Cybersecurity Engineering Research: Security Engineering Risk Analysis (SERA) Collection
• Collection
Publisher
Software Engineering Institute
Abstract
During the acquisition and development of software-reliant systems, the normal focus is on meeting functional requirements; security is often deferred to later lifecycle activities. In fact, security features are usually addressed during system operation and sustainment, not engineered into systems. As a result, many software-reliant systems are deployed with significant residual security risk, putting operations in jeopardy.
The Security Engineering Risk Analysis (SERA) method is an approach for identifying and analyzing the impact of design weaknesses early in the lifecycle. Early detection and remediation of design weaknesses helps to reduce residual security risk when a system is deployed. Using SERA, acquisition and development organizations can move beyond compliance to consider cybersecurity risks from a mission/operational perspective and identify a more complete set of security requirements.
Collection Items
Security Engineering Risk Analysis (SERA)
• Brochure
By Software Engineering Institute
This brochure describes Security Engineering Risk Analysis (SERA), its purpose and benefits.
Learn More
Introduction to the Security Engineering Risk Analysis (SERA) Framework
• Technical Note
By Christopher J. Alberts, Carol Woody, Audrey J. Dorofee
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
Read
Best Practices for Trust in the Wireless Emergency Alerts Service
• Podcast
By Robert J. Ellison, Carol Woody, Suzanne Miller
In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that …
Listen
Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
• Special Report
By The WEA Project Team
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance …
Read
Maximizing Trust in the Wireless Emergency Alerts (WEA) Service
• Special Report
By Carol Woody, Robert J. Ellison
This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert …
Read
Combining Security and Privacy in Requirements Engineering
• Book Chapter
By Saeed Abu-Nimeh (Damballa), Nancy R. Mead
In this book chapter, the authors present SQUARE, a security requirements approach, privacy requirement elicitation, and security risk assessment techniques.
Read
Risk Management Framework
• Technical Report
By Christopher J. Alberts, Audrey J. Dorofee
In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to …
Read
A Framework for Categorizing Key Drivers of Risk
• Technical Report
By Christopher J. Alberts, Audrey J. Dorofee
This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.
Read
Software Security Engineering: A Guide for Project Managers (book)
• Book
By Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead
In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.
Read
Managing Information Security Risks: The OCTAVE Approach
• Book
By Christopher J. Alberts, Audrey J. Dorofee
In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.
Read
OCTAVE Criteria, Version 2.0
• Technical Report
By Christopher J. Alberts, Audrey J. Dorofee
This 2001 report defines a general approach for evaluating and managing information security risks.
Read
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0
• Technical Report
By Christopher J. Alberts, Sandra Behrens, Richard D. Pethia, William R. Wilson
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.
Read
Continuous Risk Management Guidebook
• Book
By Christopher J. Alberts, Audrey J. Dorofee, Ron Higuera, Richard L. Murphy, Julie A. Walker, Ray C. Williams
This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.
ReadPart of a Collection
Cybersecurity Engineering Research Collection