Detailed information regarding RASEN support for the key areas and levels below is available by selecting them. The matrix lists, for each of the four key areas, its maturity levels from highest (top row) to lowest (bottom row).

Legal and compliance assessment          Risk assessment           Security testing                Tool support
-----------------------------------------------------------------------------------------------------------------
Systematic and risk-driven assessment    Real-time assessment      Continuous risk-based testing   Integrated
Systematic compliance assessment         Quantitative assessment   Risk-based testing              Partially integrated
Checklist-based compliance assessment    Qualitative assessment    Planned testing                 Stand-alone
Ad-hoc compliance assessment             Checklist assessment      Unstructured testing            None


Artefacts supporting systematic and risk-driven legal and compliance assessment


Legal and compliance assessment refers to the overall process employed with the objective of adhering to the requirements of laws, industry and organizational standards and codes, principles of good governance, and accepted community and ethical standards. The overall process should support, to the extent possible, the documentation of compliance. Systematic and risk-driven compliance assessment involves a defined process for risk-driven compliance in which compliance requirements are prioritized based on their risks. This approach is supported by systematic documentation that enables the mapping of different risks and controls to the relevant compliance requirements.

Prerequisites: Qualitative risk assessment and Integrated tool support

Whitepapers


Combining Security Risk Assessment and Security Testing

Complex networked systems have become an integral part of our supply infrastructure. Mobile devices, home automation, smart grids and even vehicles are connected via the Internet and are becoming accessible, and thus vulnerable, to hacker attacks. While the number of security incidents drastically increases, we are more than ever dependent on a secure and mature ICT infrastructure. One of the keys to maintaining such a secure and dependable infrastructure is mature, systematic and capable proactive measures to reduce or prevent the risks of security incidents. This paper describes the systematic integration of security risk assessment and security testing to enable efficient and focused security assessments of networked systems.

http://www.rasenproject.eu/downloads/479/
 

Articles & Presentations


An Integrated Approach to Compliance and Security Risk Assessment

Organizations that rely on information and communications technology (ICT) infrastructures need to maintain a high level of information security and protection from cyber-attacks. This is not only due to the self-interest of protecting business critical infrastructures; it is also due to laws that deal with information security. For this reason, technical and legal risks often need to be understood in combination. The RASEN project proposes an approach to integrate compliance and security risk assessment.

Currently not available for download

Assessing legal risks of closed generic top-level domains

Since the recent introduction of new generic top-level domains (TLDs), a variety of new Internet domain names have become available for registration. These include new domain endings such as <.berlin>, <.club> or <.global>, which anyone can purchase. At the same time, an entire class of new TLD applications has arguably failed. Several well-known corporations applied for "closed generic TLDs". The applicants wanted to reserve these generic words for internal use, thus disallowing third-party registrations. Examples included <.beauty> (L'Oréal), <.ketchup> (Heinz), <.blog> (Google) and <.book> (Amazon). These applications have either been withdrawn or will be converted into open TLDs, largely as a consequence of changes or clarifications in the rules for TLDs published by the Internet Corporation for Assigned Names and Numbers (ICANN). This article advances two arguments. The first argument is that these applications for closed generic TLDs were fairly risky because they implied some level of legal risk for the applicants. The failures indicate that some risks have now materialized. The article also discusses what methods, if any, TLD applicants could have used to identify and manage such risks. The second argument put forth is that standard risk management techniques can and should be applied to the analysis of legal risk.

http://ejlt.org/article/view/376

Legal risk management: a method for proactive management of legal risks

It is commonplace that legal services are often sought reactively, i.e., when a legal problem has already occurred. Such an approach has not always been viewed as satisfactory because disputes and litigation consume time and resources which could otherwise be used more productively. In the book 'The Future of Law', Richard Susskind predicts a paradigm shift in the approach to a legal problem, from problem solving to problem prevention, where understanding legal problems, identifying the associated risks and controlling them before any question of escalation becomes a priority. This raises the question of what kinds of methods a lawyer can employ to ensure legal risk management. One possibility is to supplement the conventional legal method of identifying which law applies to a given case with methods for risk analysis developed in other disciplines, such as IT security. In such disciplines, risks can be identified, analyzed and addressed in a structured way. The question remains to what extent, and in which way, such methods for risk management may be applied within the legal domain.

