Software Engineering Institute | Carnegie Mellon University

Digital Library

Audrey J. Dorofee
June 2016 - Special Report Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines

Topics: Pervasive Mobile Computing

Authors: Christopher J. Alberts, Audrey J. Dorofee, Carol Woody, PhD

This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element of the Wireless Emergency Alert pipeline.

March 2015 - Technical Note Defining a Maturity Scale for Governing Operational Resilience

Topics: Cyber Risk and Resilience Management

Authors: Katie C. Stewart, Julia H. Allen, Audrey J. Dorofee, Michelle A. Valdez, Lisa R. Young

Governing operational resilience requires the appropriate level of sponsorship, a commitment to strategic planning that includes resilience objectives, and proper oversight of operational resilience activities.

December 2014 - Technical Note Introduction to the Security Engineering Risk Analysis (SERA) Framework

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Carol Woody, Audrey J. Dorofee

This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

November 2014 - Conference Paper An Incident Management Ontology

Topics: Incident Management

Authors: Dave Mundie, Robin Ruefle, Audrey J. Dorofee, John McCloud, Samuel J. Perl, Matthew L. Collins

In this paper, the authors describe the shortcomings of the incident management meta-model and how an incident management ontology addresses those shortcomings.

May 2014 - Technical Note An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)

Topics: Incident Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee, Robin Ruefle, Mark Zajicek

The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.

May 2013 - White Paper A Systemic Approach for Assessing Software Supply-Chain Risk

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Audrey J. Dorofee, Carol Woody, Christopher J. Alberts, Rita C. Creel, Robert J. Ellison

In this paper, the authors highlight the approach being implemented by SEI researchers and provide a summary of the status of this work.

February 2012 - Technical Note Mission Risk Diagnostic (MRD) Method Description

Topics: Cybersecurity Engineering, Measurement and Analysis

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.

September 2011 - CERT Research Report Supply Chain Assurance Overview

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody

In this section of the research report, the authors attempt to integrate development and acquisition practices with risk-based evaluations and mitigations.

December 2010 - Technical Note Software Supply Chain Risk Management: From Products to Systems of Systems

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody

In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.

August 2010 - Technical Report Risk Management Framework

Topics: Acquisition Support, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.

October 2009 - Presentation Rethinking Risk Management Tutorial

Authors: Christopher J. Alberts, Audrey J. Dorofee

Presented at the NDIA Systems Engineering Conference 2009 by Audrey Dorofee and Christopher Alberts.

June 2009 - Webinar A Practical Approach for Managing Risk

Topics: Acquisition Support, Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this 2009 webinar, the authors provide an overview of the Mosaic approach, a suite of methods used to manage risk across the lifecycle and supply chain.

April 2009 - Presentation A Technical Overview of Risk and Opportunity Management

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors provide a technical overview of systemic risk and opportunity management for distributed environments.

April 2009 - Technical Report A Framework for Categorizing Key Drivers of Risk

Topics: Risk and Opportunity Management, Acquisition Support, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.

March 2009 - Presentation New Directions in Risk: A Success-Oriented Approach (2009)

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors describe the analysis of wireless network data, MAC layer information in netflow tools, and how the tools convert flow data.

July 2008 - Technical Note Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments

Topics: Acquisition Support, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino

In this 2008 document, the authors preview a core set of activities and outputs that define a MAAP assessment.

March 2008 - Presentation Using the Mission Diagnostic: Lessons Learned (2008)

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

Presented at SEPG 2008, March 17-20, 2008, Tampa, Florida.

March 2008 - Technical Note Lessons Learned Applying the Mission Diagnostic

Topics: Acquisition Support

Authors: Audrey J. Dorofee, Lisa Marino, Christopher J. Alberts

This technical note describes the adaptation of the Mission Diagnostic (MD) necessary for a customer and the lessons we learned from its use.

March 2008 - Technical Report Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success

Topics: Acquisition Support

Authors: Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino

This 2008 document describes the core set of activities and outputs that defines mission diagnostic protocol (MDP).

March 2008 - Technical Report Incident Management Mission Diagnostic Method, Version 1.0

Topics: Incident Management

Authors: Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek

This report is superseded by the Mission Risk Diagnostic for Incident Management Capabilities, CMU/SEI-2014-TN-004.

April 2007 - Technical Report Incident Management Capability Metrics Version 0.1

Topics: Incident Management

Authors: Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek

In this report, the authors present metrics to provide a baseline or benchmark of incident management practices.

