This is an HTML-based presentation of Chapter 3 of the CORAS book. Please cite: You may also freely download Chapter 3 of the CORAS book in PDF.

The Visio 2013 stencil for the CORAS icons is freely available.

The CORAS-language editor is freely available.

A Guided Tour of the CORAS Method

This chapter presents a guided tour of the CORAS method. As illustrated by Figure 1, the CORAS method is divided into eight steps. The first four of these steps are introductory in the sense that we use them to establish a common understanding of the target of the analysis, and to make the target description that will serve as a basis for the subsequent risk identification. The introductory steps include documenting all assumptions about the environment or setting in which the target is supposed to work, as well as making a complete list of constraints regarding which aspects of the target should receive special attention, which aspects can be ignored, and so forth. The remaining four steps are devoted to the actual detailed analysis. This includes identifying concrete risks and their risk level as well as identifying and assessing potential treatments for unacceptable risks.

Figure 1 The eight steps of the CORAS method

In the following sections we go through each of the eight steps of the CORAS method by means of a running example from the telemedicine domain. We follow two analysts in their interaction with an organisation by which they have been hired to carry out a risk analysis. They conduct the analysis according to the eight steps of the CORAS method.

Preparations for the Analysis

The purpose of Step 1 is to do the necessary initial preparations prior to the actual start-up of the risk analysis. This includes roughly setting the scope and focus of the analysis so that the analysis team can make the necessary preparations. It also includes informing the customer of its responsibilities regarding the analysis. We now introduce our example.

Customer Presentation of the Target

Step 2 involves an introductory meeting. The main item on the agenda for this meeting is to get the representatives of the customer to present their overall goals of the analysis and the target they wish to have analysed. Hence, during the second step the analysts will gather information based on the customer's presentations and discussions.

Before starting to identify and analyse potential risks to something, it is necessary to know exactly what this something is. What is the scope of the analysis, and what are the assumptions that we may make? In other words, we need to know what we are supposed to protect before we can start finding the threats against it and how it may be harmed, as well as how it should be protected. It is furthermore essential that the parties of the risk analysis and the analysts agree on a common terminology and how it should be used. They also need to arrive at a joint understanding of what should be the target of analysis, the assets to protect, the scope and focus, as well as all assumptions being made.

Figure 2 Picture of target

Refining the Target Description Using Asset Diagrams

The objective of Step 3 is to arrive at a more correct and refined understanding of the target and the objectives of the customer. This step also typically involves a meeting between the analysts and the representatives of the customer. The meeting is divided into three parts:

  1. presentation of the target as understood by the analysts;
  2. asset identification;
  3. high-level risk analysis.

The purpose of the presentation of the target by the analysts is to correct misunderstandings on behalf of the analysts and to settle issues in need of clarification. The asset identification involves pinpointing the most important valuables of the parties of the analysis. The parties typically include the customer, but may also be other relevant stakeholders with respect to the target in question. The assets are the things or entities that these parties want to protect, and are the real motivation for conducting the risk analysis in the first place. The identified assets are documented using so-called asset diagrams. Asset diagrams are one of five kinds of diagrams offered by the CORAS risk modelling language. The other four play important roles in later steps of the CORAS method, as we will see. Common to all five kinds of diagrams is that they make use of partly overlapping subsets of the graphical symbols presented in Figure 3. In the case of asset diagrams the subset consists of the two symbols for asset and the one for party.

Figure 3 Symbols of the CORAS risk modelling language

The main purpose of the high-level analysis is to get an overview of the main threats and risks with respect to the identified assets, in particular at an enterprise level and from the perspective of the decision makers. The high-level analysis helps the analysts in identifying the aspects of the target that have the most urgent need for in-depth analysis, and hence makes it easier to define the exact scope and focus of the full analysis.

Figure 4 Class diagram showing the target concepts
Figure 5 Collaboration diagram illustrating the physical communication lines
Figure 6 Activity diagram describing the parallel processes of the GP
Figure 7 Asset diagram
Table 1 High-level risk table

Approval of the Target Description

Step 4 also typically involves a separate meeting, but may alternatively be conducted by email or other means of communication. The main objective of Step 4 is to agree on the description of the target to be analysed, including scope, focus and all assumptions, and for the customer to approve the description. Important aspects of the target documentation are definitions of scales for likelihoods and consequences, as well as risk evaluation criteria. The formulation of these aspects is a sub-task of Step 4.

We often need multiple consequence scales, since it is frequently difficult or inappropriate to measure or describe damage to all assets according to the same scale. It is easier, for example, to measure income in monetary values than to do the same for company brand. There should be only one likelihood scale for the analysis, based, for example, on time-intervals such as years, weeks and hours, or on probabilities. The last activity of the approval step is to decide upon the risk evaluation criteria. These criteria characterise the minimal level of risk required for a risk to deserve a detailed evaluation for possible treatment. Step 4 should not terminate before the full documentation as prepared by the analysts has been approved by the customer.

Table 2 Asset table
Table 3 Likelihood scale
Table 4 Consequence scale for Health records
Table 5 Risk evaluation matrix

Risk Identification Using Threat Diagrams

Step 5 is organised as a workshop gathering people with expertise on the target of analysis. The goal is to identify as many potential unwanted incidents as possible, as well as threats, vulnerabilities and threat scenarios.

To do this identification we make use of a technique called structured brainstorming. Structured brainstorming may be understood as a structured walk-through of the target of analysis and is carried out as a workshop. The main idea of structured brainstorming is that since the participants of the analysis represent different competences, backgrounds and interests, they will view the target from different perspectives and consequently identify more, and possibly other, risks than individuals or a more homogeneous group would have managed.

The findings of the brainstorming are documented using CORAS threat diagrams, which are the second kind of diagrams offered by the CORAS risk modelling language.

Figure 8 Initial threat diagram for accidental actions
Figure 9 Initial threat diagram for deliberate actions
Figure 10 Initial threat diagram for non-human threats
Figure 11 Final threat diagram for accidental actions

Risk Estimation Using Threat Diagrams

When the threat scenarios, unwanted incidents, threats and vulnerabilities are properly described in threat diagrams, it is time to estimate likelihoods and consequences. This is the main task of Step 6, which is also typically conducted as a structured brainstorming. The likelihoods and consequences are needed in order to compute the risk values, which are used to decide whether risks are acceptable or should be further evaluated for possible treatment.

The participants of the brainstorming session provide likelihood estimates based on their judgements, or give advice with respect to how they may be determined from historical data that they are aware of. Since risk values are calculated from the likelihoods of unwanted incidents, and not of threat scenarios, the unwanted incidents are the main focus of the likelihood estimation. However, if the likelihood of an unwanted incident is hard to determine or very uncertain, we may try to deduce the value from the likelihoods of the threat scenarios and unwanted incidents to which it is directly related. The documentation of information about the likelihoods of threat scenarios is useful also because it shows the most important sources of risk. This gives a more detailed risk picture and furthermore serves as a basis for determining where to direct treatments.

Consequences are estimated for each relation from an unwanted incident to an asset. The consequence values and the likelihood values are taken from the consequence scale of the asset and the likelihood scale, respectively, as defined during Step 4.

Figure 12 Threat diagram with likelihood and consequence estimates
Table 6 Combined likelihood estimates

Risk Evaluation Using Risk Diagrams

Step 7 involves giving the customer the first overall risk picture. This will typically trigger some adjustments and corrections of the information documented so far. The objective of the risk evaluation is to determine which of the identified risks must be considered for possible treatment, based on the risk estimation of the previous step as well as the risk evaluation criteria.

The risk evaluation furthermore includes the estimation and evaluation of the risks with respect to the indirect assets. Because the indirect assets are harmed only through harm to the direct assets, the relevant unwanted incidents with likelihoods are already identified. What remains is to determine the consequence of the harm to the direct assets on the related indirect assets. For the purpose of this we need to define a consequence scale for each of the indirect assets, and we need to define their risk evaluation criteria.

Figure 13 Harm to indirect assets

Once all the relevant unwanted incidents have been identified, and their likelihoods as well as consequences for both direct and indirect assets have been estimated, we are ready to evaluate the risks.

Table 7 Risk evaluation matrix with risks
Figure 14 Risk diagram
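The bookkeeping behind Steps 6 and 7, as an added example that is not part of the chapter: one likelihood scale, a consequence scale per asset, a risk evaluation matrix per asset, and harm to indirect assets derived from harm to direct assets. All scale values, the "Company brand" asset, the incidents and the matrices are constructed for illustration and are not the book's Tables 3 to 7.

```python
# Constructed CORAS-style risk evaluation (Steps 6-7). Scales, incidents,
# matrices and the "Company brand" asset are illustrative, not the book's tables.
from dataclasses import dataclass

# Single likelihood scale (Step 4), ordered from least to most frequent.
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "certain"]

# One consequence scale per asset. "Health records" is the direct asset named in
# the chapter; "Company brand" is a constructed indirect asset.
CONSEQUENCE = {
    "Health records": ["insignificant", "minor", "moderate", "major", "catastrophic"],
    "Company brand": ["insignificant", "minor", "moderate", "major", "catastrophic"],
}

# Risk evaluation criteria per asset: rows follow LIKELIHOOD, columns follow the
# asset's consequence scale; "E" = must be evaluated for treatment, "A" = acceptable.
CRITERIA = {
    "Health records": ["AAAAE", "AAAEE", "AAEEE", "AEEEE", "EEEEE"],
    "Company brand":  ["AAAEE", "AAEEE", "AEEEE", "EEEEE", "EEEEE"],  # stricter
}

@dataclass(frozen=True)
class Risk:
    incident: str      # unwanted incident from the threat diagram
    asset: str         # asset harmed by the incident
    likelihood: str    # value on LIKELIHOOD
    consequence: str   # value on CONSEQUENCE[asset]

def needs_treatment(risk: Risk) -> bool:
    """Look the risk up in its asset's own risk evaluation matrix."""
    row = LIKELIHOOD.index(risk.likelihood)
    col = CONSEQUENCE[risk.asset].index(risk.consequence)
    return CRITERIA[risk.asset][row][col] == "E"

def indirect_risks(direct: list, harm: dict) -> list:
    """Indirect assets are harmed only via direct assets, so each derived risk keeps
    the incident's likelihood; only the consequence is re-estimated on the indirect
    asset's scale. `harm` maps (incident, direct asset) -> [(indirect asset, consequence)]."""
    return [Risk(r.incident, ind, r.likelihood, cons)
            for r in direct for ind, cons in harm.get((r.incident, r.asset), [])]

def evaluate(direct: list, harm: dict) -> dict:
    """Return {(incident, asset): True if the risk must be evaluated for treatment}."""
    return {(r.incident, r.asset): needs_treatment(r)
            for r in direct + indirect_risks(direct, harm)}

# Constructed Step 6 estimates for two unwanted incidents against the direct asset.
DIRECT = [
    Risk("Health record disclosed", "Health records", "unlikely", "major"),
    Risk("Health record unavailable", "Health records", "possible", "minor"),
]
HARM = {("Health record disclosed", "Health records"): [("Company brand", "moderate")]}

if __name__ == "__main__":
    for key, flag in evaluate(DIRECT, HARM).items():
        print(key, "evaluate" if flag else "acceptable")
```

The derived brand risk lands in an "E" cell only because the indirect asset has its own, stricter criteria; under the Health records matrix the same likelihood and consequence would have been acceptable.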

Risk Treatment Using Treatment Diagrams

Step 8 is devoted to treatment identification, as well as addressing cost-benefit issues of the treatments. A main task of Step 8 is the treatment identification using CORAS treatment diagrams, which is also often organised as a workshop. The risks that are not acceptable are all addressed in order to find means to reduce their likelihood and/or consequence. Since treatments can be costly, they are assessed with respect to cost-benefit, before a final treatment plan is made. The initial treatment diagrams are similar to the final threat diagrams except that unwanted incidents are replaced by the risks from the risk diagram.

Figure 15 Treatment diagram
Figure 16 Treatment overview diagram

Created: December 10, 2016. Last updated: January 5, 2017.