Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

Collection - Related Assets

Cybersecurity Engineering Research: Security Engineering Risk Analysis (SERA) Collection

  • This research develops methods for analyzing security-related design weaknesses that cannot be corrected easily during operations.
  • Publisher: Software Engineering Institute
  • During the acquisition and development of software-reliant systems, the normal focus is on meeting functional requirements; security is often deferred to later lifecycle activities. In fact, security features are usually addressed during system operation and sustainment, not engineered into systems. As a result, many software-reliant systems are deployed with significant residual security risk, putting operations in jeopardy.

    The Security Engineering Risk Analysis (SERA) method is an approach for identifying and analyzing the impact of design weaknesses early in the lifecycle. Early detection and remediation of design weaknesses helps to reduce residual security risk when a system is deployed. Using SERA, acquisition and development organizations can move beyond compliance to consider cybersecurity risks from a mission/operational perspective and identify a more complete set of security requirements.

  • Security Engineering Risk Analysis (SERA) November 2015 Author(s): This brochure describes Security Engineering Risk Analysis (SERA), its purpose and benefits.
  • Introduction to the Security Engineering Risk Analysis (SERA) Framework December 2014 Author(s): Christopher J. Alberts, Carol Woody, Audrey J. Dorofee This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
  • Best Practices for Trust in the Wireless Emergency Alerts Service April 2014 Author(s): Robert Ellison, Carol Woody, Suzanne Miller In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that they receive.
  • Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators March 2014 Author(s): The WEA Project Team In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.
  • Maximizing Trust in the Wireless Emergency Alerts (WEA) Service February 2014 Author(s): Carol Woody, Robert J. Ellison This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert originators' and the public's trust in WEA.
  • Combining Security and Privacy in Requirements Engineering December 2011 Author(s): Saeed Abu-Nimeh (Damballa), Nancy R. Mead In this book chapter, the authors present SQUARE, a security requirements approach, privacy requirement elicitation, and security risk assessment techniques.
  • Risk Management Framework August 2010 Author(s): Christopher J. Alberts, Audrey J. Dorofee In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.
  • A Framework for Categorizing Key Drivers of Risk April 2009 Author(s): Christopher J. Alberts, Audrey J. Dorofee This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.
  • Software Security Engineering: A Guide for Project Managers (book) March 2008 Author(s): Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.
  • Managing Information Security Risks: The OCTAVE Approach July 2002 Author(s): Christopher J. Alberts, Audrey J. Dorofee In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.
  • OCTAVE Criteria, Version 2.0 December 2001 Author(s): Christopher J. Alberts, Audrey J. Dorofee This 2001 report defines a general approach for evaluating and managing information security risks.
  • Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0 September 1999 Author(s): Christopher J. Alberts, Sandra Behrens, Richard D. Pethia, William R. Wilson The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.
  • Continuous Risk Management Guidebook January 1996 Author(s): Christopher J. Alberts, Audrey J. Dorofee, Ron Higuera, Richard L. Murphy, Julie A. Walker, Ray C. Williams This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.