SwePub

Result list for search "WFRF:(Johnson Robert) ;pers:(Johnson Pontus)"

  • Results 1-10 of 52
1.
  • Ekstedt, Mathias, et al. (author)
  • A Tool for Enterprise Architecture Analysis of Maintainability : CSMR 2009, PROCEEDINGS
  • 2009
  • In: EUR CON SFTWR MTNCE REENGR. - Los Alamitos : IEEE COMPUTER SOC. - 9780769535890 ; , pp. 327-328
  • Conference paper (peer-reviewed)
    • A tool for Enterprise Architecture analysis using a probabilistic mathematical framework is demonstrated. The Model-View-Controller tool architecture is outlined, before the use of the tool is considered. A sample abstract maintainability model is created, showing the dependence of system maintainability on documentation quality, developer expertise, etc. Finally, a concrete model of an ERP system is discussed.
2.
3.
  • Ekstedt, Mathias, et al. (author)
  • securiCAD by foreseeti : A CAD tool for enterprise cyber security management
  • 2015
  • In: Proceedings of the 2015 IEEE 19th International Enterprise Distributed Object Computing Conference Workshops and Demonstrations, EDOCW 2015. - 9781467393317
  • Conference paper (peer-reviewed)
    • This paper presents a CAD tool for enterprise cyber security management called securiCAD. It is software developed during ten years of research at KTH Royal Institute of Technology, and it is now being commercialized by foreseeti (a KTH spin-off company). The idea of the tool is similar to CAD tools used when engineers design and test cars, buildings, etc. Specifically, the securiCAD user first models the IT environment, an existing one or one under development, and then securiCAD, using attack graphs, calculates and highlights potential weaknesses and avenues of attack. The main benefits of securiCAD are: 1) built-in security expertise, 2) visualization, 3) holistic security assessments, and 4) scenario comparison (decision-making) capabilities.
4.
  • Ekstedt, Mathias, et al. (author)
  • Setting the Information Systems Goals
  • 2007
  • In: Enterprise Architecture. - : Studentlitteratur. - 9789144027524 ; , pp. 92-152
  • Book chapter (other academic/artistic)
5.
  • Engström, Viktor, et al. (author)
  • Automated Security Assessments of Amazon Web Service Environments
  • 2022
  • In: ACM Transactions on Privacy and Security. - : Association for Computing Machinery (ACM). - 2471-2566 .- 2471-2574. ; 26:2, pp. 1-31
  • Journal article (peer-reviewed)
    • Migrating enterprises and business capabilities to cloud platforms like Amazon Web Services (AWS) has become increasingly common. However, securing cloud operations, especially at large scales, can quickly become intractable. Customer-side issues such as service misconfigurations, data breaches, and insecure changes are prevalent. Furthermore, cloud-specific tactics and techniques paired with application vulnerabilities create a large and complex search space. Various solutions and modeling languages for cloud security assessments exist. However, no single one appeared sufficiently cloud-centered and holistic. Many also did not account for tactical security dimensions. This article, therefore, presents a domain-specific modeling language for AWS environments. When used to model AWS environments, manually or automatically, the language automatically constructs and traverses attack graphs to assess security. Assessments, therefore, require minimal security expertise from the user. The modeling language was primarily tested on four third-party AWS environments through securiCAD Vanguard, a commercial tool built around the AWS modeling language. The language was validated further by measuring performance on models provided by anonymous end users and a comparison with a similar open source assessment tool. As of March 2020, the modeling language could represent essential AWS structures, cloud tactics, and threats. However, the tests highlighted certain shortcomings. Data collection steps, such as planted credentials, and some missing tactics were obvious. Nevertheless, the issues covered by the DSL were already reminiscent of common issues with real-world precedents. Future additions to attacker tactics and addressing data collection should yield considerable improvements.
6.
  • Franke, Ulrik, et al. (author)
  • A formal method for cost and accuracy trade-off analysis in software assessment measures
  • 2009
  • In: RCIS 2009. - NEW YORK : IEEE. - 9781424428649 ; , pp. 295-302
  • Conference paper (peer-reviewed)
    • Creating accurate models of information systems is an important but challenging task. It is generally well understood that such modeling encompasses general scientific issues, but the monetary aspects of the modeling of software systems are not equally well acknowledged. The present paper describes a method using Bayesian networks for optimizing modeling strategies, perceived as a trade-off between these two aspects. Using GeNIe, a graphical tool with the proper Bayesian algorithms implemented, decision support can thus be provided to the modeling process. Specifically, an informed trade-off can be made, based on the modeler's prior knowledge of the predictive power of certain models, combined with his projection of their costs. It is argued that this method might enhance modeling of large and complex software systems in two principal ways: Firstly, by enforcing rigor and making hidden assumptions explicit. Secondly, by enforcing cost awareness even in the early phases of modeling. The method should be used primarily when the choice of modeling can have great economic repercussions.
