Building an Experience Factory for a Model-based Risk Analysis Framework Chingwoei Gan, Eric Scharf Department of Electronic Engineering, Queen Mary University of London E1 4NS, United Kingdom {chingwoei.gan, e.m.scharf}@elec.qmul.ac.uk Abstract: This paper describes the integration of an experience factory in a model- based risk analysis framework called CORAS1. CORAS aims at developing a new model-based risk analysis framework for security critical application. The framework’s cornerstone of combining methods for risk analysis of critical systems and semiformal modelling methods in a tool-supported environment targeting openness and interoperability has not been tried before. We adapted the experience factory concept to fit our needs in documenting and exploiting the risk analysis results, as well as to support the structured process of risk management. Our internet-enabled experience factory takes advantage of XML as the vehicle for data exchange within an environment that involves heterogeneous tools. The effectiveness of the framework will be reviewed and measured against the objectives of the project during planned future trials. 1 Introduction The increased reliance of modern businesses and corporations on IT-related services imposes new and increasingly demanding requirements on the underlying infrastructure. An unambiguous understanding of the limitations of the existing infrastructure – through risk analysis - has become an important prerequisite for designing new services with a satisfactory degree of security. Risk analysis is now considered a useful and critical means for abstracting information from reality into a more formal description. Its importance has been recognized in the process industry, finance and business areas where methods for risk management have been developed [Di02]. Traditionally, risk analysis of security critical systems is performed on the basis of informal descriptions of the target of evaluation. Such an approach is prone to misunderstandings [St02]. Further, the growing complexity of today’s systems urges the improvement of existing methods of analyzing systems and their security specification in order to increase the likelihood that all possible security threats are taken into consideration. Consequently, the demand for a more orderly and formal treatment of risks is getting greater. 1 CORAS is a research and development project under the European Information Society Technologies Fifth Framework Programme (IST-2000-25031), to be completed by July 2003; website: http://www.nr.no/coras More recently we have witnessed the emergence of an improved methodology for security risk assessment in CORAS [Aa02, St02, Gu02, Iv02] and other similarly-motivated projects such as Reactive System Design Support (RSDS) [LAC00, La00, LAK00] and Surety Analysis [WCF99]. These initiatives share one thing in common – the integration of state-of-the-art Unified Modelling Language (UML) based methodology and conventional risk analysis techniques including Fault Tree Analysis (FTA), Failure Mode and Effect Criticality Analysis (FMECA) and Hazard and Operability study (HAZOP). CORAS, on which the main subject of this paper is built, aims to produce an improved methodology for precise, unambiguous, and efficient risk analysis of security critical systems. The focus of the CORAS project is on the tight integration of viewpoint- oriented visual modelling in the risk assessment process. An important aspect of the CORAS project is the practical use of UML in the context of security and risk assessment. A further overview of CORAS and its methodology can be found in Section 2. During risk assessment, knowledge and experiences are gained, other computerized tools are queried and a lot of documents of different types are produced by the risk analysis team. In the context of CORAS, this includes UML diagrams, textual report, tree diagrams, tables, guidelines and many others. It is a non-trivial task when dealing with information of such volume and variety in a heterogeneous operating environment. Further, the risk management process is an elaborate process, involving both humans and computerized tools, and as such, is prone to delays and errors. A system is needed which effectively manages, queries and reuses different types of risk analysis results according to a given assessment scenario. We have implemented such a system, known as the CORAS platform, designed to integrate the various components, technologies and results - risk analysis methods, semiformal methods, object-oriented modelling methods, and tools - into an overall tool-supported CORAS framework/process. A framework that attempts to operate within an organization and to realize the goal of organizational learning will require some measure of Knowledge Management (KM). We have chosen to incorporate the concept of Experience Factory (short: EF [BCR94]) into the CORAS platform. EF is an example of knowledge management approach initially designed for software organizations. In our work to carry out model-based risk assessment, we have found that a tailored version of the experience factory approach is beneficial for creating a learning organization even though the main subject of our project does not fall into the conventional category of software development. The CORAS experience factory is the first known application of EF in the field of model-based risk analysis. In this paper we introduce the CORAS framework (Section 2) and how this framework is supported by our adapted experience factory (Section 3) - including certain design issues, taxonomy of our experience package and the experience repository - in order to document and exploit the risk analysis results effectively. We also look at the various issues faced during development, and the rationale behind the choice of using XML as the building blocks of our CORAS platform and the decision to adopt a web-based approach. Finally, we summarize our experiences and conclude with future directions in Section 4. 2 CORAS Framework 2.1 Overview of the CORAS Framework The CORAS framework has four main anchor-points – a risk management process based on AS/NZS 4360 2 and ISO/IEC 17799 3 , a risk documentation framework based on Reference Model for Open Distributed Processing (RM-ODP) viewpoints architecture, an integrated risk management & development process based on (Rational) Unified Process and a XML-based tool independent platform. This framework is also characterised by a careful integration of aspects from partly complementary risk assessment methods like HAZOP, FTA, FMECA, Markov analysis and CRAMM4 . A more in-depth discussion into each of these anchor-points is covered in [Aa02, St02, Gu02, Iv02]. For the purpose of this paper, we focus only on the CORAS risk documentation framework and the CORAS platform, for which an EF has been set up. 2.2 CORAS Risk Documentation Framework The CORAS risk documentation framework divides the RM-ODP viewpoint structure into 22 concerns targeting security in general and model-based risk assessment in particular. Implicit within the risk documentation framework is the CORAS risk management process (Figure 2.1), which is to be performed in a sequential fashion. Each cross-viewpoint concern is tied to a particular sub-process within the risk management process, and may contain concrete elements which are relevant for the purpose of risk assessment. One or several of its viewpoints may be empty, depending on the concern in question as well as the target and rigour of evaluation. However if not empty, each concern-viewpoint will contain a set of element instances. Different instances of the same element may occur within different viewpoints of the same concern. Elements can be classified into: • Elements containing non-CORAS specific documentation, which refers to elements that are not prepared as a part of the CORAS risk management process. • Modelling elements expressed in UML. • Reports and logs from intrusion detection systems, as well as computerised vulnerability & threat management tools . • Risk assessment tables and FTA tree diagrams . For simplicity, we refer to these elements as experience from hereon. 2 Australian/New Zealand Standard AS/NZS 4360:1999: Risk Management. 1999. 3 ISO/IEC 10746 series: Basic reference model for open distributed processing. 1995. 4 Central Computer & Tele-communications Agency’s Risk Analysis and Management Methodology. CORAS Risk Management Process 1. 2. 3. 4. 5. Subprocess Identify Context Identify Risks Analyse Risks Evaluate Risks Treat Risks Activity 1.1 1.2 1.3 1.4 2.1 2.2 2.3 3.1 3.2 4.1 4.2 4.3 4.4 4.5 5.1 5.2 risk theme relationship risk evaluation criteria treatment assessment target of evaluation unwanted incidents risk theme priority risk management treatment priority security policies vulnerabilities organisational risk estimates consequence risk priority risk themes frequency treatment approval SWOT system threats assets technology engineering computational information enterprise Concerns Viewpoints Figure 2.1 CORAS Risk Documentation Framework 2.3 CORAS Platform From a conceptual view, the CORAS platform, or better understood as the computerized part of the CORAS framework, integrates experience from three broad categories of toolkits or applications. The resulting experience will be sorted and stored in the platform according to the CORAS risk documentation framework. The motivation behind such a high level of data integration and tools interoperability is to ensure broad applicability of CORAS. The pre-requisite to achieving this goal is therefore to have a common data exchange format that is capable of open sharing, in which case the universal XML format has been chosen. Besides, given the ubiquity of XML-related