RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version)

Andrea Herrmann, A. Morali

Research output: Book/Report › Report

Abstract

Today, companies are required to be in control of the security of their IT assets. This is especially challenging in the presence of limited budgets and conflicting requirements. Here, we present Risk-Based Requirements Elicitation and Prioritization (RiskREP), a method for managing IT security risks by combining the results of a top-down requirements analysis with a bottom-up threat analysis. Top-down, it prioritizes security goals and from there derives verifiable requirements. Bottom-up, it analyzes architectures in order to identify security risks in the form of critical components. Linking these critical components to security requirements helps to analyze the effects of these requirements on business goals, and to prioritize security requirements. The security requirements are also the basis for deriving test cases for security analysis and compliance monitoring.
Language: Undefined
Place of Publication: Enschede
Publisher: Centre for Telematics and Information Technology (CTIT)
Number of pages: 19
State: Published - 31 Aug 2010

Publication series

Name: CTIT Technical Report Series
Publisher: University of Twente, Centre for Telematics and Information Technology
No.: TR-CTIT-10-28
ISSN (Print): 1381-3625

Keywords

  • METIS-271001
  • EWI-18342
  • RISK ASSESSMENT
  • Security requirements engineering
  • IR-72721

Cite this

Herrmann, A., & Morali, A. (2010). RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version). (CTIT Technical Report Series; No. TR-CTIT-10-28). Enschede: Centre for Telematics and Information Technology (CTIT).
Herrmann, Andrea; Morali, A. / RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version). Enschede: Centre for Telematics and Information Technology (CTIT), 2010. 19 p. (CTIT Technical Report Series; TR-CTIT-10-28).

Herrmann, A & Morali, A 2010, RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version). CTIT Technical Report Series, no. TR-CTIT-10-28, Centre for Telematics and Information Technology (CTIT), Enschede.



Herrmann A, Morali A. RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version). Enschede: Centre for Telematics and Information Technology (CTIT), 2010. 19 p. (CTIT Technical Report Series; TR-CTIT-10-28).