March 2007 - Presentation Assuring Mission Success in Complex Settings

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors describe lessons learned from actual incidents of fraud, theft of sensitive information, and IT sabotage.

March 2007 - Technical Note Executive Overview of SEI MOSAIC: Managing for Success Using a Risk-Based Approach

Topics: Acquisition Support

Authors: Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino

This 2007 report provides an overview of the concepts and foundations of MOSAIC, a suite of advanced, risk-based analysis methods for assessing complex, distributed programs, processes, and information-technology systems.

October 2006 - Presentation Advanced Risk Analysis for High-Performing Organizations

Topics: Risk and Opportunity Management, Acquisition Support

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors describe Advanced Risk Analysis for High-Performing Organizations.

September 2005 - Technical Note Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments

Topics: Cybersecurity Engineering, Measurement and Analysis

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this 2005 report, the authors present concepts and theories underlying the Mission Assurance Analysis Protocol.

January 2005 - Handbook OCTAVE-S Implementation Guide, Version 1

Topics: Cyber Risk and Resilience Management

Authors: Cecilia Albert, Audrey J. Dorofee, James F. Stevens, Carol Woody

In this 2005 handbook, the authors provide detailed guidelines for conducting an OCTAVE-S evaluation.

October 2004 - Technical Report Defining Incident Management Processes for CSIRTs: A Work in Progress

Topics: Incident Management

Authors: Christopher J. Alberts, Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek

In this report, the authors present a prototype best practice model for performing incident management processes and functions.

January 2004 - Presentation Rethinking Risk Management (2004)

Authors: Christopher J. Alberts, Audrey J. Dorofee

This presentation explores if state-of-the-practice risk assessments accurately characterize the security risk confronting healthcare organizations. It also examines if risks are overlooked by state-of-the-practice risk assessments.

August 2003 - User's Guide Introduction to the OCTAVE Approach

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Audrey J. Dorofee, James F. Stevens, Carol Woody

In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.

July 2002 - Book Managing Information Security Risks: The OCTAVE Approach

Topics: Cyber Risk and Resilience Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.

December 2001 - Technical Report OCTAVE Criteria, Version 2.0

Topics: Cyber Risk and Resilience Management, Cybersecurity Engineering

Authors: Cecilia Albert, Audrey J. Dorofee

This 2001 report defines a general approach for evaluating and managing information security risks.

October 2001 - Technical Report OCTAVE Catalog of Practices, Version 2.0

Topics: Cyber Risk and Resilience Management

Authors: Cecilia Albert, Audrey J. Dorofee, Julia H. Allen

In this report, the authors describe OCTAVE practices, which enable organizations to identify risks and mitigate them.

June 2001 - User's Guide OCTAVE Method Implementation Guide Version 2.0 Volume 2: Preliminary Activities

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this list of preliminary activities, the authors describe activities you will complete to implement the OCTAVE method.

June 2001 - User's Guide OCTAVE Method Implementation Guide Version 2.0 Volume 1: Introduction

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this report, the authors describe everything you will need to understand and implement the OCTAVE method.

February 2001 - Article HIPAA and Information Security Risk: Implementing an Enterprise-Wide Risk Management Strategy

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this article, the authors describe an information security risk evaluation that enables risk assessment and mitigation consistent with HIPAA guidelines.

March 1996 - Technical Report A Collaboration in Implementing Team Risk Management

Authors: David P. Gluch, Audrey J. Dorofee, E. Hubbard, J. Travalent

This report presents results of a collaborative development effort to transition the Software Engineering Institute (SEI) team risk management process into practice.

January 1996 - Book Continuous Risk Management Guidebook

Topics: Risk and Opportunity Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee, Ron Higuera, Richard L. Murphy, Julie A. Walker, Ray C. Williams

This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.

July 1994 - Special Report Team Risk Management: A New Model for Customer-Supplier Relationships

Authors: Ron Higuera, Audrey J. Dorofee, Julie A. Walker, Ray C. Williams

This 1994 report presents the concepts of Team Risk Management by providing a description of the overall process that engages both the customer and supplier in a cooperative framework using explicit methods to manage project risks.

May 1994 - Special Report An Introduction to Team Risk Management (Version 1.0)

Authors: Ron Higuera, David P. Gluch, Audrey J. Dorofee, Richard L. Murphy, Julie A. Walker, Ray C. Williams

This 1994 report defines the organizational structure and operational activities for managing risks throughout all phases of the life-cycle of a software-dependent development program.