RiskREP: Risk-Based Security Requirements Elicitation and Prioritization

Andrea Herrmann, A. Morali, Sandro Etalle, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceedingChapterAcademic

    192 Downloads (Pure)


    Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security‿ but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.
    Original languageUndefined
    Title of host publicationPerspectives in Business Informatics Research
    EditorsLaila Niedrite, Renate Strazdina, Benkt Wangler
    Place of PublicationBerlin
    Number of pages8
    ISBN (Print)978-9984-30-197-6
    Publication statusPublished - 6 Oct 2011
    Event1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011 - Riga, Latvia
    Duration: 6 Oct 20118 Oct 2011

    Publication series

    NameLecture Notes in Business Information Processing
    PublisherSpringer Verlag
    ISSN (Print)1865-1348


    Workshop1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011
    Other6-8 Oct 2011


    • METIS-278771
    • IR-78045
    • Prioritization
    • Elicitation
    • Requirements
    • SCS-Cybersecurity
    • Risk-Based
    • RiskREP
    • EWI-20462
    • SCS-Services
    • Security

    Cite this