Risk and Business Goal Based Security Requirement and Countermeasure Prioritization


Herrmann, Andrea and Morali, Ayse and Etalle, Sandro and Wieringa, Roel (2012) Risk and Business Goal Based Security Requirement and Countermeasure Prioritization. In: Workshops on Business Informatics Research, BIR 2011, 6-8 October 2011, Riga, Latvia (pp. pp. 64-76).

open access
Abstract:Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security” but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are a way to achieve consensus without being able to provide justifications of countermeasures in terms of business goals. But such justifications are needed to operate securely and effectively in networked businesses. In this paper, we first compare a Risk-Based Requirements Prioritization method (RiskREP) with some requirements engineering and risk assessment methods based on their requirements elicitation and prioritization properties. RiskREP extends misuse case-based requirements engineering methods with IT architecture-based risk assessment and countermeasure definition and prioritization. Then, we present how RiskREP prioritizes countermeasures by linking business goals to countermeasure specification. Prioritizing countermeasures based on business goals is especially important to provide the stakeholders with structured arguments for choosing a set of countermeasures to implement. We illustrate RiskREP and how it prioritizes the countermeasures it elicits by an application to an action case.
Item Type:Conference or Workshop Item
Copyright:© 2012 Springer
Electrical Engineering, Mathematics and Computer Science (EEMCS)
Research Group:
Link to this item:http://purl.utwente.nl/publications/80250
Official URL:https://doi.org/10.1007/978-3-642-29231-6_6
Export this item as:BibTeX
HTML Citation
Reference Manager


Repository Staff Only: item control page