Christopher J. Alberts
Software Engineering Institute
Christopher Alberts is a Principal Engineer/Senior Cybersecurity Analyst in the CERT® Division at the Software Engineering Institute.
Alberts leads applied research projects in software assurance and cybersecurity. He is currently leading two projects: Security Engineering Risk Analysis (SERA) and Software Assurance Framework (SAF). The SERA Method defines a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems across the lifecycle and supply chain. The SAF is a compilation of software assurance practices that an organization can use to assess its current capability for acquiring and engineering secure software-reliant systems and chart a course for improvement.
Prior to his current projects, Alberts developed the OCTAVE® approach for evaluating information security risks and the Continuous Risk Management method for managing software development project risks. His research interests include risk analysis, measurement, and assessment.
Alberts has co-authored two books, Managing Information Security Risks: The OCTAVE Approach (Addison-Wesley 2002) and the Continuous Risk Management Guidebook (Software Engineering Institute 1996). He has also published more than 50 technical reports and articles.
Prior to the SEI, Alberts worked at Carnegie Mellon Research Institute and AT&T Bell Laboratories.
Alberts holds a BS and Master’s in Mechanical Engineering from Carnegie Mellon University.
Publications by Christopher J. Alberts
A Method for Assessing Cloud Adoption Risks
November 17, 2022 • Podcast
Christopher J. Alberts
Chris Alberts discusses with Suzanne Miller a prototype set of cloud adoption risk factors and describes a method that managers can employ to assess their cloud initiatives against these risk factors.
Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk
November 11, 2022 • Technical Note
Christopher J. Alberts; Michael S. Bandor; Charles M. Wallen
This report provides an overview of the Acquisition Security Framework (ASF), a description of the practices developed thus far, and a plan for completing the ASF body of work.
Acquisition Security Framework (ASF): An Acquisition and Supplier Perspective on Managing Software-Intensive Systems’ Cybersecurity Risk
October 04, 2022 • White Paper
Christopher J. Alberts; Michael S. Bandor; Charles M. Wallen
The Acquisition Security Framework (ASF) contains practices that support programs acquiring/building a secure, resilient software-reliant system to manage risks.
A Prototype Set of Cloud Adoption Risk Factors
October 27, 2021 • White Paper
Christopher J. Alberts
Alberts discusses the results of a study to identify a prototype set of risk factors for adopting cloud technologies.
Security Engineering Risk Analysis (SERA) Threat Archetypes
December 16, 2020 • White Paper
Christopher J. Alberts; Carol Woody, PhD
This report examines the concept of threat archetypes and how analysts can use them during scenario development.
Cloud Increases the Role of Acquisition in Cybersecurity
April 06, 2020 • Article
Carol Woody, PhD; Christopher J. Alberts; John Klein
This article describes how an organization might address cybersecurity when it adopts cloud technology to replace physical data centers, and monitoring and testing can no longer be performed directly on the equipment the system uses.
Operational Test & Evaluation (OT&E) Roadmap for Cloud-Based Systems
September 02, 2019 • White Paper
Carol Woody, PhD; Christopher J. Alberts; John Klein
This paper provides an overview of the preparation and work that the AEC needs to perform to successfully transition the Army to cloud computing.
Integrating Threat Modeling with the SERA Method
May 08, 2019 • Video
Christopher J. Alberts
Chris Alberts discusses the Security Engineering Risk Analysis (SERA) Method and the SEI's work to integrate threat modeling into its scope.
An Approach for Integrating the Security Engineering Risk Analysis (SERA) Method with Threat Modeling
February 06, 2019 • White Paper
Christopher J. Alberts; Carol Woody, PhD
This report examines how cybersecurity data generated by a threat modeling method can be integrated into a mission assurance context using the SERA Method.
Incident Management Capability Assessment
December 19, 2018 • Technical Report
Audrey J. Dorofee; Robin Ruefle; Mark Zajicek
The capabilities presented in this report provide a benchmark of incident management practices.
SEI Cyber Minute: Security Engineering Risk Analysis
July 06, 2018 • Video
Christopher J. Alberts
Chris Alberts introduces the Security Engineering Risk Analysis (SERA) method, which can help your organization control the most significant cybersecurity risks it faces.
The CERT Software Assurance Framework
August 31, 2017 • Podcast
Carol Woody, PhD; Christopher J. Alberts
In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework, a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
Assessing DoD System Acquisition Supply Chain Risk Management
May 01, 2017 • Article
Christopher J. Alberts; John Haller; Charles M. Wallen
In this Crosstalk article, the authors discuss the growing challenge of cyber risks in the defense supply chain.
