RiskREP: Risk-Based Security Requirements Elicitation and Prioritization

Andrea Herrmann; A. Morali; Sandro Etalle; Roelf J. Wieringa

RiskREP: Risk-Based Security Requirements Elicitation and Prioritization

Andrea Herrmann, A. Morali, Sandro Etalle, Roelf J. Wieringa

Research output: Chapter in Book/Report/Conference proceeding › Chapter › Academic

354 Downloads (Pure)

Abstract

Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security‿ but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.

Original language	Undefined
Title of host publication	Perspectives in Business Informatics Research
Editors	Laila Niedrite, Renate Strazdina, Benkt Wangler
Place of Publication	Berlin
Publisher	Springer
Pages	155-162
Number of pages	8
ISBN (Print)	978-9984-30-197-6
Publication status	Published - 6 Oct 2011
Event	1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011 - Riga, Latvia Duration: 6 Oct 2011 → 8 Oct 2011

Publication series

Name	Lecture Notes in Business Information Processing
Publisher	Springer Verlag
Number	106
ISSN (Print)	1865-1348

Workshop

Workshop	1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011
Period	6/10/11 → 8/10/11
Other	6-8 Oct 2011

Keywords

METIS-278771
IR-78045
Prioritization
Elicitation
Requirements
SCS-Cybersecurity
Risk-Based
RiskREP
EWI-20462
SCS-Services
Security

Access to Document

Cite this

@inbook{76cd81e30e514a94bcf6a31700f9ce9b,

title = "RiskREP: Risk-Based Security Requirements Elicitation and Prioritization",

abstract = "Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security‿ but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.",

keywords = "METIS-278771, IR-78045, Prioritization, Elicitation, Requirements, SCS-Cybersecurity, Risk-Based, RiskREP, EWI-20462, SCS-Services, Security",

author = "Andrea Herrmann and A. Morali and Sandro Etalle and Wieringa, {Roelf J.}",

year = "2011",

month = oct,

day = "6",

language = "Undefined",

isbn = "978-9984-30-197-6",

series = "Lecture Notes in Business Information Processing",

publisher = "Springer",

number = "106",

pages = "155--162",

editor = "Laila Niedrite and Renate Strazdina and Benkt Wangler",

booktitle = "Perspectives in Business Informatics Research",

address = "Germany",

note = "1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011 ; Conference date: 06-10-2011 Through 08-10-2011",

}

Herrmann, A, Morali, A, Etalle, S & Wieringa, RJ 2011, RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. in L Niedrite, R Strazdina & B Wangler (eds), Perspectives in Business Informatics Research. Lecture Notes in Business Information Processing, no. 106, Springer, Berlin, pp. 155-162, 1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011, 6/10/11.

RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. / Herrmann, Andrea; Morali, A.; Etalle, Sandro et al.
Perspectives in Business Informatics Research. ed. / Laila Niedrite; Renate Strazdina; Benkt Wangler. Berlin: Springer, 2011. p. 155-162 (Lecture Notes in Business Information Processing; No. 106).

Research output: Chapter in Book/Report/Conference proceeding › Chapter › Academic

TY - CHAP

T1 - RiskREP: Risk-Based Security Requirements Elicitation and Prioritization

AU - Herrmann, Andrea

AU - Morali, A.

AU - Etalle, Sandro

AU - Wieringa, Roelf J.

PY - 2011/10/6

Y1 - 2011/10/6

N2 - Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security‿ but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.

AB - Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security‿ but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.

KW - METIS-278771

KW - IR-78045

KW - Prioritization

KW - Elicitation

KW - Requirements

KW - SCS-Cybersecurity

KW - Risk-Based

KW - RiskREP

KW - EWI-20462

KW - SCS-Services

KW - Security

M3 - Chapter

SN - 978-9984-30-197-6

T3 - Lecture Notes in Business Information Processing

SP - 155

EP - 162

BT - Perspectives in Business Informatics Research

A2 - Niedrite, Laila

A2 - Strazdina, Renate

A2 - Wangler, Benkt

PB - Springer

CY - Berlin

T2 - 1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011

Y2 - 6 October 2011 through 8 October 2011

ER -