Cybersecurity Engineering Research: Security Engineering Risk Analysis (SERA) Collection
This research develops methods for analyzing security-related design weaknesses that cannot be corrected easily during operations.
Publisher:
Software Engineering Institute
Abstract
During the acquisition and development of software-reliant systems, the normal focus is on meeting functional requirements; security is often deferred to later lifecycle activities. In fact, security features are usually addressed during system operation and sustainment, not engineered into systems. As a result, many software-reliant systems are deployed with significant residual security risk, putting operations in jeopardy.
The Security Engineering Risk Analysis (SERA) method is an approach for identifying and analyzing the impact of design weaknesses early in the lifecycle. Early detection and remediation of design weaknesses helps to reduce residual security risk when a system is deployed. Using SERA, acquisition and development organizations can move beyond compliance to consider cybersecurity risks from a mission/operational perspective and identify a more complete set of security requirements.
Collection Contents
-
Security Engineering Risk Analysis (SERA)
November 20, 2015 • Brochure
This brochure describes Security Engineering Risk Analysis (SERA), its purpose and benefits.
-
Introduction to the Security Engineering Risk Analysis (SERA) Framework
December 4, 2014 • Technical Note
By Christopher J. Alberts, Carol Woody, Audrey J. Dorofee
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
-
Best Practices for Trust in the Wireless Emergency Alerts Service
April 29, 2014 • Podcast
By Robert Ellison, Carol Woody, Suzanne Miller
In this podcast, CERT researchers Robert Ellison and Carol Woody discuss research aimed at increasing alert originators' trust in the WEA service and the public's trust in the alerts that they receive.
-
Wireless Emergency Alerts (WEA) Cybersecurity Risk Management Strategy for Alert Originators
March 31, 2014 • Special Report
By The WEA Project Team
In this report, the authors describe a cybersecurity risk management (CSRM) strategy that alert originators can use throughout WEA adoption, operations, and sustainment, as well as a set of governance activities for developing a plan to execute the CSRM.
-
Maximizing Trust in the Wireless Emergency Alerts (WEA) Service
February 28, 2014 • Special Report
By Carol Woody, Robert J. Ellison
This 2014 report presents recommendations for stakeholders of the Wireless Emergency Alerts (WEA) service that resulted from the development of two trust models, focusing on how to increase both alert originators' and the public's trust in WEA.
-
Combining Security and Privacy in Requirements Engineering
December 31, 2011 • Book Chapter
By Saeed Abu-Nimeh (Damballa), Nancy R. Mead
In this book chapter, the authors present SQUARE, a security requirements approach, privacy requirement elicitation, and security risk assessment techniques.
-
Risk Management Framework
August 1, 2010 • Technical Report
By Christopher J. Alberts, Audrey J. Dorofee
In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.
-
A Framework for Categorizing Key Drivers of Risk
April 1, 2009 • Technical Report
By Christopher J. Alberts, Audrey J. Dorofee
This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.
-
Software Security Engineering: A Guide for Project Managers (book)
March 1, 2008 • Book
By Julia H. Allen, Sean Barnum, Robert J. Ellison, Gary McGraw, Nancy R. Mead
In this book, the authors provide sound practices likely to increase the security and dependability of your software during development and operation.
-
Managing Information Security Risks: The OCTAVE Approach
July 9, 2002 • Book
By Christopher J. Alberts, Audrey J. Dorofee
In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.
-
OCTAVE Criteria, Version 2.0
December 1, 2001 • Technical Report
By Christopher J. Alberts, Audrey J. Dorofee
This 2001 report defines a general approach for evaluating and managing information security risks.
-
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0
September 1, 1999 • Technical Report
By Christopher J. Alberts, Sandra Behrens, Richard D. Pethia, William R. Wilson
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.
-
Continuous Risk Management Guidebook
January 1, 1996 • Book
By Christopher J. Alberts, Audrey J. Dorofee, Ron Higuera, Richard L. Murphy, Julie A. Walker, Ray C. Williams
This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.