Ketil Stølen

SINTEF | Stiftelsen for industriell og teknisk forskning · Department for Networked Systems and Services

PhD

About

271 Publications · 110,037 Reads
3,448 Citations
Introduction
Stølen has broad experience from basic as well as applied research. He did his PhD at Manchester University on rely-guarantee reasoning. His research at Technische Universität München focused on the theory of refinement and rules for compositional and modular system development. At SINTEF Stølen led the development of the CORAS method for security risk assessment. He is a co-author of the CORAS book published in 2011. In 2015 he co-authored a book on cyber risk management. His current research focuses on issues related to the Internet of Things, risk modeling, cyber security and cyber risk management.
Additional affiliations
December 1999 - present
SINTEF
Position
  • Principal Investigator
September 1998 - present
University of Oslo
Position
  • Professor II
September 1996 - November 1999
Institute for Energy Technology
Position
  • Research Associate
Education
September 1987 - September 1990
The University of Manchester
Field of study
  • Computer Science
September 1979 - May 1986
University of Oslo
Field of study
  • Computer Science


Publications (271)
Article
Full-text available
The paper presents STAIRS [1], an approach to the compositional development of UML interactions supporting the specification of mandatory as well as potential behavior. STAIRS has been designed to facilitate the use of interactions for requirement capture as well as test specification. STAIRS assigns a precise interpretation to the various steps in...
Conference Paper
Full-text available
A syntax-directed formal system for the development of totally correct programs with respect to an (unfair) shared-state parallel programming language is proposed. The programming language is basically a while-language extended with parallel- and await-constructs. The system is called LSP (Logic of Specified Programs) and can be seen as an exten...
Book
Technological science is about the design and development of new objects and processes. This is the handbook for everyone working on research and development of new technology. A researcher in technological science is concerned with finding solutions to a problem through innovative design and development of new objects or processes. Where more traditional sciences...
Chapter
Security is of great importance for software-intensive systems. Security incidents have become more and more frequent in the last few years. Such incidents can lead to substantial damage, not only financially, but also in terms of reputation loss. The security of a software system can be compromised by threats, which may harm assets with a certain likeli...
Chapter
Full-text available
Risk-driven testing and test-driven risk assessment are two strongly related approaches, though the latter is less explored. This chapter presents an evaluation of a test-driven security risk assessment approach to assess how useful testing is for validating and correcting security risk models. Based on the guidelines for case study research, two i...
Book
This book constitutes revised selected papers from the 4th International Workshop on Graphical Models for Security, GraMSec 2017, held in Santa Barbara, CA, USA, in August 2017. The 5 full and 4 short papers presented in this volume were carefully reviewed and selected from 19 submissions. The book also contains one invited paper from the WISER pr...
Conference Paper
Full-text available
We have developed a domain-specific modeling language named CORAL that employs risk assessment to help security testers select and design test cases based on the available risk picture. In this paper, we present CORAL and then discuss why the language is designed the way it is, and what we could have done differently.
Conference Paper
In this paper, we report the results from assessing the FLUIDE Framework for model-based specification of user interfaces supporting emergency responders. First, we outline the special challenges faced when developing such user interfaces, and the approach used in the FLUIDE Framework to meet these challenges. Then we introduce the framework, inclu...
Chapter
Full-text available
In order to decide whether a software system fulfills a specification, or whether a detailed specification preserves the properties of a more abstract specification, we need an understanding of what it means for one specification to fulfill another specification. This is particularly important when the specification contains one or more operators f...
Conference Paper
Full-text available
The FLUIDE Framework supports development of flexible emergency response user interfaces, meeting the special challenges when developing such user interfaces. This paper presents the FLUIDE Framework with particular emphasis on its specifications languages. We demonstrate the FLUIDE Framework by giving examples from the FLUIDE specification of the...
Chapter
Full-text available
The authors present the results of an evaluation in which the objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second case study they analyzed a...
Chapter
The notion of cybersecurity is closely related to cyber-risk management. However, no universally accepted definition of cybersecurity seems to exist. This chapter therefore defines and explains what we mean by this concept. What characterizes cybersecurity, and what are the kinds of threats that cybersecurity shall prevent or provide protection from...
Chapter
This chapter is the first chapter of Part II, which is dedicated to a running example designed to demonstrate each step of the cyber-risk assessment process. The example concerns an advanced metering infrastructure in a smart grid. The chapter demonstrates the context establishment, which will guide the rest of the risk assessment. This includes de...
Chapter
Risk identification involves determining what could happen to cause potential harm to assets, which includes gaining insight into how, where and why such cyberincidents may occur. This chapter starts by giving an overview of risk identification techniques, before moving on to demonstrate how the risk identification process described in Chap. 5 can...
Chapter
