CERT
ISW'97 site

The Role of Architecture Analysis in Information Survivability

Position Paper for Information Survivability Workshop

by

Len Bass and Paul Clements
Software Engineering Institute
(ljb,pclement)@sei.cmu.edu

Whatever information survivability is, it must critically depend on the software architecture of the systems that process the information that must survive. It is therefore important to be able to analyze the architecture of a system for its ability to survive threats, its ability to be useful while surviving these threats, its ability to be modified to survive new threats and still be useful, and so on.

Analyzing an architecture depends on understanding for which qualities the architecture is to be analyzed. Each quality has its own evaluation technique. What is universal for all of the qualities, however, is that the qualities themselves are too vague. For example, how modifiable is a system for which the communication protocol can be changed simply but the addition of a new command is difficult? The same argument applies to reliability, performance, and security. In order to analyze an architecture for a particular quality, one must get below the quality to more specific characterizations.

We have developed the Software Architecture Analysis Method (SAAM) [1], a method for analyzing software architecture for developmental qualities such as modifiability. We are currently working on extending the analysis method to encompass other qualities. The basis of SAAM for the developmental qualities is the use of scenarios to capture the kinds of modifications that might be expected for the system under consideration. Scenarios are short and focused, such as "add a feature to highlight a specific field when the values are out of range" or "port the system to a new operating system". The implications of these specific scenarios can be tracked through the architecture to enable a prediction of the difficulty of making these modifications in the final system.

The same level of detail is necessary when analyzing for other qualities. When discussing reliability, for example, it is important to distinguish between the case where an incorrect answer is given and the case where no answer is given. If the concern is that no answer is given, then analyzing the architecture will focus on parallel, independent paths to a result. If the concern is that an incorrect answer is given, then a voting scheme needs to be in place.
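The distinction between the two reliability concerns can be made concrete with a small sketch. This is an added example, not part of the original paper; the replica functions and the names `first_available` and `majority_vote` are constructed for illustration.

```python
from collections import Counter

class NoAnswer(Exception):
    """A path produced no result at all (omission failure)."""

def first_available(replicas, x):
    """Parallel, independent paths: take the first result any path yields.
    Masks 'no answer' failures but trusts whatever value comes back."""
    for replica in replicas:
        try:
            return replica(x)
        except NoAnswer:
            continue
    raise NoAnswer("every path failed")

def majority_vote(replicas, x):
    """Voting scheme: accept a value only when a strict majority of all
    replicas (silent ones count against it) agree on that value."""
    results = []
    for replica in replicas:
        try:
            results.append(replica(x))
        except NoAnswer:
            pass  # a silent replica simply casts no vote
    if results:
        value, count = Counter(results).most_common(1)[0]
        if count > len(replicas) // 2:
            return value
    raise NoAnswer("no majority agreement")

# Constructed replicas: one healthy, one that gives no answer,
# one that gives an incorrect answer.
def correct(x):
    return x * x

def silent(x):
    raise NoAnswer("path unavailable")

def wrong(x):
    return x * x + 1

def demo():
    return {
        "failover_with_silent_path": first_available([silent, correct, correct], 7),
        "failover_with_wrong_path": first_available([wrong, correct, correct], 7),
        "vote_with_wrong_path": majority_vote([wrong, correct, correct], 7),
        "vote_with_silent_path": majority_vote([silent, correct, correct], 7),
    }
```

Failover alone returns the incorrect value when the faulty path answers first, while the voter masks it; with one wrong and one silent replica out of three, the voter refuses to answer rather than return an unconfirmed value.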

In summary, the ability to analyze an architecture for various qualities is important in determining how well a system will survive an information attack, and analyzing an architecture for different qualities depends on an understanding both of software architecture and of the particular qualities involved.

1. Kazman, R., Abowd, G., Bass, L., and Clements, P. "Scenario-Based Analysis of Software Architecture", to appear in IEEE Software, Nov. 1996.


