RiskREP: Risk-Based Security Requirements Elicitation and Prioritization

Andrea Herrmann, A. Morali, Sandro Etalle, Roelf J. Wieringa

Abstract

Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement "good-enough security" but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.
Original language: Undefined
Title of host publication: Perspectives in Business Informatics Research
Editors: Laila Niedrite, Renate Strazdina, Benkt Wangler
Place of Publication: Berlin
Publisher: Springer Verlag
Pages: 155-162
Number of pages: 8
ISBN (Print): 978-9984-30-197-6
State: Published - 6 Oct 2011

Publication series

Name: Lecture Notes in Business Information Processing
Publisher: Springer Verlag
Number: 106
ISSN (Print): 1865-1348

Keywords

  • METIS-278771
  • IR-78045
  • Prioritization
  • Elicitation
  • Requirements
  • SCS-Cybersecurity
  • Risk-Based
  • RiskREP
  • EWI-20462
  • SCS-Services
  • Security

Cite this

Herrmann, A., Morali, A., Etalle, S., & Wieringa, R. J. (2011). RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. In L. Niedrite, R. Strazdina, & B. Wangler (Eds.), Perspectives in Business Informatics Research (pp. 155-162). (Lecture Notes in Business Information Processing; No. 106). Berlin: Springer Verlag.

Herrmann, Andrea; Morali, A.; Etalle, Sandro; Wieringa, Roelf J. / RiskREP: Risk-Based Security Requirements Elicitation and Prioritization.

Perspectives in Business Informatics Research. ed. / Laila Niedrite; Renate Strazdina; Benkt Wangler. Berlin : Springer Verlag, 2011. p. 155-162 (Lecture Notes in Business Information Processing; No. 106).

Research output: Chapter (Scientific)

@inbook{76cd81e30e514a94bcf6a31700f9ce9b,
title = "RiskREP: Risk-Based Security Requirements Elicitation and Prioritization",
abstract = "Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement ``good-enough security'' but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.",
keywords = "METIS-278771, IR-78045, Prioritization, Elicitation, Requirements, SCS-Cybersecurity, Risk-Based, RiskREP, EWI-20462, SCS-Services, Security",
author = "Andrea Herrmann and A. Morali and Sandro Etalle and Wieringa, {Roelf J.}",
year = "2011",
month = "10",
isbn = "978-9984-30-197-6",
series = "Lecture Notes in Business Information Processing",
publisher = "Springer Verlag",
number = "106",
pages = "155--162",
editor = "Laila Niedrite and Renate Strazdina and Benkt Wangler",
booktitle = "Perspectives in Business Informatics Research",

}

Herrmann, A, Morali, A, Etalle, S & Wieringa, RJ 2011, RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. in L Niedrite, R Strazdina & B Wangler (eds), Perspectives in Business Informatics Research. Lecture Notes in Business Information Processing, no. 106, Springer Verlag, Berlin, pp. 155-162.

RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. / Herrmann, Andrea; Morali, A.; Etalle, Sandro; Wieringa, Roelf J.

Perspectives in Business Informatics Research. ed. / Laila Niedrite; Renate Strazdina; Benkt Wangler. Berlin : Springer Verlag, 2011. p. 155-162 (Lecture Notes in Business Information Processing; No. 106).

Research output: Chapter (Scientific)

TY - CHAP

T1 - RiskREP: Risk-Based Security Requirements Elicitation and Prioritization

AU - Herrmann,Andrea

AU - Morali,A.

AU - Etalle,Sandro

AU - Wieringa,Roelf J.

PY - 2011/10/6

Y1 - 2011/10/6

N2 - Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement "good-enough security" but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.

AB - Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement "good-enough security" but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.

KW - METIS-278771

KW - IR-78045

KW - Prioritization

KW - Elicitation

KW - Requirements

KW - SCS-Cybersecurity

KW - Risk-Based

KW - RiskREP

KW - EWI-20462

KW - SCS-Services

KW - Security

M3 - Chapter

SN - 978-9984-30-197-6

T3 - Lecture Notes in Business Information Processing

SP - 155

EP - 162

BT - Perspectives in Business Informatics Research

PB - Springer Verlag

ER -

Herrmann A, Morali A, Etalle S, Wieringa RJ. RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. In Niedrite L, Strazdina R, Wangler B, editors, Perspectives in Business Informatics Research. Berlin: Springer Verlag. 2011. p. 155-162. (Lecture Notes in Business Information Processing; 106).