Security Risk Management by Qualitative Vulnerability Analysis
- 1 September 2011
- conference paper
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2011 Third International Workshop on Security Measurements and Metrics
Abstract
Security risk assessment in the requirements phase is challenging because risk factors, such as probability and damage of attacks, are not always numerically measurable or available in the early phases of development. This makes the selection of proper security solutions problematic because mitigating impacts and side-effects of solutions are not often quantifiable. In the early development phases, analysts need to assess risks in the absence of numerical measures or deal with a mixture of quantitative and qualitative data. We propose a risk analysis process which intertwines security requirements engineering with a vulnerability-centric and qualitative risk analysis method. The proposed method is qualitative and vulnerability-centric, in the sense that by identifying and analyzing common vulnerabilities the probability and damage of risks are evaluated qualitatively. We also propose an algorithmic decision analysis method that considers risk factors and alternative security solutions, and helps analysts select the most cost-effective solution. The decision analysis method enables making a decision when some of the available data is qualitative.Keywords
This publication has 13 references indexed in Scilit:
- Trust Trade-off Analysis for Security Requirements EngineeringPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2009
- A Broad, Quantitative Model for Making Early Requirements DecisionsIEEE Software, 2008
- Adapting Secure Tropos for Security Risk Management in the Early Phases of Information Systems DevelopmentNotes on Numerical Fluid Mechanics and Multidisciplinary Design, 2008
- Reasoning about partial goal satisfaction for requirements and design engineeringPublished by Association for Computing Machinery (ACM) ,2004
- Elaborating security requirements by construction of intentional anti-modelsPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2004
- Multi-criteria preference analysis for systematic requirements negotiationPublished by Institute of Electrical and Electronics Engineers (IEEE) ,2003
- The CORAS MethodologyPublished by IGI Global ,2003
- Security attribute evaluation methodPublished by Association for Computing Machinery (ACM) ,2002
- Security Management Standard — ISO 17799/BS 7799BT Technology Journal, 2001
- A cost-value approach for prioritizing requirementsIEEE Software, 1997