
How to create a Risk Model

Lidia edited this page Apr 20, 2015 · 16 revisions

Risk models are represented using a formal modelling language (RiskML) that allows us to (i) represent risks, their causes and possible effects, (ii) link measures and indicators to risk likelihood, severity and exposure, and (iii) link risk events to business goals to evaluate their impact.

#RiskML Language

The RISCOSS risk modelling language contains the main concepts of Indicator, Situation, Event and Goal. These concepts are characterised by properties, and are linked with each other through relationships. Risks, their assessment and mitigation possibilities, emerge from the interplay of concepts, relations and properties, and are the result of the different analysis types.

##RiskML Metamodel

The RiskML meta-model defines the modelling primitives of risk and the interplay between risk, goals and the ecosystem. Situations and events are the core of the meta-model. The evidence of being in a certain situation can be quantified (especially in an OSS context) by means of indicators, which were empirically evaluated or approved by experts and are based on measurements of available data. Situations represent the causes for risks to appear, while events represent the manifestation of a risk. Expose, increase, protect and reduce relations from situations (and events) to events quantify the likelihood for an event to occur and the significance of its consequences. Events impact the satisfaction of goals that actors desire to be achieved. This impact may be propagated to other goals, e.g. through i* contribution and decomposition relationships (see How to create a Goal Model).

##RiskML Primitives

| Construct | Definition |
|---|---|
| Event | An event is the occurrence, at a given place and time, of a change in circumstances for the concept of risk event in requirements engineering). |
| Indicator | An indicator is a representation of one (raw value) or more (composite value) measures of some entity |
| Situation | A situation is a partial state-of-affairs where some facts are true, others false, and some neither true nor false |

These constructs have the following attributes. The construct that each attribute belongs to is shown in bold.

| Attribute | Definition |
|---|---|
| Exposure | Probability and Criticality values are relevant to the extent that they help us understand which events are potentially dangerous, that is, are risky. We call this the Riskiness value |
| Likelihood | An event is likely if its occurrence is possible |
| Satisfaction | A situation is satisfied if there is evidence that the state of affairs it describes holds |
| Satisfiability | A goal is satisfiable if there is some evidence that it may be fulfilled in the future; if there is evidence that something may prevent the goal’s fulfilment, the goal is said to be threatened |
| Significance | An event is significant if its occurrence is perceived as negative with respect to some goals or assets |

The different constructs are connected by the following relationships. The constructs involved are shown in bold.

| Relationship | Definition | Constraint |
|---|---|---|
| Expose | An Expose relation indicates that the occurrence of the relation’s source(s) may cause the occurrence of the relation’s target | From a Situation to an Event. If the situation is satisfied, then the event is possible. From an event to an event. If the source event is possible, then the target event is possible |
| Protect | A Protect relation indicates that the occurrence of the relation’s source(s) may prevent the occurrence of the relation’s target | From a Situation to an Event. If the situation is satisfied, then the event is neutralized |
| Impact | An Impact relation indicates that if the relation’s sources are critical, their occurrence causes a negative impact on the relation’s target | From an Event to a Goal |
| Indicate | An Indicate relation indicates to what extent the value of a source Indicator makes the target Situation satisfied | From an Indicator to a Situation, through a transformation function (1) |
| Increase | An Increase relation indicates that the occurrence of the relation’s source(s) causes the occurrence of the relation’s target to be perceived as critical | From a Situation to an Event. If the situation is satisfied, then the event is dangerous |
| Reduce | A Reduce relation indicates that the occurrence of the relation’s source(s) causes the occurrence of the relation’s target to be perceived as not significant | From a Situation to an Event. If the situation is satisfied, then the event is inoffensive |

(1) Transformation Functions. An indicator depends on the underlying measure(s) through a certain function. A transformation function maps absolute numbers of measures onto indicator intervals [0..1]. Functions can be of different natures. Pure mathematical functions, such as 1-(1/(x+1)), depend only on the measurement; more sophisticated functions depend on other statistical parameters, such as the standard deviation of the measures. Transformation functions can be customized using embedded JavaScript code. The precise transformation function is embedded into the model files, and is called by the risk analysis engine when a risk analysis is executed on that model.
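
Because the transformation function is JavaScript carried inside the model file and called by the analysis engine, a model file is executable input. The following added example (not RISCOSS code) vets an expression against a token allowlist before compiling it and enforces the [0..1] output range; it assumes the function is a single expression over `x`, and the names `mean`, `sd`, `vetExpression` and `compileTransform` are hypothetical.

```javascript
// Added example, not RISCOSS code. Assumption: a transformation function is a
// JavaScript expression over x (the raw measure) plus the hypothetical names
// mean and sd for statistical variants.
const MATH_FNS = new Set(['abs', 'exp', 'log', 'max', 'min', 'pow', 'sqrt']);
// One token per match: number | Math.fn | variable | operator | division.
const TOKEN =
  /\s*(?:(\d+(?:\.\d+)?)\b|Math\.([a-z]+)\b|(x|mean|sd)\b|([-+*(),])|(\/))/y;

// Accept only arithmetic built from allowlisted tokens.
function vetExpression(expr) {
  if (typeof expr !== 'string') return false;
  const src = expr.trim();
  let operandBefore = false;
  TOKEN.lastIndex = 0;
  while (TOKEN.lastIndex < src.length) {
    const m = TOKEN.exec(src);
    if (!m) return false;                           // unknown token
    if (m[2] && !MATH_FNS.has(m[2])) return false;  // Math.* not allowlisted
    // "/" is division only after an operand; elsewhere it would open a
    // regex literal or a comment, so reject it.
    if (m[5] && !operandBefore) return false;
    operandBefore = Boolean(m[1] || m[3]) || m[4] === ')';
  }
  return src.length > 0;
}

// Compile a vetted expression; the wrapper returns null unless the result is
// a number inside the indicator interval [0, 1].
function compileTransform(expr) {
  if (!vetExpression(expr)) return null;
  let fn;
  try {
    fn = new Function('x', 'mean', 'sd', `"use strict"; return (${expr});`);
  } catch (e) {
    return null;                                    // allowed tokens, bad syntax
  }
  return (x, mean = 0, sd = 1) => {
    let y;
    try { y = fn(x, mean, sd); } catch (e) { return null; }
    return typeof y === 'number' && y >= 0 && y <= 1 ? y : null;
  };
}

const pure = compileTransform('1-(1/(x+1))');       // formula from the text
// Constructed statistical variant: logistic of the z-score.
const logistic = compileTransform('1/(1+Math.exp(-(x-mean)/sd))');
```

A `null` from `compileTransform` means the model should be rejected before analysis; a `null` from the compiled function means the measure fell outside the range the function was written for.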

#Risk Model persistency

RiskML models are stored in XML files. The DTD of the RiskML XML files is reported below.

```xml
<!-- Document structure -->
<!ELEMENT riscoss (model+)>
<!ELEMENT diagram (entities, relationships)>
<!ELEMENT entities ((indicator|situation|event|goal)*)>
<!ELEMENT relationships ((indicate|expose|protect|increase|reduce|impact)*)>
<!-- Relationships: source and target refer to entity ids -->
<!ATTLIST indicate target IDREF #REQUIRED>
<!ATTLIST indicate source IDREF #REQUIRED>
<!ATTLIST indicate weight CDATA #IMPLIED>
<!ATTLIST indicate function CDATA "">
<!ATTLIST expose target IDREF #REQUIRED>
<!ATTLIST expose source IDREF #REQUIRED>
<!ATTLIST expose weight CDATA #IMPLIED>
<!ATTLIST expose function CDATA "">
<!ATTLIST protect target IDREF #REQUIRED>
<!ATTLIST protect source IDREF #REQUIRED>
<!ATTLIST protect weight CDATA #IMPLIED>
<!ATTLIST protect function CDATA "">
<!ATTLIST increase target IDREF #REQUIRED>
<!ATTLIST increase source IDREF #REQUIRED>
<!ATTLIST increase weight CDATA #IMPLIED>
<!ATTLIST increase function CDATA "">
<!ATTLIST reduce target IDREF #REQUIRED>
<!ATTLIST reduce source IDREF #REQUIRED>
<!ATTLIST reduce weight CDATA #IMPLIED>
<!ATTLIST reduce function CDATA "">
<!ATTLIST impact target IDREF #REQUIRED>
<!ATTLIST impact source IDREF #REQUIRED>
<!ATTLIST impact weight CDATA #IMPLIED>
<!ATTLIST impact function CDATA "">
<!-- Entities -->
<!ELEMENT indicator (property*)>
<!ELEMENT situation (property*)>
<!ELEMENT event (property*)>
<!ELEMENT goal (property*)>
<!ATTLIST indicator id ID #REQUIRED>
<!ATTLIST indicator input CDATA "false">
<!ATTLIST indicator label CDATA "">
<!ATTLIST indicator question CDATA "">
<!ATTLIST indicator datatype CDATA "real">
<!ATTLIST indicate min CDATA #IMPLIED>
<!ATTLIST indicate max CDATA #IMPLIED>
<!ATTLIST situation id ID #REQUIRED>
<!ATTLIST event label CDATA "">
<!ATTLIST event id ID #REQUIRED>
<!ATTLIST event label CDATA "">
<!ATTLIST event output CDATA "true">
<!-- Properties: name is assumed #REQUIRED, matching the value attribute -->
<!ATTLIST property name (input|label|question|datatype|output|min|max) #REQUIRED>
<!ATTLIST property value CDATA #REQUIRED>
```

The file riskml-schema.txt in the docs folder contains the XML schema for the RiskML language.
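
The DTD types `source` and `target` as IDREF, so a validating parser only checks that each one refers to some declared `id`; it cannot enforce the source and target kinds listed in the Constraint column of the relationship table. The following added example (not RISCOSS code) checks those constraints over a constructed fragment; `scanTags` and `checkModel` are hypothetical names.

```javascript
// Added example, not RISCOSS code. Allowed source>target kinds per relation,
// taken from the Constraint column of the relationship table.
const ALLOWED = new Map(Object.entries({
  indicate: ['indicator>situation'],
  expose: ['situation>event', 'event>event'],
  protect: ['situation>event'],
  increase: ['situation>event'],
  reduce: ['situation>event'],
  impact: ['event>goal'],
}));
const ENTITY_KINDS = new Set(['indicator', 'situation', 'event', 'goal']);
// Minimal scanner for flat, attribute-only tags; not a general XML parser.
function scanTags(xml) {
  const tags = [];
  for (const m of xml.matchAll(/<([a-z]+)((?:\s+[a-z]+="[^"]*")*)\s*\/?>/g)) {
    const attrs = new Map();
    for (const a of m[2].matchAll(/([a-z]+)="([^"]*)"/g)) attrs.set(a[1], a[2]);
    tags.push({ name: m[1], attrs });
  }
  return tags;
}
// Returns a list of violations; an empty list means the model passes.
function checkModel(xml) {
  const tags = scanTags(xml);
  const kindOf = new Map(); // entity id -> entity kind
  const errors = [];
  for (const { name, attrs } of tags) {
    if (!ENTITY_KINDS.has(name)) continue;
    const id = attrs.get('id');
    if (!id || kindOf.has(id)) errors.push(`${name}: missing or duplicate id`);
    else kindOf.set(id, name);
  }
  for (const { name, attrs } of tags) {
    if (!ALLOWED.has(name)) continue;
    const [s, t] = [attrs.get('source'), attrs.get('target')];
    if (!kindOf.has(s) || !kindOf.has(t)) errors.push(`${name} ${s}->${t}: unresolved id`);
    else if (!ALLOWED.get(name).includes(`${kindOf.get(s)}>${kindOf.get(t)}`))
      errors.push(`${name} ${s}->${t}: ${kindOf.get(s)} to ${kindOf.get(t)} not allowed`);
  }
  return errors;
}

// Constructed sample: the last three relationships break the constraints.
const SAMPLE = `<entities><indicator id="i1"/><situation id="s1"/>
  <event id="e1"/><goal id="g1"/></entities>
<relationships><indicate source="i1" target="s1"/>
  <expose source="s1" target="e1"/><impact source="s1" target="g1"/>
  <protect source="e1" target="e1"/><reduce source="s9" target="e1"/>
</relationships>`;
```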
