Software Engineering Institute | Carnegie Mellon University

Digital Library

Christopher J. Alberts
August 2017 - Podcast The CERT Software Assurance Framework

Authors: Carol Woody, PhD, Christopher J. Alberts

In this podcast, Carol Woody and Christopher Alberts introduce the prototype Software Assurance Framework, a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.

May 2017 - Article Assessing DoD System Acquisition Supply Chain Risk Management

Topics: Cybersecurity Engineering, Acquisition Support, Risk and Opportunity Management

Authors: John Haller, Charles M. Wallen, Carol Woody, PhD, Christopher J. Alberts

In this Crosstalk article, the authors discuss the growing challenge of cyber risks in the defense supply chain.

April 2017 - Technical Note Prototype Software Assurance Framework (SAF): Introduction and Overview

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Carol Woody, PhD

In this report, the authors discuss the Software Assurance Framework (SAF), a collection of cybersecurity practices that programs can apply across the acquisition lifecycle and supply chain.

March 2017 - Presentation Security Measurement: Establishing Confidence that Security Is Sufficient

Topics: Science of Cybersecurity

Authors: Carol Woody, PhD, Christopher J. Alberts

The SEI is researching how measurement can be used to establish confidence in software security. This presentation shares our progress to date.

July 2016 - Webinar Security Requirements Engineering

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts

Learn the importance of developing security requirements in the same time frame as functional requirements.

June 2016 - Special Report Wireless Emergency Alerts Commercial Mobile Service Provider (CMSP) Cybersecurity Guidelines

Topics: Pervasive Mobile Computing

Authors: Christopher J. Alberts, Audrey J. Dorofee, Carol Woody, PhD

This report provides members of the Commercial Mobile Service Provider (CMSP) community with practical guidance for better managing cybersecurity risk exposure, based on an SEI study of the CMSP element of the Wireless Emergency Alert pipeline.

June 2015 - Podcast Designing Security Into Software-Reliant Systems

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts

In this podcast, CERT researcher Christopher Alberts introduces the SERA Framework, a systematic approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

December 2014 - Technical Note Introduction to the Security Engineering Risk Analysis (SERA) Framework

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Carol Woody, Audrey J. Dorofee

This report introduces the SERA Framework, a model-based approach for analyzing complex security risks in software-reliant systems and systems of systems early in the lifecycle.

August 2014 - Technical Report A Systematic Approach for Assessing Workforce Readiness

Topics: Incident Management

Authors: Christopher J. Alberts, David McIntire

In this report, the authors present the Competency Lifecycle Roadmap and the readiness test development method, both used to maintain workforce readiness.

June 2014 - Podcast Security and Wireless Emergency Alerts

Topics: Cybersecurity Engineering

Authors: Christopher Alberts, Carol Woody, Suzanne Miller

In this podcast, Carol Woody and Christopher Alberts discuss guidelines that they developed to ensure that the WEA service remains robust and resilient against cyber attacks.

May 2014 - Technical Note An Introduction to the Mission Risk Diagnostic for Incident Management Capabilities (MRD-IMC)

Topics: Incident Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee, Robin Ruefle, Mark Zajicek

The Mission Risk Diagnostic for Incident Management Capabilities revises the Incident Management Mission Diagnostic Method with updated and expanded drivers.

February 2014 - Special Report Best Practices in Wireless Emergency Alerts

Topics: Cyber Risk and Resilience Management

Authors: John McGregor, Joseph P. Elm, Elizabeth Trocki Stark (SRA International, Inc.), Jennifer Lavan (SRA International, Inc.), Rita C. Creel, Christopher J. Alberts, Carol Woody, Robert J. Ellison, Tamara Marshall-Keim

This report presents four best practices for the Wireless Emergency Alerts (WEA) service, including implementing WEA in a local jurisdiction, training emergency staff in using WEA, cross-jurisdictional governance of WEA, and cybersecurity risk management.

June 2013 - Technical Note Isolating Patterns of Failure in Department of Defense Acquisition

Topics: Acquisition Support

Authors: Lisa Brownsword, Christopher J. Alberts, David J. Carney, Patrick R. Place, Charles (Bud) Hammons, John J. Hudak

This report documents an investigation into issues related to aligning acquisition strategies with business and mission goals.

May 2013 - White Paper A Systemic Approach for Assessing Software Supply-Chain Risk

Topics: Acquisition Support, Cybersecurity Engineering, Software Assurance

Authors: Audrey J. Dorofee, Carol Woody, Christopher J. Alberts, Rita C. Creel, Robert J. Ellison

In this paper, the authors highlight the approach being implemented by SEI researchers and provide a summary of the status of this work.

September 2012 - Technical Note Competency Lifecycle Roadmap: Toward Performance Readiness

Topics: Incident Management

Authors: Sandra Behrens, Christopher J. Alberts, Robin Ruefle

In this report, the authors describe the Competency Lifecycle Roadmap (CLR), a preliminary roadmap for understanding and building workforce readiness.