tools, we can reduce the cost and time of deployment significantly. The three categories of toolkits that can conceivably communicate with the CORAS platform are: UML Comp uter Aided Software Engineering (CASE) tools, risk assessment tools and intrusion detection tools (including vulnerability & threat management tools). Each toolkit category generates experience in a specific XML data model that can be transported and exchanged within the confine of the platform. Some of the supported XML data models are: • Data based on XML Metadata Interchange (XMI) standardised by the Object Management Group and targeting tools for UML modelling. • XML-compliant data format targeting risk assessment tools. • Data based on Intrusion Detection Messaging Exchange Format (IDMEF). IDMEF is an XML data model designed to represent the information exported by the intrusion- detection systems. • XML-compliant data format targeting vulnerability assessment tools. Figure 2.2 illustrates the concept behind the CORAS integration platform. (Target of Assessment) VA Tool Security Critical System (Nessus ) FMECA FTA HAZOP TM Tool Tools Tools Tools (Snort) UML CASE Tools CORAS XMI XML IDMEF Models in Output IDMEF Data Data Data UML XML IDMEF CORAS XMI CORAS CORAS Platform Specific Specific Tags Tags Reusable Assessment Elements Repository Repository CORAS Repository Figure 2.2 CORAS Integration Platform Given our conceptual view of the CORAS platform, we discovered a list of high-level requirements that the platform should satisfy. The requirements are as below: • The CORAS platform shall support geographically distributed organizations allowing them to share and manage experience packages remotely. • The repository shall be robust, reliable and portable to standard computer platforms . • The GUI shall be platform independent, and allow for visual information navigation. • The data model shall be simple but powerful enough to model diverse classes of experience packages. The CORAS platform will adapt to the current practices, processes, and products or different organizations, and not vice-versa. • To allow for effective and efficient use of the repository, the CORAS platform shall be furnished with easy-to-use GUIs and search mechanisms enabling the users to “plug into” the platform, thereby manipulate experience they deem relevant. • The platform shall increase the reusability of CORAS results and to promote the sharing of such results, as well as to improve the effectiveness and efficiency of model- based risk assessment. Armed with these requirements, we embarked to discover other strategies that are needed in building an EF for the CORAS framework. 3 Experience Factory in CORAS 3.1 Appl ying the EF approach to CORAS As part of a concerted effort for improving risk assessment, in the project we are concerned with establishing an experience management system at both logical and physical organizational level that supports the unique model-based risk assessment approach of CORAS. We need a system that can analyze and synthesize our assessment results and experience, acting as a repository for such experience, and supplying that experience to future assessments on demand. The EF approach aims to establish an organizational infrastructure to facilitate systematic and continuous organizational learning through the sharing and reuse of experiences in software engineering [BCR94]. It is clear from the beginning that the EF concept was motivated by the lack of understanding of the nature of software and software development in software business. To some extent, software is different from most products. First of all, software is developed in the creative, intellectual sense, rather than produced in the manufacturing sense. Each software system is developed rather than manufactured. Likewise in the context of CORAS, risk management is an evolving process developed in an iterative and interactive manner, instead of being carried out in a simple straight-line process. Secondly, there is a non-visible nature to software. Unlike an automobile or a television set, it is hard to see the structure or the function of software. Similarly for CORAS, the outcome of the risk management process is not immediately apparent. The CORAS risk management process requires understanding, continuous improvement, and the packaging of experience for reuse. Hence, the EF approach seems like a good fit for CORAS. However, we have not, at least at the present time, incorporated the entire EF concept within our framework, as has been accomplished by a number of software development organizations including SEL-NASA [Ba02, Ba92], FC-MD [Ba01], PERFECT [Pe96] and Daimler Benz AG [HSW98]. One reason is that the EF/QIP approach remains a theoretical, abstract framework, which lacks explicit and easily applicable guidelines on implementation (also pointed out in [HSW98, KJL00]). The