% Compile from the repository root: % TEXINPUTS=tex/latex//: pdflatex examples/corasdiagram-demo.tex \documentclass[a4paper]{article} \usepackage[margin=18mm]{geometry} \usepackage{corasdiagram} \pagestyle{empty} \begin{document} \section*{CORAS Diagram Package Demo} \subsection*{1. Asset Diagram} \begin{figure}[h] \centering \begin{corasassetdiagram}[x=1cm,y=1cm] \corasstakeholder[ name=management, scope=asset-scope, title={Stakeholder} ] \corasindirectasset[ name=reputation, scope=asset-scope, title={Indirect\\Asset} ] \corasasset[ name=privacy, scope=asset-scope, title={Asset}, below of=reputation, vertical gap=18mm ] \corasasset[ name=availability, scope=asset-scope, title={Supporting\\Asset}, right of=privacy, horizontal gap=22mm ] \corasscope[ name=asset-box, scope=asset-scope, kind=asset-scope, stakeholder=management, stakeholder corner=left ] \corasrelates[from=privacy,to=reputation] \corasrelates[from=availability,to=reputation] \end{corasassetdiagram} \caption{Asset diagram} \end{figure} \subsection*{2. Threat Diagram} \begin{center} \begin{corasthreatdiagram}[x=1cm,y=1cm] \corasthreataccidental[ name=employee, order=1, title={Employee} ] \corasvulnerability[ name=oldweb, order=1, title={Old version of\\webserver} ] \corasscenario[ name=serverinfected, order=1, title={Servers infected\\by malicious code}, meta={1 per year} ] \corasunwantedincident[ name=disc, order=1, title={1. Disclosure\\of data}, meta={1 per year} ] \corasasset[ name=gdi1a, order=1, title={GDI1. Data\\privacy} ] \corasthreatnonhuman[ name=infra, order=2, title={IT-infrastructure} ] \corasvulnerability[ name=poorbackup, order=2, title={Poor backup\\solution} ] \corasscenario[ name=dbfail, order=2, title={Database fails to switch\\to backup}, meta={1 per year} ] \corasunwantedincident[ name=unavail, order=2, title={3. Unavailability\\of application} ] \corasasset[ name=cm3a, order=2, title={CM3. Application\\availability} ] \corascauses[from=employee,to=oldweb] \corascauses[from=oldweb,to=serverinfected] \corascauses[from=serverinfected,to=disc] \corasrelates[from=disc,to=gdi1a] \corascauses[from=infra,to=poorbackup] \corascauses[from=poorbackup,to=dbfail] \corascauses[from=dbfail,to=unavail] \corasrelates[from=unavail,to=cm3a] \end{corasthreatdiagram} \end{center} \subsection*{3. Risk Diagram} \begin{center} \begin{corasriskdiagram}[x=1cm,y=1cm] \corasthreataccidental[ name=employee2, title={Employee}, order=1 ] \corasthreatnonhuman[ name=infra2, title={IT-infrastructure}, order=2 ] \corasrisk[ name=r11, title={1.1 Disclosure\\of data}, meta={1 per year}, level=medium, order=1 ] \corasrisk[ name=r12, title={1.2 Service\\degradation}, meta={1 per 6 months}, level=low, order=2 ] \corasrisk[ name=r22, title={2.2 Unavailability\\of application}, meta={1 per year}, level=major, order=3 ] \corasasset[ name=gdi1b, title={GDI1. Data\\privacy}, order=1 ] \corasasset[ name=cm2b, title={CM2. Service\\quality}, order=2 ] \corasasset[ name=cm3b, title={CM3. Application\\availability}, order=3 ] \corascauses[from=employee2,to=r11] \corascauses[from=employee2,to=r12] \corascauses[from=infra2,to=r22] \corasrelates[from=r11,to=gdi1b] \corasrelates[from=r12,to=cm2b] \corasrelates[from=r22,to=cm2b] \corasrelates[from=r22,to=cm3b,route=hv] \end{corasriskdiagram} \end{center} \subsection*{4. Treatment Diagram} \begin{center} \begin{corastreatmentdiagram}[x=1cm,y=1cm] \corasthreataccidental[ name=employee3, order=1, title={Employee} ] \corasvulnerability[ name=oldweb3, order=1, title={Old version of\\webserver} ] \corasscenario[ name=serverinfected3, order=1, title={Servers infected\\by malicious code}, meta={1 per year} ] \corasunwantedincident[ name=disc3, order=1, title={Disclosure\\of data}, meta={1 per year} ] \corasasset[ name=gdi1c, order=1, title={GDI1. Data\\privacy} ] \corastreatment[ name=tawareness, title={Increase awareness\\of security risks}, order=1 ] \corastreatment[ name=tupgrade, title={Upgrade\\server}, order=2 ] \corastreatment[ name=tlimit, title={Limit remote\\access}, order=3 ] \corascauses[from=employee3,to=oldweb3] \corascauses[from=oldweb3,to=serverinfected3] \corascauses[from=serverinfected3,to=disc3] \corasrelates[from=disc3,to=gdi1c] \corasriskref[ name=rr11, from=disc3, to=gdi1c, label={Risk 1.1} ] \corastreats[from=tawareness,to=employee3] \corastreats[from=tupgrade,to=oldweb3] \corastreats[from=tlimit,to=serverinfected3] \end{corastreatmentdiagram} \end{center} \subsection*{5. Treatment Overview Diagram} \begin{center} \begin{corastreatmentoverviewdiagram}[x=1cm,y=1cm] \corasrisk[ name=or11, title={1.1 Disclosure\\of data}, meta={direct asset}, level=unacceptable, order=1 ] \corasrisk[ name=or22, title={2.2 Unavailability\\of application}, meta={direct asset}, level=acceptable, order=2 ] \corasasset[ name=gdi1d, order=1, title={GDI1. Data\\privacy} ] \corasasset[ name=cm3d, order=2, title={CM3. Application\\availability} ] \corasjunction[name=joverview] \corastreatment[ name=otlimit, title={Limit access\\to network}, order=1 ] \corastreatment[ name=otaware, title={Increase awareness\\of security risks}, order=2 ] \corastreatment[ name=otupgrade, title={Upgrade\\server}, order=3 ] \corasrelates[from=or11,to=gdi1d] \corasrelates[from=or22,to=cm3d] \corastreats[from=otlimit,to=joverview] \corastreats[from=otaware,to=joverview] \corastreats[from=otupgrade,to=joverview] \corastreats[from=joverview,to=or11] \corastreats[from=joverview,to=or22] \end{corastreatmentoverviewdiagram} \end{center} \end{document}