Towards Agile Security Risk Management in RE and Beyond

V. Nunes Leal Franqueira, Z. Bakalova, Thein Tan Tun, Maia Daneva

    Research output: Chapter in Book/Report/Conference proceeding > Conference contribution > Academic > peer-review

    2 Citations (Scopus)
    207 Downloads (Pure)

    Abstract

    Little attention has been given so far to the process of security risk management at the early stages of system development. Security has been addressed by isolated security assurance practices, some of which consider risks and mitigations, but they do not provide an overview of the overall security state of the system being developed. This paper takes the position that (1) these isolated security assurance practices should be fully integrated and embedded in short iterations of risk assessment, treatment and acceptance, providing input for updating security requirements and for security risk management, and that (2) available empirical data from public catalogs and databases should be used as a source of expertise, to leverage past experiences and therefore reduce, although not eliminate, the subjectivity of human judgment. Borrowing from the agile software development and project management philosophy, we introduce the idea of a lightweight, agile approach to security risk management integrated into the development life cycle.
    Original language: English
    Title of host publication: 2011 First International Workshop on Empirical Requirements Engineering (EmpiRE)
    Publisher: IEEE Computer Society
    Pages: 33-36
    Number of pages: 4
    ISBN (Electronic): 978-1-4577-1076-6
    ISBN (Print): 978-1-4577-1075-9
    DOIs: 10.1109/EmpiRE.2011.6046253
    Publication status: Published - Aug 2011
    Event: First International Workshop on Empirical Requirements Engineering, EMPIRE 2011 - Trento, Italy
    Duration: 30 Aug 2011 - 30 Aug 2011
    Conference number: 1
    Internet address: http://selab.fbk.eu/empire2011/

    Publication series

    Name
    Publisher: IEEE Computer Society

    Workshop

    Workshop: First International Workshop on Empirical Requirements Engineering, EMPIRE 2011
    Abbreviated title: EmpiRE 2011
    Country: Italy
    City: Trento
    Period: 30/08/11 - 30/08/11
    Internet address: http://selab.fbk.eu/empire2011/

    Fingerprint

    Risk management
    Project management
    Risk assessment
    Life cycle
    Software engineering

    Keywords

    • METIS-277709
    • IR-77812
    • Information Security Risk Management
    • SCS-Services
    • Security Assurance
    • Secure Engineering
    • EWI-20315
    • Agile Software Development

    Cite this

    Nunes Leal Franqueira, V., Bakalova, Z., Tun, T. T., & Daneva, M. (2011). Towards Agile Security Risk Management in RE and Beyond. In 2011 First International Workshop on Empirical Requirements Engineering (EmpiRE) (pp. 33-36). IEEE Computer Society. https://doi.org/10.1109/EmpiRE.2011.6046253
    @inproceedings{effa6f1f21f140f7b508ea9cb35755d0,
    title = "Towards Agile Security Risk Management in RE and Beyond",
    abstract = "Little attention has been given so far to the process of security risk management at the early stages of system development. Security has been addressed by isolated security assurance practices, some of which consider risks and mitigations, but they do not provide an overview of the overall security state of the system being developed. This paper takes the position that (1) these isolated security assurance practices should be fully integrated and embedded in short iterations of risk assessment, treatment and acceptance, providing input for updating security requirements and for security risk management, and that (2) available empirical data from public catalogs and databases should be used as a source of expertise, to leverage past experiences and therefore reduce, although not eliminate, the subjectivity of human judgment. Borrowing from the agile software development and project management philosophy, we introduce the idea of a lightweight, agile approach to security risk management integrated into the development life cycle.",
    keywords = "METIS-277709, IR-77812, Information Security Risk Management, SCS-Services, Security Assurance, Secure Engineering, EWI-20315, Agile Software Development",
    author = "{Nunes Leal Franqueira}, V. and Z. Bakalova and Tun, {Thein Tan} and Maia Daneva",
    year = "2011",
    month = "8",
    doi = "10.1109/EmpiRE.2011.6046253",
    language = "English",
    isbn = "978-1-4577-1075-9",
    publisher = "IEEE Computer Society",
    pages = "33--36",
    booktitle = "2011 First International Workshop on Empirical Requirements Engineering (EmpiRE)",
    address = "United States",

    }

