Risk and Business Goal Based Security Requirement and Countermeasure Prioritization

Andrea Herrmann, A. Morali, Sandro Etalle, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceeding, Chapter, Academic, peer-review

    7 Citations (Scopus)
    263 Downloads (Pure)


    Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security” but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are a way to achieve consensus without being able to provide justifications of countermeasures in terms of business goals. But such justifications are needed to operate securely and effectively in networked businesses. In this paper, we first compare a Risk-Based Requirements Prioritization method (RiskREP) with some requirements engineering and risk assessment methods based on their requirements elicitation and prioritization properties. RiskREP extends misuse case-based requirements engineering methods with IT architecture-based risk assessment and countermeasure definition and prioritization. Then, we present how RiskREP prioritizes countermeasures by linking business goals to countermeasure specification. Prioritizing countermeasures based on business goals is especially important to provide the stakeholders with structured arguments for choosing a set of countermeasures to implement. We illustrate RiskREP and how it prioritizes the countermeasures it elicits by an application to an action case.
    Original language: Undefined
    Title of host publication: Workshops on Business Informatics Research (BIR 2011)
    Editors: Laila Niedrite, Renate Strazdina, Benkt Wangler
    Place of Publication: London
    Number of pages: 13
    ISBN (Print): 978-3-642-29230-9
    Publication status: Published - May 2012
    Event: Workshops on Business Informatics Research, BIR 2011 - Riga, Latvia
    Duration: 6 Oct 2011 - 8 Oct 2011

    Publication series

    Name: Lecture Notes in Business Information Processing
    Publisher: Springer Verlag
    ISSN (Print): 1865-1348


    Workshop: Workshops on Business Informatics Research, BIR 2011
    Other: 6-8 October 2011


    • IR-80250
    • METIS-287844
    • Non-Functional Requirements
    • Security
    • SCS-Cybersecurity
    • Misuse Cases
    • EWI-21259
    • Prioritization
    • SCS-Services
    • IT architecture
