RiskREP: Risk-Based Security Requirements Elicitation and Prioritization

Andrea Herrmann, A. Morali, Sandro Etalle, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceeding › Chapter › Academic

    Abstract

    Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security” but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to the business goals to be achieved and is based on the cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.

    Original language: Undefined
    Title of host publication: Perspectives in Business Informatics Research
    Editors: Laila Niedrite, Renate Strazdina, Benkt Wangler
    Place of Publication: Berlin
    Publisher: Springer
    Pages: 155-162
    Number of pages: 8
    ISBN (Print): 978-9984-30-197-6
    Publication status: Published - 6 Oct 2011

    Publication series

    Name: Lecture Notes in Business Information Processing
    Publisher: Springer Verlag
    Number: 106
    ISSN (Print): 1865-1348

    Keywords

    • METIS-278771
    • IR-78045
    • Prioritization
    • Elicitation
    • Requirements
    • SCS-Cybersecurity
    • Risk-Based
    • RiskREP
    • EWI-20462
    • SCS-Services
    • Security

    Cite this

    Herrmann, A., Morali, A., Etalle, S., & Wieringa, R. J. (2011). RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. In L. Niedrite, R. Strazdina, & B. Wangler (Eds.), Perspectives in Business Informatics Research (pp. 155-162). (Lecture Notes in Business Information Processing; No. 106). Berlin: Springer.