What's new in CAIRIS

What is in the latest CAIRIS update

It may not be obvious unless you follow commits on GitHub, but there have been several useful updates to CAIRIS in recent months. We summarise some of these below:

Installation via Vagrant

There are already several different ways of installing CAIRIS, but we’re always looking for opportunities to get people up and running with CAIRIS quickly. If you have Vagrant and VirtualBox, you can now install CAIRIS by doing little more than cloning the cairis repository, changing to the repository root directory, and typing vagrant up. Further details can be found here.

Support for STPA

STPA (System-Theoretic Process Analysis) is a hazard analysis technique that assumes accidents may be caused by unsafe interactions between system components, which may or may not have failed. Because CAIRIS supports concepts that are analogous to those used by STPA, we’ve made some changes to CAIRIS’ obstacle modelling capability to add support for eliciting losses and hazards, and added STPA-specific types to data flows (i.e. control and feedback), making it possible to model control actions. It’s also now possible to associate losses/hazards with such actions to model unsafe control actions, and we’ve introduced a new Control Structure model to CAIRIS.

Further details of CAIRIS’ STPA support can be found here.

Support for user goal modelling

CAIRIS has supported social goal modelling for some time via the ability to export data to jUCMNav. This makes it possible to visualise the impact of persona user goals on other aspects of the broader socio-technical environment. However, once exported, keeping jUCMNav models in sync with CAIRIS has always been a challenge. CAIRIS now has native support for modelling user goals. It’s even possible for CAIRIS to automatically generate partially completed Excel workbooks that make it easier to quickly create user goals, which can be re-imported back to CAIRIS.

Further details of CAIRIS’ support for user goal modelling can be found here.

Identifying tainted data flows

We added a number of new model validation checks to CAIRIS, including the ability to spot pre-process and post-process taint associated with data flow diagrams. Pre-process taint checks identify instances where means, motives, and opportunity are present for human errors and violations, and are performed on data flows going from human entities to processes contextualised as tasks. Post-process taint checks identify instances where exceptions resulting from processes are unresolved, and these exceptions impact information flowing from processes.

The theory behind this work was recently presented at GraMSec 2020, and is described in this presentation.


Interoperability with diagrams.net

diagrams.net (previously known as draw.io) is an easy-to-use, open source, online and desktop diagramming tool. Because we found that many asset models and DFDs start life as sketches in this tool, we’ve introduced the ability to import asset models and DFDs created in diagrams.net directly into CAIRIS. Check out the documentation for more guidance on how to do this.

More stability

As more people use CAIRIS, we find more opportunities to improve its stability and usability. As a result, we’re constantly making changes to make things more stable and more efficient. You can help us make CAIRIS even better by creating an issue for any problems you find, or any suggestions you have.