
Author Topic: Modelling security and security classification  (Read 5210 times)

Eamonn John Casey

Modelling security and security classification
« on: August 08, 2018, 12:17:37 am »
Hi!

Got a question from our security group about what would be an appropriate modelling language to use for modelling security. I see that there is:
1. a Risk MDG as standard.
2. ArchiMate Motivation could also work
3. some years ago there was an ArchiMate white paper for modelling security but that is still not implemented as part of the language.

What have you been using?

/ Eamonn J. //

Sunshine

Re: Modelling security and security classification
« Reply #1 on: August 08, 2018, 07:19:36 am »
Yes, you can use ArchiMate to manage enterprise risk and security. I use ArchiMate already, so I use the paper by The Open Group, which provides details on how to do this (Ref W172). There was an earlier one, W150, mapping it to ArchiMate v2.1.
Here is a link to the latest:
https://publications.opengroup.org/w172

You just have to map (crowbar) the elements onto ArchiMate:
Threat Agent -> Actor
Threat Event -> Business Event
Loss Event -> Business Event
Risk -> Assessment
Control Objective -> Goal
Vulnerability -> Assessment
Security Requirement -> Requirement
Security Principle -> Principle
Control Measure -> Requirement
Asset at Risk -> Resource
Implemented Control Measure -> Business Service, Application Service, Technology Service
Security Domain -> Group

However, that being said, the Risk Taxonomy MDG looks like it might be better suited, so I'd be tempted to use that rather than shoehorn it into ArchiMate notation.
The most important thing is to understand the metamodel for your security group and the viewpoints they need - find some examples and use them for guidance.
Happy to help
:)

Glassboy

Re: Modelling security and security classification
« Reply #2 on: August 08, 2018, 09:43:06 am »

> However, that being said, the Risk Taxonomy MDG looks like it might be better suited, so I'd be tempted to use that rather than shoehorn it into ArchiMate notation.
> The most important thing is to understand the metamodel for your security group and the viewpoints they need - find some examples and use them for guidance.

I created an MDG for the ArchiMate notation and the original methodology it is based on. I just have to find where I put them :-)

Sunshine

Re: Modelling security and security classification
« Reply #3 on: August 08, 2018, 12:30:52 pm »

> > However, that being said, the Risk Taxonomy MDG looks like it might be better suited, so I'd be tempted to use that rather than shoehorn it into ArchiMate notation.
> > The most important thing is to understand the metamodel for your security group and the viewpoints they need - find some examples and use them for guidance.
>
> I created an MDG for the ArchiMate notation and the original methodology it is based on. I just have to find where I put them :-)

MDG for the ArchiMate - me too, which I created back in 2007 before it was available in Sparx EA. Still using an updated version of it today :)

However, the official ArchiMate Standard does not have those risk taxonomy types defined. The easiest option would be to use the Risk Taxonomy MDG that comes with Sparx EA.

Happy to help
:)

Glassboy

Re: Modelling security and security classification
« Reply #4 on: August 08, 2018, 12:44:04 pm »
> However, the official ArchiMate Standard does not have those risk taxonomy types defined. The easiest option would be to use the Risk Taxonomy MDG that comes with Sparx EA.

I extended ArchiMate according to one of the white papers. I didn't really like it in practice tho'.