CORAS

Funding Agency: EC/DG-Information Society
Programme: IST-2000-25031
Programme Nature: 5th Framework Programme R&D project
Coordinator: Telenor AS, Oslo, Norway
Start Date: 01.11.2001
Expiration Date: 30.06.2003
Duration: 20 months
Total Budget: 4.870.478 Euro
FORTH ICS Budget: 198.346 Euro
Related URL: http://coras.sourceforge.net
Partners: Telenor Communications AS R&D (Norway), Intracom S.A. (Greece), Institute for Energy Technology (Norway), Norwegian Computing Center (Norway), SINTEF (Norway), Norwegian Centre of Telemedicine (Norway), Rutherford Appleton Labs (United Kingdom), Queen Mary and Westfield College (United Kingdom), Computer Technology Institute (Greece) and Solinet GmbH (Germany)
A major challenge for users and vendors of information and communication technology in Europe and worldwide is to implement security in a way that meets business needs cost-effectively, both in the short term and as enterprise needs expand. To meet this challenge, we need to improve the existing methods of identifying and analysing possible threats, and of specifying, designing and implementing security policies. CORAS aims to develop a framework for precise, unambiguous, and efficient risk analysis of security-critical systems. This framework will be built upon a selective integration of risk analysis techniques and semi-formal object-oriented modelling to support the formation, rigorous specification and endorsement of security policies. The framework will be obtained by adapting, refining, extending, and combining methods for risk analysis, semi-formal object-oriented modelling, and the computerized tools that support these methods. The integration of risk analysis and semi-formal modelling will receive special emphasis. In particular, for each analysis scenario considered:
- What are the relevant system properties?
- How should the relevant system properties be modelled using semi-formal methods?
- How do we make optimal use of the resulting semi-formal models during risk analysis?
- How do we represent the results from risk analysis (intermediate as well as final results)?
- What are the general rules for maintenance and reuse of such results?

The CORAS framework will be tested and assessed in two major trials, one within telemedicine and one within e-commerce.