Risk and business goal based security requirement and countermeasure prioritization

A. Herrmann, A. Morali, S. Etalle, R.J. Wieringa

Onderzoeksoutput: Hoofdstuk in Boek/Rapport/CongresprocedureConferentiebijdrageAcademicpeer review

6 Citaten (Scopus)


Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement "good-enough security" but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are a way to achieve consensus without being able to provide justifications of countermeasures in terms of business goals. But such justifications are needed to operate securely and effectively in networked businesses. In this paper, we first compare a Risk-Based Requirements Prioritization method (RiskREP) with some requirements engineering and risk assessment methods based on their requirements elicitation and prioritization properties. RiskREP extends misuse case-based requirements engineering methods with IT architecture-based risk assessment and countermeasure definition and prioritization. Then, we present how RiskREP prioritizes countermeasures by linking business goals to countermeasure specification. Prioritizing countermeasures based on business goals is especially important to provide the stakeholders with structured arguments for choosing a set of countermeasures to implement. We illustrate RiskREP and how it prioritizes the countermeasures it elicits by an application to an action case.
Originele taal-2Engels
TitelWorkshops on Business Informatics Research (BIR 2011 International Workshops and Doctoral Consortium, Riga, Latvia, October 6, 2011, Revised Selected Papers)
RedacteurenL. Niedrite, R. Strazdina, B. Wangler
Plaats van productieBerlin
ISBN van geprinte versie978-3-642-29230-9
StatusGepubliceerd - 2012

Publicatie series

NaamLecture Notes in Business Information Processing
ISSN van geprinte versie1865-1348


Duik in de onderzoeksthema's van 'Risk and business goal based security requirement and countermeasure prioritization'. Samen vormen ze een unieke vingerafdruk.

Citeer dit