For most organizations, risk management based on ISO 31000 is an indispensable part of the overall management process, the objective of which is to systematically and proactively identify the current risk picture and to ensure that the necessary controls are in place to maintain risks at an acceptable level. For this purpose, adequate and efficient methods and techniques for risk assessment are required.
However, information systems and services become increasingly complex, heterogeneous, dynamic and interoperable. This is in particular the case for information and services that are provided over the Internet, with cloud services as a prominent example. Managing risks in such a setting is extremely challenging, and established methods and techniques are often inadequate. A main problem is that the overall risk picture becomes too complex to understand, and that the risks quickly and continuously change and evolve.In the AGRA project we address this challenge by developing a divide-and-conquer strategy to risk management where separate parts or aspects of a system or organization can be analyzed separately. Compositional techniques should then enable a systematic and sound composition of the individual risk models in order to derive the combined result.
An important feature of our approach is that the risk model composition shall be conducted without having to reconsider or re-investigate the internal details of the individual risk models. The latter is supported by our principle of risk model encapsulation, which involves hiding the internal details. Only the information that is required for a sound composition is visible via a well-defined risk model interface.
AGRA is funded by the Research Council of Norway and the following project partners:
Created: June 30, 2014. Last updated: May 29, 2015.