July 2012 - Technical Report The Evolution of a Science Project: A Preliminary System Dynamics Model of a Recurring Software-Reliant Acquisition Behavior

Topics: Acquisition Support

Authors: William E. Novak, Andrew P. Moore, Christopher J. Alberts

This report uses a preliminary system dynamics model to analyze a specific adverse acquisition dynamic concerning the poorly controlled evolution of small prototype efforts into full-scale systems.

February 2012 - White Paper Deriving Software Security Measures from Information Security Standards of Practice

Topics: Measurement and Analysis

Authors: Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard

In this paper, the authors describe an approach for deriving measures of software security from common standard practices for information security.

February 2012 - Technical Note Risk-Based Measurement and Analysis: Application to Software Security

Topics: Cybersecurity Engineering, Software Assurance, Measurement and Analysis

Authors: Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard

In this report, the authors present the concepts of a risk-based approach to software security measurement and analysis and describe the IMAF and MRD.

February 2012 - Technical Note Mission Risk Diagnostic (MRD) Method Description

Topics: Cybersecurity Engineering, Measurement and Analysis

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this report, the authors describe the Mission Risk Diagnostic (MRD) method, which is used to assess risk in systems across the lifecycle and supply chain.

September 2011 - CERT Research Report Supply Chain Assurance Overview

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody

In this section of the research report, the authors attempt to integrate development and acquisition practices with risk-based evaluations and mitigations.

January 2011 - Presentation Security Measurement and Analysis

Topics: Measurement and Analysis

Authors: Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard

In this presentation, the authors describe work being performed by the SEI in the area of security measurement and analysis.

December 2010 - Technical Note Software Supply Chain Risk Management: From Products to Systems of Systems

Topics: Cybersecurity Engineering

Authors: Robert J. Ellison, Christopher J. Alberts, Rita C. Creel, Audrey J. Dorofee, Carol Woody

In this report, the authors consider current practices in software supply chain analysis and suggest some foundational practices.

September 2010 - Technical Note Integrated Measurement and Analysis Framework for Software Security

Topics: Measurement and Analysis

Authors: Christopher J. Alberts, Julia H. Allen, Robert W. Stoddard

In this report, the authors address how to measure software security in complex environments using the Integrated Measurement and Analysis Framework (IMAF).

August 2010 - Technical Report Risk Management Framework

Topics: Acquisition Support, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this report, the authors specify (1) a framework that documents best practice for risk management and (2) an approach for evaluating a program's risk management practice in relation to the framework.

August 2010 - Technical Report A Framework for Modeling the Software Assurance Ecosystem: Insights from the Software Assurance Landscape Project

Topics: Software Assurance, Cybersecurity Engineering

Authors: Lisa Brownsword, Carol Woody, Christopher J. Alberts, Andrew P. Moore

In this report, the authors describe the SEI Assurance Modeling Framework, piloting to prove its value, and insights gained from that piloting.

March 2010 - White Paper Cyber Assurance

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Robert J. Ellison, Carol Woody

This paper, extracted from the 2009 CERT Research Report, describes planned research tasks in the field of cyber assurance.

October 2009 - Presentation Rethinking Risk Management Tutorial

Authors: Christopher J. Alberts, Audrey J. Dorofee

Presented at the NDIA Systems Engineering Conference 2009 by Audrey Dorofee and Christopher Alberts.

July 2009 - Podcast Rethinking Risk Management

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Julia H. Allen

In this podcast, Christopher Alberts urges business leaders to adopt new approaches to addressing risks across the life cycle and supply chain.

June 2009 - Webinar A Practical Approach for Managing Risk

Topics: Acquisition Support, Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this 2009 webinar, the authors provide an overview of the Mosaic approach, a suite of methods used to manage risk across the lifecycle and supply chain.

April 2009 - Presentation A Technical Overview of Risk and Opportunity Management

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors provide a technical overview of systemic risk and opportunity management for distributed environments.

April 2009 - Technical Report A Framework for Categorizing Key Drivers of Risk

Topics: Risk and Opportunity Management, Acquisition Support, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

This 2009 report features a systemic approach for managing risk that takes into account the complex nature of distributed environments.

March 2009 - Presentation New Directions in Risk: A Success-Oriented Approach (2009)

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors describe the analysis of wireless network data, MAC layer information in netflow tools, and how the tools convert flow data.

February 2009 - Special Report Multi-View Decision Making (MVDM) Workshop

Topics: Acquisition Support, Cybersecurity Engineering, Risk and Opportunity Management, System of Systems, Software Assurance

Authors: Christopher J. Alberts, James Smith, Carol Woody

In this report, the authors describe the value of multi-view decision making, a set of practices that reflect the realities of complex development efforts.

July 2008 - Technical Note Preview of the Mission Assurance Analysis Protocol (MAAP): Assessing Risk and Opportunity in Complex Environments

Topics: Acquisition Support, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino

In this 2008 document, the authors preview a core set of activities and outputs that define a MAAP assessment.

March 2008 - Presentation Using the Mission Diagnostic: Lessons Learned (2008)

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

Presented at SEPG 2008, March 17-20, 2008, Tampa, Florida.