Prototype Software Assurance Framework (SAF): Introduction and Overview
April 06, 2017 • Technical Note
Christopher J. Alberts; Carol Woody, PhD
In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.
Security Measurement: Establishing Confidence that Security Is Sufficient
March 23, 2017 • Presentation
Carol Woody, PhD; Christopher J. Alberts
The SEI is researching how measurement can be used to establish confidence in software security. This presentation shares our progress to date.
Security Requirements Engineering
July 07, 2016 • Webinar
Christopher J. Alberts
Learn the importance of developing security requirements in the same time frame as functional requirements.
Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines
June 09, 2016 • Special Report
Christopher J. Alberts; Audrey J. Dorofee; Carol Woody, PhD
This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element of the Wireless Emergency Alert pipeline.
Designing Security Into Software-Reliant Systems
June 25, 2015 • Podcast
Christopher J. Alberts
In this podcast, CERT researcher Christopher Alberts introduces the SERA Framework, a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
Introduction to the Security Engineering Risk Analysis (SERA) Framework
December 04, 2014 • Technical Note
Christopher J. Alberts; Carol Woody; Audrey J. Dorofee
This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.
A Systematic Approach for Assessing Workforce Readiness
August 18, 2014 • Technical Report
Christopher J. Alberts; David McIntire
In this report, the authors present the Competency Lifecycle Roadmap and the readiness test development method, both used to maintain workforce readiness.
Security and Wireless Emergency Alerts
June 26, 2014 • Podcast
Christopher Alberts; Carol Woody; Suzanne Miller
In this podcast, Carol Woody and Christopher Alberts discuss guidelines that they developed to ensure that the WEA service remains robust and resilient against cyber attacks.
An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)
May 30, 2014 • Technical Note
Christopher J. Alberts; Audrey J. Dorofee; Robin Ruefle
The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.
Best Practices in Wireless Emergency Alerts
February 19, 2014 • Special Report
John McGregor; Joseph P. Elm; Elizabeth Trocki Stark (SRA International, Inc.)
This report presents four best practices for the Wireless Emergency Alerts (WEA) service, including implementing WEA in a local jurisdiction, training emergency staff in using WEA, cross-jurisdictional governance of WEA, and cybersecurity risk management.
A Systemic Approach for Assessing Software Supply-Chain Risk
May 14, 2013 • White Paper
Audrey J. Dorofee; Carol Woody; Christopher J. Alberts
In this paper, the authors highlight the approach being implemented by SEI researchers for assessing and managing software supply-chain risks and provide a summary of the status of this work.
Competency Lifecycle Roadmap: Toward Performance Readiness
September 01, 2012 • Technical Note
Sandra Behrens; Christopher J. Alberts; Robin Ruefle
In this report, the authors describe the Competency Lifecycle Roadmap (CLR), a preliminary roadmap for understanding and building workforce readiness.
The Evolution of a Science Project: A Preliminary System Dynamics Model of a Recurring Software-Reliant Acquisition Behavior
July 01, 2012 • Technical Report
William E. Novak; Andrew P. Moore; Christopher J. Alberts
This report uses a preliminary system dynamics model to analyze a specific adverse acquisition dynamic concerning the poorly controlled evolution of small prototype efforts into full-scale systems.
Deriving Software Security Measures from Information Security Standards of Practice
February 16, 2012 • White Paper
Christopher J. Alberts; Julia H. Allen; Robert W. Stoddard
In this paper, the authors describe an approach for deriving measures of software security from common standard practices for information security.
Risk-Based Measurement and Analysis: Application to Software Security
February 01, 2012 • Technical Note
Christopher J. Alberts; Julia H. Allen; Robert W. Stoddard
In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.
Mission Risk Diagnostic (MRD) Method Description
February 01, 2012 • Technical Note
Christopher J. Alberts; Audrey J. Dorofee
In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.
Supply Chain Assurance Overview
September 01, 2011 • CERT Research Report
Robert J. Ellison; Christopher J. Alberts; Rita C. Creel
In this section of the research report, the authors attempt to integrate development and acquisition practices with risk-based evaluations and mitigations.
Security Measurement and Analysis
January 01, 2011 • Presentation
Christopher J. Alberts; Julia H. Allen; Robert W. Stoddard
In this presentation, the authors describe work being performed by the SEI in the area of security measurement and analysis.
Software Supply Chain Risk Management: From Products to Systems of Systems
December 01, 2010 • Technical Note
Robert J. Ellison; Christopher J. Alberts; Rita C. Creel
In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.
Integrated Measurement and Analysis Framework for Software Security
September 01, 2010 • Technical Note
Christopher J. Alberts; Julia H. Allen; Robert W. Stoddard
In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).
