RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version)

Andrea Herrmann, A. Morali

    Research output: Book/ReportReportProfessional

    371 Downloads (Pure)


    Today, companies are required to be in control of the security of their IT assets. This is especially challenging in the presence of limited budgets and conflicting requirements. Here, we present Risk-Based Requirements Elicitation and Prioritization (RiskREP), a method for managing IT security risks by combining the results of a top-down requirements analysis with a bottom-up threat analysis. Top-down, it prioritizes security goals and from there derives verifiable requirements. Bottom-up, it analyzes architectures in order to identify security risks in the form of critical components. Linking these critical components to security requirements helps to analyze the effects of these requirements on business goals, and to prioritize security requirements. The security requirements also are the basis for deriving test cases for security analysis and compliance monitoring.
    Original languageUndefined
    Place of PublicationEnschede
    PublisherCentre for Telematics and Information Technology (CTIT)
    Number of pages19
    Publication statusPublished - 31 Aug 2010

    Publication series

    NameCTIT Technical Report Series
    PublisherUniversity of Twente, Centre for Telematics and Information Technology
    ISSN (Print)1381-3625


    • METIS-271001
    • EWI-18342
    • Security requirements engineering
    • IR-72721

    Cite this