CSP Forum


Compositional Risk Assessment and Security Testing of Networked Systems

Project Progress:

01 Oct 2012 - 30 Sep 2015

Project Objectives

The RASEN project works on techniques for combining two existing security disciplines: risk assessment and security testing. This marriage brings mutual benefits to both fields. Traditional risk assessment is usually done through a series of workshops with experts, and there is always a degree of uncertainty to the information they provide. Security testing, on the other hand, typically requires execution of a huge number of tests and it may not be feasible to cover all of them in a short time. RASEN streamlines interaction between these two fields to allow an organization to have a global view on its security status and improve the results of both disciplines.

Innovation Targets

The project mainly focuses on organizing bi-directional information exchange from risk analysis to security testing and vice-versa. The main expected innovations are:

- The risk-based security testing technique that allows to prioritize security tests to be executed based on the result of risk analysis.
- The test-based risk assessment technique to reduce uncertainty of risk analysis by using results of security testing of the system.
- The legal security risk assessment methodology, which will be used by organizations to show that software systems they develop are compliant with existing laws and regulations.
- A compositional risk assessment methodology to allow execution of risk assessment on large-scale systems in a modular way.

Market acceptance gaps

RASEN will deliver prototype tools for its methodologies. Yet the project foresees potential gaps for adoption of its results in the absence of industrial-level tools that are required by practitioners.

Mitigation strategies

The project pays special attention to its tool support in order to lower the threshold for adoption.


The results of RASEN will help organizations to conduct security assessments of large-scale information systems through the combination of security risk assessment and security testing, taking into account also the context in which the system is used, such as liability and legal dimensions.

Zoom in

The use cases explored by RASEN are:

- A healthcare system use case with a strong focus on compliance with privacy regulations (by Info World).
- A financial software system use case with a focus on test prioritization and compliance with regulations regarding financial systems (by EVRY).
- A business process software system use case with a focus on scalability (by Software AG)