Risk Management Framework
August 01, 2010 • Technical Report
Christopher J. Alberts; Audrey J. Dorofee
In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.
A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project
August 01, 2010 • Technical Report
Lisa Brownsword; Carol Woody; Christopher J. Alberts
In this report, the authors describe the SEI Assurance Modeling Framework, piloting to prove its value, and insights gained from that piloting.
Cyber Assurance
March 01, 2010 • White Paper
Christopher J. Alberts; Robert J. Ellison; Carol Woody
This paper, extracted from the 2009 CERT Research Report, describes planned research tasks in the field of cyber assurance.
Rethinking Risk Management Tutorial
October 26, 2009 • Presentation
Christopher J. Alberts; Audrey J. Dorofee
Presented at the NDIA Systems Engineering Conference 2009 by Audrey Dorofee and Christopher Alberts.
Rethinking Risk Management
July 07, 2009 • Podcast
Christopher J. Alberts; Julia H. Allen
In this podcast, Christopher Alberts urges business leaders to adopt new approaches to addressing risks across the life cycle and supply chain.
A Technical Overview of Risk and Opportunity Management
April 24, 2009 • Presentation
Christopher J. Alberts; Audrey J. Dorofee
In this presentation, the authors provide a technical overview of systemic risk and opportunity management for distributed environments.
A Framework for Categorizing Key Drivers of Risk
April 01, 2009 • Technical Report
Christopher J. Alberts; Audrey J. Dorofee
This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.
New Directions in Risk: A Success-Oriented Approach (2009)
March 23, 2009 • Presentation
Christopher J. Alberts; Audrey J. Dorofee
In this presentation, the authors describe the analysis of wireless network data, MAC layer information in netflow tools, and how the tools convert flow data.
Multi-View Decision Making (MVDM) Workshop
February 01, 2009 • Special Report
Christopher J. Alberts; James Smith; Carol Woody
In this report, the authors describe the value of multi-view decision making, a set of practices that reflect the realities of complex development efforts.
Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments
July 01, 2008 • Technical Note
Christopher J. Alberts; Audrey J. Dorofee; Lisa Marino
In this 2008 document, the authors preview a core set of activities and outputs that define a MAAP assessment.
Using the Mission Diagnostic: Lessons Learned (2008)
March 17, 2008 • Presentation
Christopher J. Alberts; Audrey J. Dorofee
Presented at SEPG 2008, March 17-20, 2008, Tampa, Florida.
Lessons Learned Applying the Mission Diagnostic
March 01, 2008 • Technical Note
Audrey J. Dorofee; Lisa Marino; Christopher J. Alberts
This technical note describes the adaptation of the Mission Diagnostic (MD) necessary for a customer and the lessons we learned from its use.
Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success
March 01, 2008 • Technical Report
Christopher J. Alberts; Audrey J. Dorofee; Lisa Marino
This 2008 document describes the core set of activities and outputs that define the Mission Diagnostic Protocol (MDP).
Results of SEI Independent Research and Development Projects (FY 2006)
July 01, 2007 • Technical Report
Christopher J. Alberts; Eileen C. Forrester; Suzanne Garcia-Miller
This report describes the IRAD projects that were conducted during fiscal year 2006 (October 2005 through September 2006).
Assuring Mission Success in Complex Settings
March 15, 2007 • Presentation
Christopher J. Alberts; Audrey J. Dorofee
In this presentation, the authors describe lessons learned from actual incidents of fraud, theft of sensitive information, and IT sabotage.
Executive Overview of SEI MOSAIC: Managing for Success Using a Risk-Based Approach
March 01, 2007 • Technical Note
Christopher J. Alberts; Audrey J. Dorofee; Lisa Marino
This 2007 report provides an overview of the concepts and foundations of MOSAIC, a suite of advanced, risk-based analysis methods for assessing complex, distributed programs, processes, and information-technology systems.
Assuring Mission Success in Complex Environments
February 06, 2007 • Podcast
Christopher J. Alberts; Julia H. Allen
In this podcast, participants discuss analysis tools for assessing complex organizational and technological issues that are beyond traditional approaches.
Considering Operational Security Risk During System Development
January 03, 2007 • Article
Carol Woody; Christopher J. Alberts
In this article, the authors examine OCTAVE, an operational security-risk methodology, and apply it to security-related risks during system development.
Advanced Risk Analysis for High-Performing Organizations
October 26, 2006 • Presentation
Christopher J. Alberts; Audrey J. Dorofee
In this presentation, the authors describe Advanced Risk Analysis for High-Performing Organizations.
