaxB): of an configuration C is a function that measures the maximum belief supported by Domain Expert such that C is useful after evolution happens. Residual Risk (RRisk): of an configuration C is the complement of total belief supported by Domain Expert such that C is useful after evolution happens. In other words, residual risk of C is the total belief that C is not useful when evolutions happen. They offer two independent dimensions upon which a designer can chose. Given an evolutionary enterprise model 〈EM, r o,r c〉, max belief and residual risk can be formally defined as follows. MaxB(C) max p i ∀EM p i −→EM i .EM i ∈SDA(C) X RRisk(C) 1 − ∀EM p i −→EM i .EM i ∈SDA(C) p i (1) where SDA(C) is the set of design alternatives which a configuration C comprises (or support), also called as design alternative set of a configuration C. The residual risk, as discussed, is the complement of total belief. Hence, for convenience, the Total Belief of C is denoted as: RRisk(C) = 1 − RRisk(C) The selection between two configurations based on max belief and residual risk is obvious: “higher max belief, and lower residual risk”. However, it is not always a case that a higher max belief configuration has lower residual risk. Thus decision makers should understand which criterion is more important. In this sense, these metrics could be combined using weighted harmonic mean. Suppose that w 1 , w 2 are weights of max belief and residual risk, respectively. The harmonic mean is defined as follow. w 1 + w 2 MaxB(C) · (1 − RRisk(C)) H(C) = w 1 MaxB(C) + w 2 = (1 + β) β · MaxB(C) − RRisk(C) + 1 1 − RRisk(C) where β = w 1/w 2 means max belief is β times as much important as residual risk. 1 One should not confuse this notion of residual risk with the one in security risk analysis studies which is different in nature.
Page 1 and 2:
D.3.3 ALGORITHMS FOR INCREMENTAL RE
Page 3 and 4:
1.14 19 January Final 1.15 23 Janua
Page 5 and 6:
Index DOCUMENT INFORMATION 1 DOCUME
Page 7 and 8:
1 Introduction This deliverable pre
Page 9 and 10:
(Clause 6.4.3) processes of ISO/IEC
Page 11 and 12:
3 Orchestrating Requirements and Ri
Page 13 and 14:
grey. The ADS-B introduction requir
Page 15 and 16:
The security risk manager identifie
Page 17 and 18:
are supported by the argumentation
Page 19 and 20:
ADS-B Manage ADS-B signal ADS-B sig
Page 21 and 22:
the stagnation suite (i.e. obsolete
Page 23 and 24:
5 A framework for modeling and reas
Page 25 and 26:
sectors. And there is 42% of probab
Page 27 and 28:
SDA(C) = {DA 2 , DA 4 , DA 8 , DA 1
Page 29 and 30:
application contexts is saved if th
Page 31 and 32:
Figure 14. ATM model state after qu
Page 33 and 34:
References [1] Yudis Asnar, Fabio M
Page 35 and 36:
Managing Changes with Legacy Securi
Page 37 and 38:
Failure in the provisioning of corr
Page 39 and 40:
propagated to the system designer a
Page 41 and 42:
APPENDIX B D.3.3 Algorithms for Inc
Page 43 and 44:
is sometimes difficult, especially
Page 45 and 46: Tactical Monitor air R controller t
Page 47 and 48: protected from harm. Since in CORAS
Page 49 and 50: CModel. The postcondtion checks the
Page 51 and 52: of ADS-B signal and Availability of
Page 53 and 54: extensions to i* to model and analy
Page 55 and 56: 3. Bzivin, J., Dup, G., Jouault, F.
Page 57 and 58: APPENDIX C D.3.3 Algorithms for Inc
Page 59 and 60: steps. Section V demonstrates the R
Page 61 and 62: that should be mitigated by the sys
Page 63 and 64: CPU value PINconfirmed(PIN, card-de
Page 65 and 66: TABLE IV PRIORITIZATION OF RISKS FO
Page 67 and 68: context. We believe that the Common
Page 69 and 70: Managing Evolution by Orchestrating
Page 71 and 72: 1.1 The Contribution of this Paper
Page 73 and 74: Fig. 3. Integrated Change Managemen
Page 75 and 76: The requirement analysis is an iter
Page 77 and 78: Table 1. Conceptual Interface Requi
Page 79 and 80: Legend: Goals surrounded by dashed
Page 81 and 82: Table 5. Test Suite for GP-2.2 Tran
Page 83 and 84: 6. P. K. Chittimalli and M. J. Harr
Page 85 and 86: Noname manuscript No. (will be inse
Page 87 and 88: Dealing with Known Unknowns: A Goal
Page 95: Dealing with Known Unknowns: A Goal
Page 113 and 114: Understanding How to Manage Require
Page 115 and 116: Chatzoglou et al. [4] conducted a s
Page 117 and 118: Evolution Elicitation Probability E
Page 119 and 120: Table 2. Participants Background Pa
Page 121 and 122: for the defined success criteria. O
Page 123 and 124: Fig. 3. Codes Coverage ATM systems,
Page 125 and 126: The feedbacks provided by the ATM e
Page 127 and 128: 3. P. Carlshamre, K. Sandahl, M. Li
Page 129 and 130: Quick fix generation for DSMLs Ábe
Page 131 and 132: • extensibility: the supported li
Page 133 and 134: Fig. 7. Overview of the Quick fix g
Page 135 and 136: Fig. 9. Evaluation results (|V(M I
show all

D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange

Create successful ePaper yourself

Delete template?

Save as template?