Security risk management by qualitative vulnerability analysis

G. Elahi, E. Yu, N. Zannone

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review



Security risk assessment in the requirements phase is challenging because the probability and damage of attacks are not always numerically measurable, or not yet available, in the early phases of development. Selecting proper security solutions is also problematic because the mitigating impacts and side-effects of solutions are often not quantifiable either. In the early development phases, analysts need to assess risks in the absence of numerical measures, or to deal with a mixture of quantitative and qualitative data. We propose a risk analysis process which intertwines security requirements engineering with a vulnerability-centric and qualitative risk analysis method. The proposed method is qualitative and vulnerability-centric in the sense that the probability and damage of risks are evaluated qualitatively by identifying and analyzing common vulnerabilities. We also propose an algorithmic decision analysis method that considers risk factors and alternative security solutions, and helps analysts select the most cost-effective solution. The decision analysis method enables a decision to be made even when some of the available data is qualitative.
Original language: English
Title of host publication: Proceedings of the Third International Workshop on Security Measurements and Metrics (Metrisec), 21 September 2011, Banff, Alberta, Canada
Editors: J. Walden, L. Williams
Place of publication: New York
Publisher: IEEE Computer Society
ISBN (Print): 978-1-4673-1245-5
Publication status: Published - 2011