Software Verification and System Assurance, 2009
Cited by 5 (2 self)
Littlewood [1] introduced the idea that software may be possibly perfect and that we can contemplate its probability of (im)perfection. We review this idea and show how it provides a bridge between correctness, which is the goal of software verification (and especially formal verification), and the probabilistic properties such as reliability that are the targets for system-level assurance. We enumerate the hazards to formal verification, consider how each of these may be countered, and propose relative weightings that an assessor may employ in assigning a probability of perfection.
Engineering Safety-Critical Complex Systems
Cited by 3 (0 self)
Some of the complex systems with which the CoSMoS project is concerned are safety-critical, and if such systems are ever to be built and operated then they will need to be certified safe to operate. By looking at how conventional safety-critical systems are developed, we can find basic principles for safety-critical complex systems – this may be harder or easier than non-safety-specialists expect. In this paper, we outline current safety engineering methods and illustrate them using an artificial platelet case study. We also summarise our previous work on using simulation in safety engineering, and make some observations about applying simulation to very small systems.
Expert Assessment of Arguments: a Method and Its Experimental Evaluation
Cited by 1 (1 self)
Argument structures are commonly used to develop and present cases for safety, security and other properties. Such argument structures tend to grow excessively. To deal with this problem, appropriate methods of their assessment are required. Two objectives are of particular interest: (1) systematic and explicit assessment of the compelling power of an argument, and (2) communication of the result of such an assessment to relevant recipients. The paper gives details of a new method which deals with both problems. We explain how to issue assessments and how they can be aggregated depending on the types of inference used in arguments. The method is fully implemented in a software tool. Its application is illustrated by examples. The paper also includes the results of experiments carried out to validate and calibrate the method.
A Prospect Theory approach to Security
The correct control of security often depends on decisions under uncertainty. Using quantified information about risk, one may hope to achieve more precise control by making better decisions. We discuss and examine how Prospect Theory, the major descriptive theory of risky decisions, predicts such decisions will go wrong and whether such problems may be corrected.

1 Can security decisions go wrong? Security is both a normative and a descriptive problem. We would like to normatively follow how to make correct decisions about security, but also descriptively understand where security decisions may go wrong. According to Schneier [1], security risk is both a subjective feeling and an objective reality, and sometimes those two views differ so that we fail to act correctly. Assuming that people act on perceived rather than actual risks, we will sometimes do things we should avoid, and sometimes fail to act as we should. In security, people may both feel secure when they are not, and feel insecure when they are actually secure [1]. With the recent attempts in security that aim to quantify security properties, also known as security metrics, we are interested in
The Seventh Framework Programme State of the Art, 2009
Participant(s): All partners. Work package contributing to the deliverable: WP2. Nature: (not stated). Version: 2.0.