There is no universal agreement on how to measure risk. The definition of risk in ISO 31000, for example, comes with five notes, each defining risk in a slightly different way. Traditionally, risk value is a function of two factors, namely likelihood and consequence. However, within the field of cybersecurity, three-factor and many-factor definitio...
Chapter
How organizations should conduct risk management largely depends on the kind and nature of the systems of concern. In this book we are concerned about systems that make use of a cyberspace, namely cyber-systems. We therefore need to establish a clear understanding of cyber-systems. This chapter explains what we mean by a cyberspace, a cyber-system...
Chapter
Risk treatment involves deciding on strategies and controls to deal with cyber-risks, and starts with identification of treatments for selected risks. After identifying treatments we assess their effect and consider whether the residual risk is acceptable. If it is, the documentation is finalized and the process terminates, otherwise we need to go...
Chapter
The selection of the right scale for the right purpose is essential. The selection of scales is particularly important when measuring expert judgments. This chapter gives an overview of relevant kinds of scales and provides advice on which to use when and how the scale should be defined. The chapter also discusses the strengths and weaknesses of qu...
Chapter
In relation to risk assessment the issue of uncertainty appears at several levels. We may talk about uncertainty in the meaning of a specific risk appearing with some likelihood. We may also talk about how certain we are that this estimate of likelihood is correct. In the latter case, we basically estimate our trust in the former estimate. In this...
Chapter
In this chapter we specialize risk management, which was introduced in Chap. 2, to the domain of cyber-systems. We highlight what is special about cyber-systems and cyber-threats from a risk management perspective, focusing in particular on the nature of cyber-risks and the options and means we have for managing them. First we explain what we mean...
Chapter
Risk analysis involves determining the level of risk, typically in terms of the likelihood of incidents to happen and the consequence for assets. This can be done qualitatively or quantitatively. In order to determine the risk level, it is usually necessary to perform an analysis of the related threats and vulnerabilities. This also helps us to bet...
Chapter
Full-text available
Risk evaluation is the process of comparing the results of the risk analysis with the risk evaluation criteria defined during the context establishment to determine whether the cyber-risks are acceptable. We also need to consider whether some risks that we have regarded as separate actually are instances of the same risk and therefore should be agg...
Chapter
This chapter gives an introduction to risk management in general and explains the central concepts. We begin by explaining what risk is and presenting the terminology we need in order to talk about risk. Thereafter we introduce risk management and explain what it involves for an organization to manage risk in a systematic and effective manner. Subs...
Chapter
This chapter presents the main conclusions of the book. It is structured into three parts. First we draw conclusions on the general theme of cyber-risk management as described in Part I and Part II. Then we do the same for the four issues addressed in further detail in Part III. A technical brief is by its very definition short; hence, much has jus...
Chapter
Risk assessment is said to be unreliable for risks of low likelihood and very high consequence. In this chapter we explain why, and offer guidelines on how to deal with such situations. We also discuss the problem of the “unknown unknown”, often referred to as the “black swan problem”.
Article
Full-text available
The authors present the results of an evaluation in which the objective was to assess how useful testing is for validating and correcting security risk models. The evaluation is based on two industrial case studies. In the first case study the authors analyzed a multilingual financial Web application, while in the second case study they analyzed a...
Article
UML sequence diagrams and similar notations are much used to specify and analyze computer systems and their requirements. Probabilities are often essential, in particular for capturing soft real-time constraints. It is also important to be able to specify systems at different levels of abstraction. Refinement is a means to relate abstract specifica...
Article
Full-text available
Risk analysis and testing are conducted for different purposes. Risk analysis and testing nevertheless involve processes that may be combined to the benefit of both. We may use testing to support risk analysis and risk analysis to support testing. This paper surveys literature on the combined use of risk analysis and testing. First, the existing ap...
Article
Full-text available
Changes, such as the introduction of new technology, may have considerable impact on the risk to which a system or organization is exposed. For example, in the oil and gas domain, introduction of technology that allows offshore installations to be operated from onshore means that fewer people are exposed to risk on the installation, but it also int...
Technical Report
This report exemplifies the application of a pattern-based method, called Safe Control Systems (SaCS), on a case taken from the railway domain. The method is supported by a pattern language and provides guidance on development of conceptual safety designs. By a conceptual safety design, we mean an early stage specification of system requirements, s...
Technical Report
This technical report exemplifies the application of a pattern-based method, called Safe Control Systems (SaCS), on a case from the nuclear domain. The method is supported by a pattern language and provides guidance on development of conceptual safety designs. By a conceptual safety design we mean an early stage specification of system requirements...
Chapter
Full-text available