Currently not available

Modeling Compliance Risk: A structured approach

This article presents a structured and systematic approach for identifying and modelling compliance risks. The sophistication with which modern business is carried out and the unprecedented access to a global market means that businesses are exposed to increasing and diverse regulatory requirements in and across jurisdictions. Compliance with such requirements is practically challenging, partly due to the complexity of regulatory environments. One possibility in this regard is a risk-based approach to compliance, where resources are allocated to those compliance issues that are most risky. Despite the need for risk-based compliance, few specific methods and techniques for identifying and modelling compliance risks have been developed. Due to the lack of methodological and tool support, compliance risk identification often involves unstructured brainstorming, with uncertain outcomes. The proposed approach consists of a five-step process for the structured identification and assessment of compliance risks. This process aims at facilitating the identification of compliance risks and their documentation in a consistent and reusable fashion. As part of the process, the article provides a systematic approach for a graphical modelling of compliance risks, which aims at facilitating communication among experts from different backgrounds. The creation of graphical models can be partly automated based on natural language patterns for regulatory requirements. Furthermore, the structuring of the compliance requirement in a template aims at simplifying the modelling of compliance risks and facilitating a potential future automated model.

http://link.springer.com/article/10.1007/s10506-015-9174-x

Risk Management for Outsourcing to the Cloud

This short paper describes our ongoing research on security risk management for IT projects which might eventually benefit from outsourcing to external Cloud services. Choosing appropriate, secure enough Cloud services from multiple offers might be difficult. Hence, we are developing the Cloud Security Guide (CSG) to assist. It contains a specialized methodology for Cloud risk assessment, supporting in particular the extraction of security-relevant information from user contracts or terms and conditions of public Cloud services. Having discovered that many providers fail to communicate their safeguards, we also decided to develop a provider's guide for risk management and for the communication of risk treatments.

http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6983855

Utilizing Security Risk Analysis and Security Testing in the Legal Domain

In recent years, businesses have faced large regulatory fines as a result of information security breaches. This signifies the need for businesses to account for legal issues when addressing their information security risks and to ensure that their day-to-day business operations do not violate legal norms of relevance to information security, such as data privacy laws. This paper offers a twofold contribution to this issue. First, it proposes that organizations' security risk analysis should be accompanied by an assessment of the legal implications of identified security risks. This enables organizations to understand the associated legal risks they would face if the identified security risks were to materialize, and to prioritize the risks accordingly. Second, the paper underlines the need for security testing to support compliance checking. In particular, the use of conformance testing would enhance organizations' level of assurance regarding their compliance with legal norms of relevance to information security.

http://link.springer.com/chapter/10.1007%2F978-3-319-07076-6_4

Structuring Compliance Risk Identification Using CORAS: Compliance as an Asset

The global scale of modern business and information technology enables companies to trade across borders, but at the risk of being subject to laws in diverse jurisdictions. The regulatory requirements with which businesses have to comply are drastically increasing not only in sheer number but also in complexity, confronting businesses with the need to adapt to a complex, evolving regulatory environment. Crucial to a business's survival and profitability in such an environment are understanding and managing legal and compliance risks. This need has spurred significant recent interest in integrated governance, risk, and compliance (GRC) management. A central element in integrated GRC management is following a risk-based approach to compliance which prioritizes compliance requirements based on their level of risk. Despite the need for risk-based compliance, few specific methods or approaches for identifying compliance risks have been developed. This paper presents a structured method for identifying compliance risks from compliance requirements and the business environment.

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=6983853
 

Standards


ISO 31000

Link: http://www.iso.org/iso/home/standards/iso31000.htm
 

Tools


CORAS

The CORAS tool is an open source diagram editor that supports the CORAS risk analysis language. The CORAS language is a graphical language whose constructs correspond to notions that are relevant during a risk analysis, e.g. threats, vulnerabilities, risks, unwanted incidents, threat scenarios and assets. The CORAS tool is intended to be used intensively during workshops where information is gathered through structured brainstorming. The tool is also intended to be used to document a risk analysis and to present the risk analysis results. The CORAS tool is designed to support on-the-fly modeling using all five kinds of basic CORAS diagrams, thus facilitating the entire CORAS risk analysis process.

Usage guide: http://www.rasenproject.eu/downloads/834/
Download: http://coras.sourceforge.net