Cybersecurity Engineering Research: Security Engineering Risk Analysis (SERA) Collection
This research develops methods for analyzing security-related design weaknesses that cannot be corrected easily during operations.
Software Engineering Institute
During the acquisition and development of software-reliant systems, the normal focus is on meeting functional requirements; security is often deferred to later lifecycle activities. In fact, security features are usually addressed during system operation and sustainment, not engineered into systems. As a result, many software-reliant systems are deployed with significant residual security risk, putting operations in jeopardy.
The Security Engineering Risk Analysis (SERA) method is an approach for identifying and analyzing the impact of design weaknesses early in the lifecycle. Early detection and remediation of design weaknesses help to reduce residual security risk when a system is deployed. Using SERA, acquisition and development organizations can move beyond compliance to consider cybersecurity risks from a mission/operational perspective and identify a more complete set of security requirements.
This brochure describes Security Engineering Risk Analysis (SERA) and its purpose and benefits.
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that they receive.
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.
This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert originators' and the public's trust in WEA.
In this book chapter, the authors present SQUARE, a security requirements approach, privacy requirement elicitation, and security risk assessment techniques.
In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.
This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.
In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.
In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.
This 2001 report defines a general approach for evaluating and managing information security risks.
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.
This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.