
EEMCS EPrints Service

18595 Model-based Qualitative Risk Assessment for Availability of IT Infrastructures

Zambon, Emmanuele and Etalle, S. and Wieringa, R.J. and Hartel, P.H. (2011) Model-based Qualitative Risk Assessment for Availability of IT Infrastructures. Software and Systems Modeling, 10 (4). pp. 553-580. ISSN 1619-1366 *** ISI Impact 0,990 ***

This is the latest version of this eprint.

Open Access



For today’s organisations, having a reliable information system is crucial to safeguard enterprise revenues (think of on-line banking, reservations for e-tickets etc.). Such a system must often offer high guarantees in terms of its availability; in other words, to guarantee business continuity, IT systems can afford very little downtime. Unfortunately, making an assessment of IT availability risks is difficult: incidents affecting the availability of a marginal component of the system may propagate in unexpected ways to other more essential components that functionally depend on them. General-purpose risk assessment (RA) methods do not provide technical solutions to deal with this problem. In this paper we present the qualitative time dependency (QualTD) model and technique, which is meant to be employed together with standard RA methods for the qualitative assessment of availability risks based on the propagation of availability incidents in an IT architecture. The QualTD model is based on our previous quantitative time dependency (TD) model (Zambon et al. in BDIM ’07: Second IEEE/IFIP international workshop on business-driven IT management. IEEE Computer Society Press, pp 75–83, 2007), but provides more flexible modelling capabilities for the target of assessment. Furthermore, the previous model required quantitative data which is often too costly to acquire, whereas QualTD applies only qualitative scales, making it more applicable to industrial practice. We validate our model and technique in a real-world case by performing a risk assessment on the authentication and authorisation system of a large multinational company and by evaluating the results with respect to the goals of the stakeholders of the system. We also perform a review of the most popular standard RA methods and discuss which type of method can be combined with our technique.

Item Type: Article
Research Group: EWI-IS: Information Systems, EWI-DIES: Distributed and Embedded Security
Research Program: CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project: PROSECCO: Next Generation Protection and Security of Content
Uncontrolled Keywords: Information risk management, Risk assessment, Availability, Information security, System modelling
ID Code: 18595
Deposited On: 17 October 2010
ISI Impact Factor: 0,990