Risk and business goal based security requirement and countermeasure prioritization

A. Herrmann, A. Morali, S. Etalle, R.J. Wieringa

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

7 Citations (Scopus)


Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement "good-enough security" but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are a way to achieve consensus without being able to provide justifications of countermeasures in terms of business goals. But such justifications are needed to operate securely and effectively in networked businesses. In this paper, we first compare a Risk-Based Requirements Prioritization method (RiskREP) with some requirements engineering and risk assessment methods based on their requirements elicitation and prioritization properties. RiskREP extends misuse case-based requirements engineering methods with IT architecture-based risk assessment and countermeasure definition and prioritization. Then, we present how RiskREP prioritizes countermeasures by linking business goals to countermeasure specification. Prioritizing countermeasures based on business goals is especially important to provide the stakeholders with structured arguments for choosing a set of countermeasures to implement. We illustrate RiskREP and how it prioritizes the countermeasures it elicits by an application to an action case.
Original languageEnglish
Title of host publicationWorkshops on Business Informatics Research (BIR 2011 International Workshops and Doctoral Consortium, Riga, Latvia, October 6, 2011, Revised Selected Papers)
EditorsL. Niedrite, R. Strazdina, B. Wangler
Place of PublicationBerlin
ISBN (Print)978-3-642-29230-9
Publication statusPublished - 2012

Publication series

NameLecture Notes in Business Information Processing
ISSN (Print)1865-1348


Dive into the research topics of 'Risk and business goal based security requirement and countermeasure prioritization'. Together they form a unique fingerprint.

Cite this