Ensuring Dependability in Socio-Technical System by Risk Analysis

Yudistira Asnar
Department of ICT, University of Trento, via Sommarive 14, Trento, Italy
[email protected]

Paolo Giorgini
Department of ICT, University of Trento, via Sommarive 14, Trento, Italy
[email protected]

Abstract

Organizations and individuals are becoming more and more dependent on computer systems to achieve their goals and to deliver their responsibilities. This introduces at design time the need to consider humans as part of the system, and consequently dependability becomes a critical issue to take into consideration during the development of the system. Traditionally, dependability is measured in terms of availability, reliability, and integrity of the system. However, in this new scenario the dependability of a software system has to be closely related to the organizational setting where the system will operate. In this paper, we briefly introduce a framework, based on the Tropos methodology, to model and analyse risk and to assess the dependability of a system in a particular organizational setting. The framework supports the analyst in eliciting the countermeasures necessary to mitigate risks and, consequently, to ensure the dependability of the system within a certain level of risk.

1. Introduction

Dependability has already become a major criterion, together with security, for representing the quality of a system. In [2], Avizienis et al. define dependability as an integrating concept that encompasses availability, reliability, safety, integrity, and maintainability of a system. All those concepts overlap in one respect: they are threatened by the existence of malicious and uncertain events (e.g., fault, error, attack, threat, and hazard). Dependability in socio-technical systems (i.e., systems where humans and organizations are part of the system itself) is even more complicated to analyse and assess, because here organization, individuals, and system (e.g., a computer system) relate to one another to achieve their goals and deliver their responsibilities. Moreover, the socio-technical model extends dependability considerations to human and social aspects besides the technical one. Tropos [3], particularly its goal model framework [5, 6], proposes a formal way of doing requirements analysis that has proven effective in modelling an organizational setting in terms of stakeholders' goals, dependencies among stakeholders (social actors), and dependencies between stakeholders and the system-to-be (system actor). Tropos categorizes dependencies into three types: an actor (depender) depends on another (dependee) for goals (dependum) to be fulfilled, tasks to be performed, and resources to be furnished¹. In this paper, we propose a framework to analyse the impacts of uncertain events on the goals and to elicit the treatments necessary to mitigate those events such that their impacts are below certain levels defined by the stakeholders. In the next section we briefly explain the idea, while the detailed framework and the steps for analysis are reported in [1].

2. Goal-Risk Framework

Our framework consists of three layers of analysis (Fig. 1), i.e., goal, event, and treatment, inspired by Defect Detection and Prevention (DDP) [4]. Each layer is constructed from several trees, and the layers relate to one another through contribution relations. In the goal layer, the analyst refines (by AND or OR decomposition) the stakeholders' goals and the goals that the other actors depend on, until they are tangible (i.e., there is an actor that can fulfil them). For instance, in Fig. 1 the goal reach location of Accident&Emergency (A&E) in time (G1) is OR-decomposed into distribute ambulances all over the area (G3) or dispatch A&E report to the closest ambulance (G4), s.t. the fulfilment of one of them implies the fulfilment of G1. Moreover, goal analysis allows the analyst to model the influence of the satisfaction (or denial) of a goal on the satisfaction (or denial) of other goals using contribution relations (e.g., positive or negative). Dispatching the closest ambulance (G4) contributes negatively to the achievement of allocating the proper ambulance (G2) (i.e., a contribution relation G4 → G2 labelled −), because it is possible that the closest ambulance does not suit the accident. In [6], the authors demonstrate how to choose leaf-goals such that they satisfy the stakeholders' goals at minimum cost.

In the event layer, the analyst defines uncertain events² that could impact the goal layer, especially negatively. The impact level of an event on the goal layer is denoted by the sign of a contribution relation (Fig. 1); in the qualitative framework we distinguish four levels (i.e., +, ++, −, −−). For instance, in Fig. 1 indiscipline&lazy ambulance crew (E5) obstructs the achievement of allocating proper ambulance (G2). Events can then be analysed further using decomposition and contribution relations, with the same intuition as in the goal layer: mass accident (E3) agitates the occurrence of unavailable proper ambulance (E4) and unidentified traffic jam (E8).

In the treatment layer, the analyst elicits alternative treatments that could be applied to mitigate the risks of the system. The same analysis as in the event layer can also be done in the treatment layer: applying double dispatch for each A&E (T1) reduces the likelihood of having ambulance failure after dispatching (E8), because there are at least two ambulances assigned to handle an A&E. Since we define risk with two mandatory properties (i.e., likelihood and severity), a treatment can mitigate a risk in two ways, by reducing the likelihood or the severity, and a treatment has a cost. The framework [1] reasons over the model by doing cost-benefit analysis to elicit a set of solutions such that it satisfies the stakeholders' goals and has minimum cost.

¹ We explain the framework in terms of goals, but the same principle also holds for tasks and resources.
² A risk is defined as an uncertain event with negative impact, and an opportunity as one with positive impact.

Figure 1. London Amb. Serv. Case Study [7]

3. Conclusion

In this work, we present a modelling framework to analyse and assess the dependability of a socio-technical system. The framework puts emphasis on dependability at the organizational level, not only at the system level, because we argue that the dependability of a system is closely related to the organizational setting where the system will operate. Following the process introduced in [1], the analyst can perform risk and trade-off analysis and end by eliciting the leaf-goals needed to satisfy the stakeholders' goals and the countermeasures necessary to mitigate risks. The process also incorporates minimal-cost analysis to choose among different possible solutions. The framework has been implemented as an extension of the GR-Tool³ developed within the Tropos project, with the capability of drawing and analysing goal-risk models.
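The three-layer analysis of Section 2 (AND/OR goal decomposition, the four contribution levels, events with a likelihood and an impact on goals, treatments that lower either likelihood or severity, and minimum-cost selection of leaf-goals plus treatments), worked through as an added example. This is illustration code written for this page, not the paper's GR-Tool or the reasoning of [1]: it uses a simplified qualitative label scheme (N, P, F for none/partial/full, with "+" raising a label at most to P and "++" fully, in the spirit of [5]) over a fragment of the Fig. 1 case study. E8 is taken as ambulance failure after dispatching, as in the treatment-layer paragraph; the likelihoods, the costs, the treatment T2 and the impact edges E4→G2 and E8→G1 are constructed assumptions, not values from the paper.

```python
"""Qualitative Goal-Risk evaluation over a three-layer model (added example, not the paper's tool)."""
from itertools import product

N, P, F = 0, 1, 2                              # labels: None / Partial / Full (assumed scheme)
LABEL = {N: "N", P: "P", F: "F"}
LEVEL = {"+": 1, "++": 2, "-": 1, "--": 2}     # the paper's four contribution levels


class GoalRiskModel:
    def __init__(self):
        self.nodes = {}      # id -> dict(layer, dec, children, cost, likelihood)
        self.contrib = []    # (src, dst, sign); dst is a node id or an (event, goal) impact pair

    def add(self, nid, layer, dec=None, children=(), cost=0, likelihood=N):
        self.nodes[nid] = dict(layer=layer, dec=dec, children=list(children),
                               cost=cost, likelihood=likelihood)

    def contribute(self, src, dst, sign):
        self.contrib.append((src, dst, sign))

    def leaves(self, layer):
        return sorted(n for n, d in self.nodes.items()
                      if d["layer"] == layer and not d["children"])

    def value(self, nid, chosen):
        """SAT label of a goal/treatment, or likelihood label of an event, given the chosen leaves."""
        node = self.nodes[nid]
        if node["children"]:                         # AND needs every child, OR needs one
            vals = [self.value(k, chosen) for k in node["children"]]
            v = min(vals) if node["dec"] == "AND" else max(vals)
        elif node["layer"] == "event":
            v = node["likelihood"]
        else:
            v = F if nid in chosen else N
        for src, dst, sign in self.contrib:
            if dst != nid:
                continue
            s = self.value(src, chosen)
            if sign in ("+", "++"):                  # "+" raises the label at most to P, "++" fully
                v = max(v, s if sign == "++" else min(s, P))
            elif node["layer"] == "event" and self.nodes[src]["layer"] == "treatment" and s == F:
                v = max(N, v - LEVEL[sign])          # a selected treatment lowers the likelihood
        return v

    def denial(self, goal, chosen):
        """DEN label of a goal: pressure from negative goal contributions and from events."""
        d = N
        for src, dst, sign in self.contrib:
            if dst != goal or sign not in ("-", "--") or self.nodes[src]["layer"] == "treatment":
                continue
            lvl = LEVEL[sign]
            if self.nodes[src]["layer"] == "event":  # a treatment on the impact pair lowers severity
                for t, tgt, tsign in self.contrib:
                    if tgt == (src, goal) and self.value(t, chosen) == F:
                        lvl -= LEVEL[tsign]
            if lvl > 0:
                s = self.value(src, chosen)
                d = max(d, s if lvl >= 2 else min(s, P))
        node = self.nodes[goal]
        if node["children"]:                         # AND is denied by any child, OR only by all
            vals = [self.denial(k, chosen) for k in node["children"]]
            d = max(d, max(vals) if node["dec"] == "AND" else min(vals))
        return d

    def evaluate(self, chosen, tops):
        """(SAT, DEN) labels of the top goals plus the total cost of the chosen leaves/treatments."""
        labels = {g: (LABEL[self.value(g, chosen)], LABEL[self.denial(g, chosen)]) for g in tops}
        return labels, sum(self.nodes[n]["cost"] for n in chosen)

    def cheapest(self, tops, max_den):
        """Min-cost set of leaf goals and treatments that fully satisfies tops with DEN <= max_den."""
        candidates = self.leaves("goal") + self.leaves("treatment")
        best = None
        for bits in product((0, 1), repeat=len(candidates)):
            chosen = {c for c, b in zip(candidates, bits) if b}
            ok = all(self.value(g, chosen) == F and self.denial(g, chosen) <= max_den for g in tops)
            cost = sum(self.nodes[n]["cost"] for n in chosen)
            if ok and (best is None or cost < best[1]):
                best = (chosen, cost)
        return best


def london_ambulance_model():
    """Fragment of the paper's Fig. 1 case study. Likelihoods, costs, treatment T2 and the
    impact edges E4->G2 and E8->G1 are constructed for this example, not taken from the paper."""
    m = GoalRiskModel()
    m.add("G1", "goal", dec="OR", children=["G3", "G4"])  # reach A&E location in time
    m.add("G3", "goal", cost=8)                           # distribute ambulances all over the area
    m.add("G4", "goal", cost=2)                           # dispatch A&E report to closest ambulance
    m.add("G2", "goal", cost=1)                           # allocate proper ambulance
    m.add("E3", "event", likelihood=F)                    # mass accident (worst case: assumed certain)
    m.add("E4", "event")                                  # unavailable proper ambulance
    m.add("E8", "event")                                  # ambulance failure after dispatching
    m.add("E5", "event", likelihood=P)                    # indiscipline & lazy ambulance crew
    m.add("T1", "treatment", cost=3)                      # double dispatch for each A&E
    m.add("T2", "treatment", cost=2)                      # hypothetical: standby reserve ambulance
    m.contribute("G4", "G2", "-")          # closest ambulance may not suit the accident
    m.contribute("E3", "E4", "++")         # mass accident agitates E4 and E8
    m.contribute("E3", "E8", "++")
    m.contribute("E5", "G2", "-")          # E5 obstructs G2
    m.contribute("E4", "G2", "-")          # assumed impact edge
    m.contribute("E8", "G1", "--")         # assumed impact edge
    m.contribute("T1", "E8", "--")         # T1 lowers the likelihood of E8
    m.contribute("T2", ("E8", "G1"), "-")  # T2 lowers the severity of E8's impact on G1
    return m


if __name__ == "__main__":
    m = london_ambulance_model()
    for chosen in ({"G4", "G2"}, {"G4", "G2", "T1"}, {"G4", "G2", "T2"}):
        print(sorted(chosen), *m.evaluate(chosen, ["G1", "G2"]))
    print("cheapest with DEN <= P:", m.cheapest(["G1", "G2"], P))
```

Running it shows the two mitigation routes side by side: with only G4 and G2 selected, G1 is fully satisfied but fully denied by E8; adding T1 removes the likelihood of E8 entirely (DEN of G1 drops to N), while the severity-reducing T2 only caps the damage at P. The exhaustive search in `cheapest` plays the role of the cost-benefit reasoning of [1] on this toy model; with the risk threshold set to P the cheapest solution is {G2, G4, T2}, and with threshold N no solution exists because E5 always leaves a partial denial on G2 that no modelled treatment addresses.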

Acknowledgement

This work has been partly supported by the projects EU-IST-IP SERENITY 27587, FIRB-ASTRO RBNE0195K5 004, and PAT-FU-MOSTRO n. 35 (D.P.G.P. 1587 - date: 09/07/2004).

References

[1] Y. Asnar, P. Giorgini, and J. Mylopoulos. Risk Modelling and Reasoning in Goal Models. Technical Report DIT-06-008, DIT - University of Trento, February 2006.
[2] A. Avizienis, J.-C. Laprie, B. Randell, and C. E. Landwehr. Basic Concepts and Taxonomy of Dependable and Secure Computing. IEEE Trans. Dependable Sec. Comput., 1(1):11–33, 2004.
[3] P. Bresciani, A. Perini, P. Giorgini, F. Giunchiglia, and J. Mylopoulos. Tropos: An Agent-Oriented Software Development Methodology. Autonomous Agents and Multi-Agent Systems, 8(3):203–236, 2004.
[4] M. S. Feather, S. L. Cornford, K. A. Hicks, and K. R. Johnson. Applications of tool support for risk-informed requirements reasoning. Computer Systems Science & Engineering, 20(1):5–17, January 2005.
[5] P. Giorgini, J. Mylopoulos, E. Nicchiarelli, and R. Sebastiani. Formal Reasoning Techniques for Goal Models. Journal of Data Semantics, October 2003.
[6] P. Giorgini, J. Mylopoulos, and R. Sebastiani. Simple and Minimum-Cost Satisfiability for Goal Models. In CAiSE '04: Proceedings of the International Conference on Advanced Information Systems Engineering, volume 3084, pages 20–33. Springer, June 2004.
[7] LAS. London Ambulance Service - official website. http://www.londonambulance.nhs.uk/, April 2006.

³ http://sesa.dit.unitn.it/goaleditor/