time aspect is also a critical point, for instance the EF at NASA evolved over 15 years whereas our EF is supposed to be running within 6 months! Thus, our objective is to build a scale-down but functional EF, tailored to our specific organizational need within the shortest possible time -frame, without the overhead – both time and resources – that is normally required of an organization wishing to tap into the many benefits of EF. 3.2 Building the EF – Top-down Approach There are two approaches to starting an EF – top-down or bottom-up. The top-down approach compares and organization’s process with some generally accepted standard process. Five key steps characterize the top-down approach [KJL00]: (1) Obtain commitment (2) Establish structure (3) Establish processes (4) Produce baseline (5) Identify potential changes. The bottom-up approach assumes that process change must be driven by an organization’s goals, characteristics, product attributes, and experiences. In CORAS there are four existing standardization initiatives: (1) AS/NZS 4360 (2) ISO/IEC 17799 (3) UP (4) RM -ODP. These initiatives were already glued together in a comprehensive risk analysis framework. The goal is to provide the facility to support a smooth operation of such a framework. It was obvious that the top-down approach is most suitable for our purpose, so any change will be driven and guided, not by experience, but by a set of best practices and the inherent organizational requirements. EF is based on the Quality Improvement Paradigm (QIP). The QIP focuses on the notion that improving the software process requires the continual accumulation of evaluated experiences (learning) in a form that can be effectively understood and modified (experience models) into a repository of integrated experience models (experience base) that can be accessed and modified to meet the needs of the current project (reuse) [BCR94]. This paradigm implies the logical separation of project development (performed by the Project Organization) from the systematic learning and packaging of reusable experience (performed by the Experience Factory) [ABT00]. In particular, the EF analyses and synthesizes all kinds of experiences drawn from these projects, acts as a repository for such experiences by documenting, storing, qualifying, and updating them using a so-called experience base (EB; Figure 3.1), and supplies those experiences back to projects on demand. The task of the EF, besides support during the risk assessment process, is to package experience by building informal, formal or schematized various risk management processes, components and other forms of knowledge. Experience Factory Organization Project #1 CORAS Experien ce Base Project Organization Experience Factory Figure 3.1 EF Organization The interacting PO and EF also realize two feedback loops, a project feedback loop that takes place in the usage phase and an organizational feedback loop that takes place after a project is completed. The second feedback loop changes or improves the organization’s understanding of risk assessment by packaging and reusing experience and making it accessible to future projects. New methods and techniques can be defined or old ones refined. 3.3 Information Structure for the EF * 1 Project 1 uses 1 creates Reusable element repository Repository Assessement repository 1 version : undefined last_updated : undefined is organised by 1 Concern 1 n 1 1 * * 5 is divided into belongs to * Reusable element Element * 1 Viewpoint is linked to* * Risk analysis element CORAS experience package author : string date of creation : string finalized : boolean description : string assessment area : string linked to : undefined title : string list of elements : undefined Figure 3.2 Information Structures for the CORAS Repository and CEP In practice, the result of the PO is the Assessment Repository while the EF materializes in the form of a Reusable Element Repository (Figure 3.2). From the information structure, it is clearly seen that the content of a concern with respect to a particular viewpoint is found in the element class itself. Elements in this respect are all kind of experience stored either in AR or RER. The RER focuses on storing reusable UML models, table patterns and formats, as well as supporting the process of experience internalization in an effort to improve the risk management practice. The AR focuses on storing and delivering concrete experience from already completed assessments and/or assessments in progress. Although the roles of the AR and RER are separate, they interact to support each other. Further, though not shown, the reusable element class and risk analysis element class inherit from the XML data models (or types). During the design stage, a proposal to incorporate the CEP as part of the elements was also considered, but eventually abandoned. The reasons