This DokuWiki uses a theme created by Anymorphic Webdesign.

Risk Analysis and Management

Risk, as one of the inherent problems of software systems, needs to be analyzed and managed. Several works have been proposed that cover all phases of the Risk Analysis and Management (RA&M) process. Unfortunately, most of those works start once the architecture of the system has been defined. This approach results in modifications to the artifacts produced in the prior phases of system development (e.g., the requirement and design phases). My work is meant to provide a framework for doing RA&M from the early phases of system development (i.e., early requirement analysis). Moreover, the framework will provide traceability among the RA&M results produced in each phase of system development. The framework also provides an automatic reasoner that can analyze the risk level of the system qualitatively and quantitatively. I adapt the framework (namely, the Goal-Risk Framework) in several areas, such as Information Assurance and IT Governance, and Security and Dependable Systems.

Security and Dependability Engineering

We aim to analyze S&D requirements in critical systems. These systems are characterized as complex technical systems that are tightly coupled with the human activities that interact with them. We have also started to elicit several S&D patterns that can be used at the organizational level for implementing an S&D system. Later, we realized that in such a setting the notion of perceived risk is central to guaranteeing the security and dependability of the system, and we are trying to model actual risk and perceived risk so that analysts can elicit requirements taking both aspects of risk into account.

Information Assurance and IT Governance

We aim to derive a Business Continuity Plan (BCP) considering the goals, risks, business processes, and architectures of services in an organization. The BCP should then comply with standards (e.g., ISO 17799) and regulations (Basel II, Sarbanes-Oxley Act). Finally, the organization implements the BCP as a set of countermeasures to guarantee the continuity of the business and minimize loss, and also employs a set of monitoring mechanisms to ensure that the risk level is acceptable and the countermeasures are effective.

research/risk.txt · Last modified: 2010/07/19 03:32 (external edit)
CC Attribution-Noncommercial-Share Alike 3.0 Unported