RiskREP: Risk-Based Security Requirements Elicitation and Prioritization


Herrmann, Andrea and Morali, Ayse and Etalle, Sandro and Wieringa, Roel (2011) RiskREP: Risk-Based Security Requirements Elicitation and Prioritization. In: 1st International Workshop on Alignment of Business Process and Security Modelling, ABPSM 2011, 6-8 Oct 2011, Riga, Latvia (pp. pp. 1-8).

open access
Abstract:Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security” but need to be able to justify their security investment plans. In this paper, we present a Risk-Based Requirements Prioritization method (RiskREP) that extends misuse case-based methods with IT architecture based risk assessment and countermeasure definition and prioritization. Countermeasure prioritization is linked to business goals to achieve and based on cost of countermeasures and their effectiveness in reducing risks. RiskREP offers the potential to elicit complete security countermeasures, but also supports the deliberate decision and documentation of why the security analysis is focused on certain aspects. We illustrate RiskREP by an application to an action case.
Item Type:Conference or Workshop Item
Copyright:© 2011 Springer
Electrical Engineering, Mathematics and Computer Science (EEMCS)
Research Group:
Link to this item:http://purl.utwente.nl/publications/78045
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page