being that – firstly, to impose package type at the lowest level, i.e. by integrating any specific information inside the UML model itself will be troublesome as there are many different types of UML diagram, which prohibits a clear-cut approach (if only there is just one type of diagram - class diagram!); secondly, one could encode any additional CORAS-specific tags in the generated XML output but this approach by means of post-rendering complicates the process of information exchange with the repository and may result in a non-canonical XML document. The internal data structure of both sub-repositories mirror the decomposition model that links together CORAS concerns and viewpoints as outlined previously in Figure 2.1. The sub-repositories are also organized into groups of elements which we regard as CORAS Experience Packages – the main product of our EF. Such packaging scheme functions by giving a structure on how to cluster together various experience in support of the operation of the CORAS platform. 3.4 CORAS Experience Package As a means to support efficient manipulation of the repository, a unique CORAS Experience Package (CEP) class has been introduced into the information structure. One or more element(s) in the repository can be linked to a CEP class, which is also an element per se. A CEP class is described by three parts: (i) a characterization part used to classify packages in the experience base; (ii) a relationship part used to establish relations between packages; and (iii) a body part that contains the content of the experience package itself. Each CEP is associated with a package type that defines the type of attributes that will be used in its characterization part; the type of links that will be used in its relationship part, and the type of entities that will compose its body. Package attributes contains well-defined naming and typing. These attributes build classification taxonomy for each CEP. The attributes effectively define facets that are filled in by the author of an experience package to characterize the package being submitted to the repository. These attribute values are then used to search the repository for packages of interest. Package attributes are typed as “title”, “author”, “date of creation”, “description”, “finalized” and “assessment area”. Package links also have well-defined naming and typing. As they are used to establish relationships between packages, a package link can be typed as a pointer to a CEP or a list of them. The CORAS platform is built atop of a web-based native XML database that supports URL addresses as pointers to internal CEPs. For this reason, a link can be typed as a URL address or a list of them. Package entities are typed as an element or as a list of elements. There is no constraint on the type pf elements that can be stored within a package. From a practical point of view, the repository may store of wide variety of elements that capture experience, including annotation and feedback. An example of important constituents is guidelines and methodology for the use of UML to support the risk assessment methodology. Package entities can also employ similar URL referencing mechanism as package links. Figure 3.3 illustrates the properties of a CEP, along with its attributes, links and entities in the top left dashed box of the diagram. In the bottom is an instance of a CEP with all the parameters instantiated. The arrows show the association between linked entities and their original representation (in the forms of tables, UML diagrams, fault tree etc.). The CEP class is an important component, without which the EF concept would not have been possible to be put to practise. The usefulness of the CEP is summarized as follows: - All CEP attributes are useful for searching. - CEP links are useful for associating present CEP with other similarly motivated CEP. - CEP entities contain useful experience for reuse. Generally, CEP allows experience to be packaged in a systematic and structured manner thereby fulfilling our initial goals. Similar to the JCI EMS [Li02], the CORAS experience management system consists of only one package type, making it a specialized experience base, exclusively for risk analysis elements. It is also possible to have different types of CEPs, for instance a package of type “Project” that may be useful in cataloguing groups of smaller packages. Attributes Title: string CORAS Experience CEP2 Author: string … Date of creation: string Package Type … Description: string … Finalized: Boolean Disclosure of patient data over network Assessment area: string Disclosure of data through the firewall Disclosure during transfer on ISP Disobedient users (from Internet) network,dueto physical access D Links Special hw and sw at Special hw and sw at Unauthorised use Anyother connectionto Installation of "malicious" sw by Linked to: linked to other