March 2008 - Technical Note Lessons Learned Applying the Mission Diagnostic

Topics: Acquisition Support

Authors: Audrey J. Dorofee, Lisa Marino, Christopher J. Alberts

This technical note describes the adaptation of the Mission Diagnostic (MD) necessary for a customer and the lessons we learned from its use.

March 2008 - Technical Report Mission Diagnostic Protocol, Version 1.0: A Risk-Based Approach for Assessing the Potential for Success

Topics: Acquisition Support

Authors: Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino

This 2008 document describes the core set of activities and outputs that defines mission diagnostic protocol (MDP).

March 2007 - Presentation Assuring Mission Success in Complex Settings

Topics: Risk and Opportunity Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors describe lessons learned from actual incidents of fraud, theft of sensitive information, and IT sabotage.

March 2007 - Technical Note Executive Overview of SEI MOSAIC: Managing for Success Using a Risk-Based Approach

Topics: Acquisition Support

Authors: Christopher J. Alberts, Audrey J. Dorofee, Lisa Marino

This 2007 report provides an overview of the concepts and foundations of MOSAIC, a suite of advanced, risk-based analysis methods for assessing complex, distributed programs, processes, and information-technology systems.

February 2007 - Podcast Assuring Mission Success in Complex Environments

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Julia H. Allen

In this podcast, participants discuss analysis tools for assessing complex organizational and technological issues that are beyond traditional approaches.

January 2007 - Article Considering Operational Security Risk During System Development

Topics: Cybersecurity Engineering, Software Assurance

Authors: Carol Woody, Christopher J. Alberts

In this article, the authors examine OCTAVE, an operational security-risk methodology, and apply it to security-related risks during system development.

October 2006 - Presentation Advanced Risk Analysis for High-Performing Organizations

Topics: Risk and Opportunity Management, Acquisition Support

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this presentation, the authors describe Advanced Risk Analysis for High-Performing Organizations.

April 2006 - Technical Note Common Elements of Risk

Authors: Christopher J. Alberts

This technical note begins to define a foundation for effective risk management by identifying the basic elements of risk and exploring how these elements can affect the potential for mission success.

September 2005 - Technical Note Mission Assurance Analysis Protocol (MAAP): Assessing Risk in Complex Environments

Topics: Cybersecurity Engineering, Measurement and Analysis

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this 2005 report, the authors present concepts and theories underlying the Mission Assurance Analysis Protocol.

October 2004 - Technical Report Defining Incident Management Processes for CSIRTs: A Work in Progress

Topics: Incident Management

Authors: Christopher J. Alberts, Audrey J. Dorofee, Georgia Killcrece, Robin Ruefle, Mark Zajicek

In this report, the authors present a prototype best practice model for performing incident management processes and functions.

January 2004 - Presentation Rethinking Risk Management (2004)

Authors: Christopher J. Alberts, Audrey J. Dorofee

This presentation explores if state-of-the-practice risk assessments accurately characterize the security risk confronting healthcare organizations. It also examines if risks are overlooked by state-of-the-practice risk assessments.

September 2003 - Technical Report Interpreting Capability Maturity Model Integration (CMMI) for COTS-Based Systems

Topics: Process Improvement, CMMI

Authors: Barbara Tyson, Christopher J. Alberts, Lisa Brownsword

This 2003 report shows that developing and maintaining COTS-based systems is more than selecting products and managing vendor relationships.

August 2003 - User's Guide Introduction to the OCTAVE Approach

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Audrey J. Dorofee, James F. Stevens, Carol Woody

In this 2003 report, the authors describe the OCTAVE method, an approach for managing information security risks.

July 2002 - Book Managing Information Security Risks: The OCTAVE Approach

Topics: Cyber Risk and Resilience Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this book, the authors provide a systematic way to evaluate and manage information security risks through the use of the OCTAVE approach.

June 2001 - User's Guide OCTAVE Method Implementation Guide Version 2.0 Volume 2: Preliminary Activities

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this list of preliminary activities, the authors describe activities you will complete to implement the OCTAVE method.

June 2001 - User's Guide OCTAVE Method Implementation Guide Version 2.0 Volume 1: Introduction

Topics: Cyber Risk and Resilience Management

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this report, the authors describe everything you will need to understand and implement the OCTAVE method.

February 2001 - Article HIPAA and Information Security Risk: Implementing an Enterprise-Wide Risk Management Strategy

Topics: Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee

In this article, the authors describe an information security risk evaluation that enables risk assessment and mitigation consistent with HIPAA guidelines.

September 1999 - Technical Report Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Framework, Version 1.0

Topics: Cyber Risk and Resilience Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Sandra Behrens, Richard D. Pethia, William R. Wilson

The Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) is a framework for identifying and managing information security risks.

January 1996 - Book Continuous Risk Management Guidebook

Topics: Risk and Opportunity Management, Cybersecurity Engineering

Authors: Christopher J. Alberts, Audrey J. Dorofee, Ron Higuera, Richard L. Murphy, Julie A. Walker, Ray C. Williams

This book describes the underlying principles, concepts, and functions of risk management and provides guidance on how to implement it as a continuous practice in your projects and organization.