Common use of CORAS representation Clause in Contracts

CORAS representation. Figure 21 shows a fragment of a CORAS diagram showing two nodes (threat scenarios S1 and S2) that may each lead to another node (threat scenario S3). This is represented by the 'leads-to' relation from each of S1 and S2 to S3. The likelihood of S3 thus depends on the likelihood of S1 and the conditional likelihood of an occurrence of S1 actually leading to an occurrence of S3, and similarly for S2. Notice that the diagram is meant to represent an example of a more general case, where one or more nodes may lead to another node. Moreover, even if all nodes in this particular fragment are threat scenarios, each of them could equally well have been replaced by an incident without having any impact on the reasoning presented here. The likelihood contribution from S1 to S3 again has two direct sub-nodes, showing that it depends on the likelihood of S1 (l_S1) as well as the conditional likelihood of an occurrence of S1 actually leading to S3 (cl_S1_to_S3). Similarly, the likelihood contribution from S2 to S3 depends on the likelihood of S2 (l_S2) as well as the conditional likelihood of S2 leading to S3 (cl_S2_to_S3). Figure 22 shows only one example, where there are two incoming branches to S3. In general, the number of direct sub-nodes to S3 will be equal to the number of incoming branches. However, it is important to avoid having to too many incoming branches to a node, as this makes it hard to define the utility function. When using five-step scales as in the example, even three incoming branches would give 125 possible combinations. This is can already be hard to handle, and more branches would be completely unfeasible. In such cases, we recommend restructuring the model, as further explained in the DEXi manual [1]. Observe that the nodes representing likelihoods of S1 and S2 occur at the bottom/leaf layer of the DEXi fragment in Figure 22. As these may again depend on incoming branches, the model allows any finite number of levels in the DEXi tree.

CORAS representation. Figure 21 16 shows a fragment of a CORAS diagram showing two nodes (threat scenarios S1 and S2) that may each lead to another node (threat scenario S3). This is represented by the 'leads-to' relation from each of S1 and S2 to S3. The likelihood of S3 thus depends on the likelihood of S1 and the conditional likelihood of an occurrence of S1 actually leading to an occurrence of S3, and similarly for S2. Notice that the diagram is meant to represent an example of a more general case, where one or more nodes may lead to another node. Moreover, even if all nodes in this particular fragment are threat scenarios, each of them could equally well have been replaced by an incident without having any impact on the reasoning presented here. Figure 17 shows a DEXi fragment corresponding to the CORAS fragment in Figure 16. The likelihood contribution from S1 to S3 again has two direct sub-nodes, showing that it depends on the likelihood of S1 (l_S1) as well as the conditional likelihood of an occurrence of S1 actually leading to S3 (cl_S1_to_S3). Similarly, the likelihood contribution from S2 to S3 depends on the likelihood of S2 (l_S2) as well as the conditional likelihood of S2 leading to S3 (cl_S2_to_S3). Figure 22 17 shows only one example, where there are two incoming branches to S3. In general, the number of direct sub-nodes to S3 will be equal to the number of incoming branches. However, it is important to avoid having to too many incoming branches to a node, as this makes it hard to define the utility function. When using five-step scales as in the example, even three incoming branches would give 125 possible combinations. This is can already be hard to handle, and more branches would be completely unfeasible. In such cases, we recommend restructuring the model, as further explained in the DEXi manual [1]. Observe that the nodes representing likelihoods of S1 and S2 occur at the bottom/leaf layer of the DEXi fragment in Figure 2217. As these may again depend on incoming branches, the model allows any finite number of levels in the DEXi tree.