CEPs thelines(OTE, theswitches ofATTRACT Internetfrom ATTRACT users users that disobeys Vodaphone) (FORTHnet) rules thatdisobeysrules 21 <> <>2 3 22 24 Theme1 Theme2 Asset3 Each box can be split into two boxes, with an AND-gate between Asset1 value =1 value = 3 CriteriaID Criteriadescription Asset4 Asset5 Entities … Asset2 value = 5 value =7 value =3 <> <> List of elements: linked to other elements Stakeholder1 Stakeholder2 CEP1 Title: Telemedicine Trial 2 Linked to: CEP2 Author: Eva S & Eva S Date of creation: September 9 2002 List of elements: Description: teleconsultation services in cardiology swot1.xml Finalized: No sys_desc.xml Assessment area: Telecardiology, WebOnCOLL abstract.xml Figure 3.3 CEP and its instantiation 3.5 Technologies for Deployment One of the aspects in which experience management differs, or rather expands fro m knowledge management is that the former also looks at the methods and technologies that are suitable in facilitating the necessary process. Here, it is important to note that EF, as an important ingredient of experience management system, can benefit fro m the use of tools. Thus, one of the crucial decisions to be made when building an EF infrastructure is the choice between using open-source technologies or proprietary tools such as Lotus Notes - a workflow application, SpotFire - a Visual Query Interface (VQI) tool [Ma01] or Nvivo [Pe96]. We examined the potential of applying workflow and VQI technologies to the specific problem in CORAS, but decided they had inadequate support for retrieval. Tools like Nvivo can be used to automate the searching and coding, as well as facilitate searching for trends and packaging the results. However the tool is not portable to the Web, which is one of our project requirements. The fact that none of these tools are open- source tools is superfluous. Consequently, we decided to implement our system utilizing a suite of open-source tools, built upon a native XML database called eXist5 . eXist is tightly integrated with Apache’s Cocoon6 publishing framework. Cocoon offers a powerful mechanism called XSP to write XML-based dynamic web pages which fits well with eXist’s search engine that has been designed to provide fast XPath queries, using indexes for all elements, text and attribute nodes. eXist is lightweight and well suited for the deployment of our repositories. The server is accessible through easy to use HTTP and XML-RPC interfaces and supports the XMLDB API for Java programming. Furthermore, the latest version of eXist also supports Web-based Distributed Authoring and Versioning (WebDAV) a powerful HTTP extension that allows users to collaboratively edit and manage files on remote web servers. Some of the advantages of adopting a web-based approach are: -The system can be easily deployed across different platform and OS, making it a highly distributed and portable solution. -The system can be extended to interoperate with future web services to provide additional value-added functionalities. 3.6 Initial Results and Trials Six trials have been planned for the CORAS project; three within e-commerce (one of which has already been completed) and three within telemedicine (two of which has been completed) to measure the effectiveness of the framework. The completed trials were conducted prior to the completion of the prototype CORAS platform, so no substantial findings on the use of the platform are currently available. However, initial informal evaluation of the platform, which focused mainly on its usability and linked interfaces, has found the system to be acceptable. Users are able to navigate and query the repository, as well as to manipulate results via the CEPs. Future trials will evaluate the platform and test its effectiveness in supporting the CORAS methodology. 5 Open-source XML database, largely developed by Wolfgang Meier (http://exist.sourceforge.net) 6 Open-source XML publishing framework (http://xml.apache.org/cocoon) 4 Conclusion and Future Work In this paper we described an ongoing work that aims to build a generalized Experience Factory approach into CORAS, which is model-based risk analysis framework for security critical applications. The planned usage of the platform is geared towards consistent use and integration into the CORAS risk management process. The purpose is to promote the reuse and sharing of risk analysis results, as well as to improve the effectiveness and efficiency of model-based risk assessment. We looked at the properties of the prototype EF-driven CORAS platform including the information structure of the repository and its experience package. The prototype and its web approach, takes advantage of modern technologies like XML for distributed storage, access and dissemination of relevant knowledge. The prototype encompassed only some of the automated features that are required of a system aimed at