www.wileyeurope.com/college/van lamsweerde
Chap.9: Risk Analysis on Goal Models
© 2009 John Wiley and Sons

Slide 2: on what? why? how? who?

Slide 3: Risk identification, Risk assessment, Risk control

Slide 6: Obstacles
An obstacle O to a goal G, given domain properties Dom, must satisfy three conditions:
• { O, Dom } |= not G  (obstruction)
• { O, Dom } |≠ false  (domain consistency)
• feasibility
Example:
G:   TrainStoppedAtBlockSignal If StopSignal
Dom: If TrainStopsAtStopSignal then DriverResponsive
O:   DriverUnresponsive

Slide 7: Domain completeness of a set of obstacles O1, ..., On to a goal G:
{ not O1, ..., not On, Dom } |= G
Example: If not DriverUnresponsive and not BrakeSystemDown and StopSignal then TrainStoppedAtBlockSignal

Slide 8: Obstacle categories (obstacle category / obstructed goal category / subcategories)
Hazard / Safety
Threat / Security / Disclosure, Corruption, DenialOfService
Inaccuracy / Accuracy
Misinformation / Information / NonInformation, WrongInformation, TooLateInformation
Dissatisfaction / Satisfaction / NonSatisfaction, PartialSatisfaction, TooLateSatisfaction
Unusability / Usability
[Figure: goal category taxonomy. Goal: Functional goal, Non-functional goal. Categories shown: Satisfaction, Information, Stim-Response, Quality of service, Compliance, Architectural, Development, Safety, Security (Confidentiality, Integrity, Availability), Reliability, Performance (Time, Space, Cost), Interface (User interaction, Device interaction), Usability, Convenience, Accuracy, Distribution, Installation, Variability, Software interoperability, Maintainability, Cost, Deadline]

Slide 10: Obstacle tree (figure)
obstruction: goal TrainStoppedAtBlockEntry If StopSignal
root obstacle: StopSignal And Not TrainStoppedAtBlockEntry
OR-refinement of the root obstacle: SignalNotVisible, DriverUnresponsive, BrakeSystemDown, …
resolution by countermeasure goal: ResponsivenessCheckSentRegularly
Legend: goal, obstacle, resolution, countermeasure goal

Slide 13 (fragment): specification features
Def: "… take appropriate action according to that command"
[ FormalSpec in temporal logic for analysis, not in this chapter ]
[ Category Hazard ]
[ Likelihood likely ]
[ Criticality catastrophic ]

Slide 14: Risk analysis on goal models: outline
Goal obstruction by obstacles
– What are obstacles?
– …

Slide 16: Obstacle analysis and goal model elaboration are intertwined
Loop (data dependency): Goal model elaboration → Obstacle identification → Obstacle assessment → Obstacle resolution → back to goal model elaboration
The goal-obstacle analysis loop terminates when the remaining obstacles can be tolerated – unlikely or acceptable consequences …
Which goals to consider in the goal model?
– leaf goals (requirements or expectations): easier to refine what is wanted than what is not wanted (+ up-propagation in goal model)
– based on annotated Priority & Category (Hazard, Security, …)

Slide 17: Identifying obstacles
For obstacle to selected assertion …

Slide 18 (fragment): OR-refinements when or-connective gets in

Slide 19: Identifying obstacles by tautology-based refinement
MotorReversed Iff MovingOnRunway
MovingOnRunway Iff WheelsTurning
MotorReversed Iff WheelsTurning

Slide 20: Identifying …

Slide 26: Identifying obstacles from necessary conditions for obstructed target
Maintain goal:     [If CurrentCondition then] always GoodCondition      e.g. always TrainStoppedIfStopSignal
Obstacle:          [CurrentCondition and] sooner-or-later not GoodCondition      e.g. sooner-or-later not TrainStoppedIfStopSignal
Domain property:   If GoodCondition then NecessaryCondition      e.g. If TrainStoppedIfStopSignal then DriverResponsive
Sub-obstacle:      [CurrentCondition and] sooner-or-later not NecessaryCondition      e.g. sooner-or-later not DriverResponsive

Slide 27: Identifying obstacles from necessary conditions for obstructed target (2)
Achieve goal:      [If CurrentCondition then] sooner-or-later TargetCondition
Obstacle:          [CurrentCondition and] never TargetCondition
Domain property:   If TargetCondition then NecessaryCondition
Sub-obstacle:      [CurrentCondition and] never NecessaryCondition
Can also be used for eliciting relevant domain properties – what are necessary conditions for TargetCondition?

Slide 28: Obstacle models …

Slide 31 (fragment): resolution based on
• likelihood/severity of obstacle
• non-functional/quality goals in goal model
[Figure: Obstacle identification → Obstacle assessment → Obstacle resolution]

Slide 32: Exploring alternative countermeasures
By use of model transformation operators – encode resolution tactics
Goal substitution: consider …

Slide 33 (fragment): [SafeAccelerationComputed] obstructed by ComputedAccelerationNotSafe: OnBoardTrainController → VitalStationComputer

Slide 34: Exploring alternative countermeasures (3)
Goal weakening: weaken the obstructed goal's formulation so that it no longer gets obstructed
– for if-then goal specs: add conjunct …
e.g. [TrafficControllerOnDutyOnSector] obstructed by NoSectorControllerOnDuty → goal weakening: TrafficControllerOnDutyOnSector or WarningToNextSector

Slide 35: Exploring alternative countermeasures (4)
Obstacle prevention: introduce new goal Avoid [obstacle]
e.g. AccelerationCommandCorrupted → Avoid [AccelerationCommandCorrupted] …