The continuous rise of software complexity with increased functionality and accessibility of software and electronic components leads to an ever-growing demand for techniques to ensure software quality, dependability, reliability and security. For instance, the recent advancement of the Internet of Things constitutes new magnitudes of attack surfaces while having little resources to defeat security attacks. The risks that software systems do not meet their intended level of quality can have severe impact on vendors, customers and even – when it comes to critical systems and infrastructures - our daily life. The precise understanding of risks, as well as the focused treatment of risks, has become one of the corner stones for critical decision within complex social and technical environments.

Traditional approaches for ensuring system quality address risk implicitly rather than systematically. However, there is a growing interest in enhancing traditional approaches for ensuring system quality by taking risk systematically into account. For instance, traditional test approaches often address risks implicitly. Systems, functions, or modules, which are known to be critical, are tested more intensively than others. The basis of such kind of test planning is often a very simple and unstructured risk assessment, which is usually performed during or in the preparation of the test process. However, we know that humans are great in planning technical environments and processes, but often fail when it comes to the intuitive estimation of related risk.

This workshop addresses risk-based approaches for ensuring the quality of software and cyber-physical systems. We are interested in innovative techniques, tools, languages and methods from industry or research, that take risk into account in the process of assurance, compliance, validation, or testing of cyber-physical systems and software. We are interested in safety, security and reliability, and in particular the intersection between these areas. In this year's edition, contributions that address reliability or the Internet of Things are particularly encouraged.

Program Risk Workshop 2016, Tuesday October 18th, 9:00 – 17:30

9:00  – 10:00
Keynote (shared with ICTSS)
Arnaud Gotlieb: Constraint-Based Test Suite Optimization


10:30 – 12:00: Security Risk Management (Session 1)
Session chair: Jürgen Großmann

10:30 – 10:45
Welcome by Jürgen Großmann and Michael Felderer

10:45-11:10
Johannes Viehmann: Business Driven ICT Risk Management in the Banking Domain with RACOMAT

11:10- 11:35
Gencer Erdogan, Marit Natvig, Aida Omerovic and Isabelle C.R. Tardy: Towards Transparent Real-Time Privacy Risk Assessment of Intelligent Transport Systems

11:35 -12:00
Benjamin Aziz and Jeyong Jung: Check Your Blind Spots: A New Cyber-Security Metric for Measuring Incident Response Readiness

13:20 – 15:00: Security Risk Analysis (Session 2)
Session Chair: Michael Felderer

13:20 – 13:45
Pontus Johnson, Alexandre Vernotte, Dan Gorton, Mathias Ekstedt and Robert Lagerström: Quantitative Information Security Risk Estimation using Probabilistic Attack Graphs

13:45 – 14:10
Steve Muller, Carlo Harpes and Cédric Muller: Fast and Optimal Countermeasure Selection for Attack Defence Trees

14:10 – 14:35
Laurens Lemaire, Jan Vossaert, Bart De Decker and Vincent Naessens: An Assessment of Security Analysis Tools for Cyber-Physical Systems

14:35 – 15:00
Daniel Angermeier, Alexander Nieding and Jörn Eichler: Supporting risk assessment with the systematic identification, merging and validation of security goals

15:30 – 17:30: Risk-based Testing (Session 3)
Session chair: Jürgen Großmann

15:30 – 15:55
Gencer Erdogan and Ketil Stølen: Design Decisions in the Development of a Graphical Language for Risk-Driven Security Testing

15:55 – 16:20
Rudolf Ramler and Michael Felderer: Towards a Lightweight Approach for Estimating Probability in Risk-Based Software Testing

16:20 – 16:45
Martin Schneider and Marc-Florian Wendland: Gaining Certainty about Uncertainty Testing for Uncertainties of Cyber-Physical Systems at the Application Level

16:45 – 17:10
Michael Felderer, Florian Auer and Johannes Bergsmann: Risk Management during Development: Results of a Survey in Software Houses from Germany, Austria and Switzerland

17:10 – 17:30
Wrap up and next steps 

Accepted revised papers will be published as a post-proceedings in a special RISK 2016 Springer LNCS volume as it was for the RISK 2015 edition.

Program committee (to be completed):

•    Ina Schieferdecker (TU Berlin/Fraunhofer FOKUS, Germany)
•    Ketil Stolen (SINTEF ICT, Norway)
•    Ruth Breu (University of Innsbruck, Austria)
•    Ron Kenett (KPA Ltd. and Univ. of Torino, Italy)
•    Sardar Muhammad Sulaman (Lund University, Sweden)
•    Markus Schacher (KnowGravity Inc., Switzerland)
•    Rudolf Ramler (Software Competence Center Hagenberg, Austria)
•    Alessandra Bagnato (Softeam, France)
•    Kenji Taguchi (AIST, Japan)
•    Zhen Ru Dai (University of Applied Science Hamburg, Germany)
•    Fredrik Seehusen (SINTEF ICT, Norway)
•    Michael Felderer (University of Innsbruck, Austria)
•    Jürgen Großmann (Fraunhofer FOKUS, Germany)
•    Per Håkon Meland (SINTEF, Norway)
•    Luca Compagna (SAP Labs, France)
•    Fabio Martinelli (CNR-IIT Pisa, Italy)
•    Jörn Eichler (Fraunhofer AISEC, Germany)
•    Bruno Legeard (Femto-ST, France)
•    Xiaoying Bai (Tsinghua University, China) 

Organizers:

•   Jürgen Großmann (Fraunhofer FOKUS, Germany)
•   Michael Felderer (University of Innsbruck, Austria)

•   Fredrik Seehusen (SINTEF ICT, Norway)