The criticality of risk management is evident when considering the information society of today, and the emergence of Future Internet technologies such as Cloud services. Information systems and services become ever more complex, heterogeneous, dynamic and interoperable, and many different stakeholders increasingly rely on their availability and pr...
Conference Paper
Full-text available
Risk-driven testing is a testing approach that aims at focusing the testing process on the aspects or features of the system under test that are most exposed to risk. Current risk-driven testing approaches succeed in identifying the aspects or features that are most exposed to risks, and thereby support testers in planning the testing process accor...
Chapter
Full-text available
Established standards on security and risk management provide guidelines and advice to organizations and other stakeholders on how to fulfill their security needs. However, realizing and ensuring compliance with such standards may be challenging. This is partly because the descriptions are very generic and have to be refined and interpreted by secu...
Article
Full-text available
In this paper, we present the Safe Control Systems (SaCS) pattern language for the development of conceptual safety designs and conduct an analytical evaluation of the appropriateness of the language for its intended task. By a conceptual safety design we mean an early stage specification of system requirements, system design, and safety case for a...
Conference Paper
Full-text available
In this paper, we present an analytic evaluation of the Safe Control Systems (SaCS) pattern language for the development of conceptual safety designs. By a conceptual safety design we mean an early stage specification of system requirements, system design, and safety case for a safety critical system. The SaCS pattern language may express basic pat...
Book
This book constitutes the thoroughly refereed conference proceedings of the First International Workshop on Risk Assessment and Risk-driven Testing, RISK 2013, held in conjunction with the 25th IFIP International Conference on Testing Software and Systems, ICTSS 2013, in Istanbul, Turkey, in November 2013. The revised full papers were carefully reviewe...
Technical Report
Full-text available
Realizing security and risk management standards may be challenging, partly because the descriptions of what to realize are often generic and have to be refined by security experts. Removing this ambiguity is time-intensive for security experts, because the experts have to interpret all the required tasks in the standard on their own. In our previ...
Technical Report
This report describes the syntax and semantics of the SaCS pattern language. SaCS is a pattern-based method that defines the systematic application of SaCS patterns for design conceptualisation of safety critical systems. The method is supported by the SaCS pattern language that consists of a set of patterns and a notation for describing the combi...
Article
Full-text available
Having a sequence diagram specification and a computer system, we need to answer the question: Is the system compliant with the sequence diagram specification in the desired way? We present a procedure for answering this question for sequence diagrams with underspecification and inherent nondeterminism. The procedure is independent of any concrete...
Conference Paper
Full-text available
Risk is unavoidable in business and risk management is needed amongst others to set up good security policies. Once the risks are evaluated, the next step is to decide how they should be treated. This involves managers making decisions on proper countermeasures to be implemented to mitigate the risks. The countermeasure expenditure, together with i...
Article
Full-text available
Our earlier research indicated the feasibility of the PREDIQT method for model-based prediction of impacts of architectural design changes, on the different quality characteristics of a system. The PREDIQT method develops and makes use of a multi-layer model structure, called prediction models. Usefulness of the prediction models requires a structu...
Conference Paper
Full-text available
The Safe Control Systems (SaCS) method is a pattern-based method supporting the development of conceptual designs for safety critical systems. A pattern language offers support for the method by six different kinds of basic patterns, operators for combining patterns, and a graphical notation for visualising a pattern composition. Intended users of...
Chapter
Systems of systems are collections of systems interconnected through the exchange of services. Their often complex service dependencies and very dynamic nature make them hard to analyze and predict with respect to quality in general, and security in particular. In this chapter, the authors put forward a method for the capture and monitoring of impa...
Article
When adapting a system to new usage patterns, processes or technologies, it is necessary to foresee the implications of the architectural design changes on system quality. Examination of quality outcomes through implementation of the different architectural design alternatives is often unfeasible. We have developed a method called PREDIQT with the...
Conference Paper
Full-text available
Information systems are ever more connected to the Internet, which gives wide opportunities for interacting with other actors, systems and resources and for exploiting the open and vast market. This pushes the limits for security mechanisms, which in general are too rigid to fully adapt to such a dynamic and heterogeneous environment. Trust mecha...
Chapter
Full-text available
Systems of systems are collections of systems interconnected through the exchange of services. Their often complex service dependencies and very dynamic nature make them hard to analyze and predict with respect to quality in general, and security in particular. In this chapter, the authors put forward a method for the capture and monitoring of impa...
Conference Paper
Full-text available
This article exemplifies the application of a pattern-based method, called SaCS (Safe Control Systems), on a case taken from the nuclear domain. The method is supported by a pattern language and provides guidance on the development of design concepts for safety critical systems. The SaCS language offers six different kinds of basic patterns as well...