7.
  • Franke, Ulrik, et al. (author)
  • A Method for Choosing Software Assessment Measures using Bayesian Networks and Diagnosis : CSMR 2009, PROCEEDINGS
  • 2009
  • In: 13TH EUROPEAN CONFERENCE ON SOFTWARE MAINTENANCE AND REENGINEERING: CSMR 2009, PROCEEDINGS. - LOS ALAMITOS, CA. : IEEE COMPUTER SOC.. - 9780769535890 ; , pp. 241-245
  • Conference paper (peer-reviewed)
    • Creating accurate models of information systems is an important but challenging task. While the scientific aspects of such modeling are generally acknowledged, the monetary aspects of the modeling of software systems are not. The present paper describes a Bayesian method for optimizing modeling strategies, perceived as a trade-off between these two aspects. Specifically, an informed trade-off can be made, based on the modeler's prior knowledge of the predictive power of certain models, combined with her projection of the costs. It is argued that this method enhances modeling of large and complex software systems in two principal ways: Firstly, by enforcing rigor and making hidden assumptions explicit. Secondly, by enforcing cost awareness even in the early phases of modeling. The method should be used primarily when the choice of modeling can have great economic repercussions.
8.
  • Franke, Ulrik, et al. (author)
  • Decision Support oriented Enterprise Architecture Metamodel Management using Classification Trees
  • 2009
  • In: 2009 13TH ENTERPRISE DISTRIBUTED OBJECT COMPUTING CONFERENCE WORKSHOPS (EDOCW 2009). - NEW YORK : IEEE. ; , pp. 328-335
  • Conference paper (peer-reviewed)
    • Models are an integral part of the discipline of Enterprise Architecture (EA). To stay relevant to management decision-making needs, the models need to be based upon suitable metamodels. These metamodels, in turn, need to be properly and continuously maintained. While there exist several methods for metamodel development and maintenance, these typically focus on internal metamodel qualities and metamodel engineering processes, rather than on the actual decision-making needs and their impact on the metamodels used. The present paper employs techniques from information theory and learning classification trees to propose a method for metamodel management based upon the value added by entities and attributes to the decision-making process. This allows for the removal of those metamodel parts that give the least "bang for the bucks" in terms of decision support. The method proposed is illustrated using real data from an ongoing research project on systems modifiability.
9.
  • Johnson, Pontus, et al. (author)
  • A Meta Language for Threat Modeling and Attack Simulations
  • 2018
  • In: ACM International Conference Proceeding Series. - New York, NY, USA : ACM.
  • Conference paper (peer-reviewed)
    • Attack simulations may be used to assess the cyber security of systems. In such simulations, the steps taken by an attacker in order to compromise sensitive system assets are traced, and a time estimate may be computed from the initial step to the compromise of assets of interest. Attack graphs constitute a suitable formalism for the modeling of attack steps and their dependencies, allowing the subsequent simulation. To avoid the costly proposition of building new attack graphs for each system of a given type, domain-specific attack languages may be used. These languages codify the generic attack logic of the considered domain, thus facilitating the modeling, or instantiation, of a specific system in the domain. Examples of possible cyber security domains suitable for domain-specific attack languages are generic types such as cloud systems or embedded systems but may also be highly specialized kinds, e.g. Ubuntu installations; the objects of interest as well as the attack logic will differ significantly between such domains. In this paper, we present the Meta Attack Language (MAL), which may be used to design domain-specific attack languages such as the aforementioned. The MAL provides a formalism that allows the semi-automated generation as well as the efficient computation of very large attack graphs. We declare the formal background to MAL, define its syntax and semantics, exemplify its use with a small domain-specific language and instance model, and report on the computational performance.
10.
  • Johnson, Pontus, et al. (author)
  • Automatic Probabilistic Enterprise IT Architecture Modeling : a Dynamic Bayesian Networks Approach
  • 2016
  • In: 2016 IEEE 20TH INTERNATIONAL ENTERPRISE DISTRIBUTED OBJECT COMPUTING WORKSHOP (EDOCW). - : IEEE. - 9781467399333 ; , pp. 122-129
  • Conference paper (peer-reviewed)
    • Enterprise architecture modeling and model maintenance are time-consuming and error-prone activities that are typically performed manually. This position paper presents new and innovative ideas on how to automate the modeling of enterprise architectures. We propose to view the problem of modeling as a probabilistic state estimation problem, which is addressed using Dynamic Bayesian Networks (DBN). The proposed approach is described using a motivating example. Sources of machine-readable data about Enterprise Architecture entities are reviewed.