Cybersecurity Engineering Research: Security Engineering Risk Analysis (SERA) Collection

This research develops methods for analyzing security-related design weaknesses that cannot be corrected easily during operations.


Software Engineering Institute

During the acquisition and development of software-reliant systems, the normal focus is on meeting functional requirements; security is often deferred to later lifecycle activities. In fact, security features are usually addressed during system operation and sustainment, not engineered into systems. As a result, many software-reliant systems are deployed with significant residual security risk, putting operations in jeopardy.

The Security Engineering Risk Analysis (SERA) method is an approach for identifying and analyzing the impact of design weaknesses early in the lifecycle. Early detection and remediation of design weaknesses help to reduce residual security risk when a system is deployed. Using SERA, acquisition and development organizations can move beyond compliance to consider cybersecurity risks from a mission/operational perspective and identify a more complete set of security requirements.

Security Engineering Risk Analysis (SERA)

November 2015

This brochure describes Security Engineering Risk Analysis (SERA), its purpose and benefits.

Introduction to the Security Engineering Risk Analysis (SERA) Framework

December 2014

This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

Best Practices for Trust in the Wireless Emergency Alerts Service

April 2014

In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that they receive.

Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators

March 2014

In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.

Maximizing Trust in the Wireless Emergency Alerts (WEA) Service

February 2014

This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert originators' and the public's trust in WEA.

Combining Security and Privacy in Requirements Engineering

December 2011

In this book chapter, the authors present SQUARE, a security requirements approach, privacy requirement elicitation, and security risk assessment techniques.

Risk Management Framework

August 2010

In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.

A Framework for Categorizing Key Drivers of Risk

April 2009

This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.

Software Security Engineering: A Guide for Project Managers (book)

March 2008

In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.

Managing Information Security Risks: The OCTAVE Approach

July 2002

In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.

OCTAVE Criteria, Version 2.0

December 2001

This 2001 report defines a general approach for evaluating and managing information security risks.

Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0

September 1999

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.

Continuous Risk Management Guidebook

January 1996

This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.