supporting an EF. Much technical and organizational work are pending. The ultimate goal of an EF -driven system is to turn an organization into one which is shaped by constant learning. Therefore, having obtained and stored the explicit knowledge/experience in the experience base, the next step is to ensure that such experience is internalized as active knowledge and practical skills. This is still a largely semi-automated process in CORAS which indicates room for further research and improvement. Immediate plans have been made to extend the functionality of the CORAS platform. This includes adding: (1) automatic consistency and semantic translation for the stored experiences (for instance between a RA table and UML model) (2) content management features: authentication and backup (3) an XML data model targeting model-based risk analysis (currently absent in the XML industry). Acknowledgement The authors wish to thank the European Commission for supporting the CORAS project, as well as all the partners from the project consortium - CTI (Greece), FORTH (Greece), IFE (Norway), Intracom (Greece), NCT (Norway), NR (Norway), RAL (UK), Sintef (Norway), Solinet (Germany) and Telenor (Norway) – for their excellent contribution and cooperation. Bibliography [Aa02] Aagedal, J. Ø., Braber, F. den, Dimitrakos, T., Gran, B. A., Raptis, D., Stølen, K.: Model-based Risk Assessment to Improve Enterprise Security, 6th IEEE International Enterprise Distributed Object Computing Conference, September, 2002. [ABT00] Althoff, K.-D., Bomarius, F. & Tautz, C.: Knowledge Management for Building Learning Software Organizations In Information System Frontiers Journal, Vol. 2, Nr. 3/4, 349-367, 2000. [Ba92] Basili, V.; Caldiera, G.; McGarry, F.; Pajerski, R.; Page, G.; Waligora, S.: The Software Engineering Laboratory-an Operational Software Experience Factory, International Conference on Software Engineering, 1992. [Ba01] Basili, V.; Costa, P.; Lindvall, M.; Mendonca, M.; Seaman, C.; Tesoriero, R.; Zelkowitz, M.: An experience management system for a software engineering research organization, Proceedings of the 26th Annual NASA Goddard Software Engineering Workshop, 2001. [Ba02] Basili, V.R., McGarry, F.E., Pajerski, R., Zelkowitz, M.V.: Lessons learned from 25 years of process improvement: The Rise and Fall of the NASA Software Engineering Laboratory, Proceedings of the 24th International Conference on Software Engineering, 2002. ICSE 2002. May 2002. [BCR94] Basili, V. R., Caldiera, G., and Rombach, D. H.: The Experience Factory, Encyclopaedia of Software Engineering -2 Volume Set, pp. 469-476, 1994. [Di02] Dimitrakos, T. et al.: Integrating Model-based Security Risk Management into e- Business Systems Development. 2nd IFIP Conference on e-commerce, e-business, e- government. Lisbon, 7-9 October, 2002. [Gu02] Gustavsen, T.S., Houmb, S-H., Gran, B. A. Stølen, K.: Security Risk Analysis in e-Commerce, 7th Nordic Workshop on Secure IT Systems 2002. [HSW98] Houdek, F., Schneider, K. and Wieser, E.: Establishing Experience Factories at Daimler Benz: An Experience Report, Proc. 20th Int’l Conf. on Software Engineering, Kyoto, May 1998. [Iv02] Djordevic, I., Gan, C., Scharf, E., Mondragon, R. et al.: Model-based risk management of security critical systems. In Proc. Risk Analysis III, series: Management Information Systems, Vo lume 5, WIT Press, 2002. [KJL00] Koennecker, A., Jeffery, R., Low, G.: Implementing an experience factory based on existing organisational knowledge, Proceedings of the 2000 Australian Software Engineering Conference, 2000. [La00] Lano, K., Clark, D., Androutsopoulos, K. and Kan, P.: Invariant-based Synthesis of Fault-tolerant Systems. TRTFT 2000, Pune, India, 2000. [LAC00] Lano, K., Androutsopoulos, K. and Clark, D.: Structuring and Design of Reactive Systems using RSDS and B. FASE 2000, LNCS, Springer-Verlag, 2000. [LAK00] Lano K., Androutsopoulos, K. and Kan, P.: Structuring Reactive Systems in B AMN. In ICFEM 2000, IEEE Computer Society Press, 2000. [Li02] Lindvall, M., Frey, M., Costa, P., Tesoriero, R.: Lessons Learned about Structuring and Describing Experience for Three Experience Bases, Lecture Notes in Computer Science, 2001. [Ma01] Manoel Gomes de Mendonça Neto, Carolyn B. Seaman, et al.: A Prototype Experience Management System for a Software Consulting Organization. Proceedings of the International Conference on Software Engineering and Knowledge Engineering (SEKE01), Buenos Aires, Argentina, June 2001. [Pe96] PERFECT Consortium: PIA Experience Factory, The PEF Model, ESPRIT Project 9090, D-BL-PEF-2-PERFECT9090, 1996. [St02] Stølen, K. et al.: Improving security through model-based risk assessment, Business CBSE Chapter 11, Kluwer Academic Publishers, 2002. [WCF99] Wyss G., Craft, R., and Funkhouser, D.: The Use of Object-Oriented Analysis Methods in Surety Analysis. Sandia National Laboratories Report, 1999.