Issue 7820: The treatment options should include "Accept" (uml-qos-ft-ftf)

Source: BAE SYSTEMS (Mr. Kevin Dockerill, kevin.dockerill@baesystems.com)
Nature: Enhancement
Severity: Minor
Summary: The treatment options should include "Accept" since some risk assessments will accept a risk. The treatment should include a rationale (e.g. why do you accept or transfer the risk).

Resolution:
Revised Text:
Definition of "TreatmentOption" in Section 11.1.5 is changed to:
"TreatmentOption: Main classes of providing treatment [5], and hence the relation between a treatment and the scenario it applies to. The options are
- Avoid: Decide not to carry on the activity that may lead to risks.
- ReduceConsequence: Reduce the impact on assets of the resulting risks.
- ReduceLikelihood: Reduce the frequency of the scenario leading to risks.
- Transfer: Involve other party bearing or sharing the resulting risks.
- Retain: Keep the resulting risks."
This also means changes in the metamodel, in the profile and in the example.

Changes in Figure 11-4.
Changes to the text on pages 46-47:
Second paragraph is removed.
"ThreatAgent" changed to "Threat"
Added definition: "IncidentScenario: A scenario leading to an unwanted incident"
In definition of "Initiate": "unwanted incident" changed to "scenario"

Section 11.1.5
Changes to Figure 11-6:
Changes to text on page 49:
Definition of "Treatment" changed to: "Treatment: Ways of treating scenarios leading to risks."

Section 11.2.1
Changes to Figure 11-8:
Changes to text on page 49:
"Ownership" is changed to "Interest"

Section 11.2.2
Changes to Figure 11-9:
Changes to text on page 51:
Text is changed to: "As seen in Figure 11-9, SWOTElement and EnterpriseAsset are modeled as Classifier"

Section 11.2.3
Changes to Figure 11-10:
Changes to text on page 51:
Text is changed to: "The subprofile for unwanted incidents is shown in Figure 11-10. As the acting part Threat is modeled as Actor and ThreatScenario, as the behavioral aspect, is modeled as UseCase. IncidentScenario, which also represents behavior, is also modeled as UseCase, while UnwantedIncident is not given an explicit representation. Initiate is represented by DirectedRelationship. Vulnerabilities may be seen as (unwanted) features of the assets they apply to, and are modeled as Feature."

Actions taken:
September 30, 2004: received issue
March 8, 2006: closed issue

Discussion: Treatment option "Retain" added. Rationale should be treated as other "textual elements", see comments on issues 7813 and 7818.

End of Annotations:=====

From: webmaster@omg.org
Date: 30 Sep 2004 06:34:09 -0400
To:
Subject: Issue/Bug Report
--------------------------------------------------------------------------------
Name: Kevin Dockerill
Company: BAE SYSTEMS, Warton, Lancs UK
mailFrom: Kevin.dockerill@baesystems.com
Notification: No
Specification: UML Profile for Modeling Quality of Service and Fault Tolerance Characteristics and Mechanisms
Section: fig. 12-6
FormalNumber: Ptc/2004-06-01
Version: Draft
RevisionDate: 7/21/2004
Page: 57
Nature: Enhancement
Severity: Minor
HTTP User Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description
The treatment options should include "Accept" since some risk assessments will accept a risk. The treatment should include a rationale (e.g. why do you accept or transfer the risk).