Common Elements of Risk
April 01, 2006 • Technical Note
Christopher J. Alberts
This technical note begins to define a foundation for effective risk management by identifying the basic elements of risk and exploring how these elements can affect the potential for mission success.
Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments
September 01, 2005 • Technical Note
Christopher J. Alberts; Audrey J. Dorofee
In this 2005 report, the authors present concepts and theories underlying the Mission Assurance Analysis Protocol.
OCTAVE-S Implementation Guide, Version 1
January 01, 2005 • Handbook
Christopher J. Alberts; Audrey J. Dorofee; James F. Stevens
In this 2005 handbook, the authors provide detailed guidelines for conducting an OCTAVE-S evaluation.
Defining Incident Management Processes for CSIRTs: A Work in Progress
October 01, 2004 • Technical Report
Christopher J. Alberts; Audrey J. Dorofee; Georgia Killcrece
In this report, the authors present a prototype best practice model for performing incident management processes and functions.
Rethinking Risk Management (2004)
January 01, 2004 • Presentation
Christopher J. Alberts; Audrey J. Dorofee
This presentation explores whether state-of-the-practice risk assessments accurately characterize the security risk confronting healthcare organizations. It also examines whether risks are overlooked by state-of-the-practice risk assessments.
Introduction to the OCTAVE Approach
August 01, 2003 • User's Guide
Christopher J. Alberts; Audrey J. Dorofee; James F. Stevens
In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.
Managing Information Security Risks: The OCTAVE Approach
July 09, 2002 • Book
Christopher J. Alberts; Audrey J. Dorofee
In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.
OCTAVE Criteria, Version 2.0
December 01, 2001 • Technical Report
Christopher J. Alberts; Audrey J. Dorofee
This 2001 report defines a general approach for evaluating and managing information security risks.
OCTAVE Catalog of Practices, Version 2.0
October 01, 2001 • Technical Report
Christopher J. Alberts; Audrey J. Dorofee; Julia H. Allen
In this report, the authors describe OCTAVE practices, which enable organizations to identify risks and mitigate them.
OCTAVE Method Implementation Guide Version 2.0 Volume 2: Preliminary Activities
June 01, 2001 • User's Guide
Christopher J. Alberts; Audrey J. Dorofee
In this list of preliminary activities, the authors describe activities you will complete to implement the OCTAVE method.
OCTAVE Method Implementation Guide Version 2.0 Volume 1: Introduction
June 01, 2001 • User's Guide
Christopher J. Alberts; Audrey J. Dorofee
In this report, the authors describe everything you will need to understand and implement the OCTAVE method.
HIPAA and Information Security Risk: Implementing an Enterprise-Wide Risk Management Strategy
February 17, 2001 • Article
Christopher J. Alberts; Audrey J. Dorofee
In this article, the authors describe an information security risk evaluation that enables risk assessment and mitigation consistent with HIPAA guidelines.
Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0
September 01, 1999 • Technical Report
Christopher J. Alberts; Sandra Behrens; Richard D. Pethia
The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.
Securing Desktop Workstations
February 01, 1999 • Security Improvement Module
Derek Simmel; Gary Ford; Julia H. Allen
The practices recommended in this 1999 report are designed to help you configure and deploy networked workstations that satisfy your organization's security requirements. The practices may also be useful in examining the configuration of previously deployed workstations.
Responding to Intrusions
February 01, 1999 • Security Improvement Module
Klaus-Peter Kossakowski; Suresh Konda; William R. Wilson
This 1999 report is one of a series of SEI publications that are intended to provide practical guidance to help organizations improve the security of their networked computer systems. This report is intended for system and network administrators, managers of information systems, and security personnel responsible for networked information resources.
Securing Network Servers (1999)
February 01, 1999 • Security Improvement Module
Gary Ford; Derek Simmel; Dwayne Vermeulen
The practices recommended in this 1999 report are designed to help administrators configure and deploy network servers that satisfy organizational security requirements.
Preparing to Detect Signs of Intrusion
June 01, 1998 • Security Improvement Module
John Kochmar; Julia H. Allen; Christopher J. Alberts
The practices contained in this 1998 report identify advance preparations you must make to enable you to obtain evidence of an intrusion or an intrusion attempt.
Software Acquisition Risk Management Key Process Area (KPA) Guidebook Version 1.0
August 01, 1997 • Handbook
Brian P. Gallagher; Christopher J. Alberts; Rick Barbour
This 1997 guidebook provides guidelines for implementing a software acquisition risk management program that satisfies the goals of the ARM KPA of the SA-CMM.
Continuous Risk Management Guidebook
January 01, 1996 • Book
Christopher J. Alberts; Audrey J. Dorofee; Ron Higuera
This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.