Towards a measurement framework for security risk management

CEUR Workshop Proceedings

Volumn 413, Issue , 2008, Pages

  Mayer, Nicolas ^a,b   Dubois, Eric ^a   Matulevičius, Raimundas ^b   Heymans, Patrick ^b  

^a LUXEMBOURG INSTITUTE OF SCIENCE AND TECHNOLOGY   (Luxembourg)

^b UNIVERSITY OF NAMUR   (Belgium)

Author keywords

[No Author keywords available]

Indexed keywords

CLASS DIAGRAMS; DOMAIN MODEL; GOAL-QUESTION-METRIC; MANAGING INFORMATION SYSTEMS; MODELLING LANGUAGE; RESEARCH METHODS; SECURITY RISK MANAGEMENTS; UML CLASS DIAGRAMS;

ITERATIVE METHODS; RISK MANAGEMENT;

MODELS;

EID: 84885655277     PISSN: 16130073     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (22)

1. DCSSI: EBIOS - Expression of Needs and Identification of Security Objectives. http://www.ssi.gouv.fr/en/confidence/ebiospresentation.html, France (2004)
2. CLUSIF: MEHARI 2007 (MEthode Harmonisée d'Analyse du Risque Informatique). https://www.clusif.asso.fr/fr/production/mehari/, France (2007)
3. Alberts, C.J., Dorofee, A.J.: OCTAVE Method Implementation Guide Version 2.0. Carnegie Mellon University - Software Engineering Institute (2001)
4. Insight Consulting: CRAMM (CCTA Risk Analysis and Management Method) User Guide version 5.0. SIEMENS (2003)
5. Mayer, N.: Managing security IT risk: a goal-based requirements engineering approach. In: RE'05 Doctoral Consortium, in conjunction with the 13th IEEE International Requirements Engineering Conference (RE'05). (2005)
6. Mayer, N., Rifaut, A., Dubois, E.: Towards a risk-based security requirements engineering framework. In: Proceedings of the 11th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'05). (2005) 83-97
7. Dubois, E., Mayer, N., Rifaut, A., Rosener, V.: Contributions méthodologiques pour l'amélioration de l'analyse des risques. In Ebrahimi, T., Leprévost, F., Warusfel, B., eds.: Enjeux de la sécurité multimédia (Traité IC2, série Informatique et systèmes d'information). Hermes (2006) 79-131
8. Mayer, N., Heymans, P., Matulevičius, R.: Design of a modelling language for information system security risk management. In: Proceedings of the 1st International Conference on Research Challenges in Information Science (RCIS '07), Ouarzazate, Morocco (2007) 121-132
9. Matulevičius, R., Mayer, N., Heymans, P.: Alignment of Misuse Cases with security risk management. In: Proceedings of the 3rd International Conference on Availability, Security and Reliability (ARES '08), Symposium on Requirements Engineering for Information Security (SREIS '08). IEEE Computer Society (2008) 1397-1404
10. Matulevičius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting Secure Tropos for security risk management during early phases of the information systems development. In: Proceedings of the 20th International Conference on Advanced Information Systems Engineering (CAiSE '08). Springer (2008)
11. Basili, V.R., Caldiera, G., Rombach, H.D.: The goal question metric approach. In: Encyclopedia of Software Engineering. John Wiley & Sons, Inc. (1994) 532-538
12. ISO/IEC 27005: Information technology - Security techniques - Information security risk management. (2008)
13. Stoneburner, G., Goguen, A., Feringa, A.: NIST Special Publication 800-30: Risk Management Guide for Information Technology Systems. National Institute of Standards and Technology, Gaithersburg (2002)
14. Bundesamt für Sicherheit in der Informationstechnik: BSI Standard 100-3 Risk analysis based on IT-Grundschutz (September 2005)
15. Vraalsen, F., Mahler, T., Lund, M.S., Hogganvik, I., den Braber, F., Stølen, K.: Assessing enterprise risk level: The CORAS approach. In Khadraoui, D., Herrmann, F., eds.: Advances in Enterprise Information Technology Security. Idea group (2007) 311-333
16. ISACA: CISA Review Manual 2006. Information Systems Audit and Control Association (2006)
17. CLUSIF, Groupe de travail ROSI: Retour sur investissement en sécurité des systèmes d'information: quelques clés pour argumenter (2004)
18. Sonnenreich, W., Albanese, J., Stout, B.: Return on security investment (ROSI): A practical quantitative model. In Fernández-Medina, E., Castro, J.C.H., Castro, L.J.G., eds.: WOSIS, INSTICC Press (2005) 239-252
19. Microsoft: The Security Risk Management Guide. (2004)
20. Mayer, N.: Information system security risk management metrics definition, http://www.nmayer.eu/publis/ISSRMmetrics-TR-11-06.pdf. Technical report, CRP Henri Tudor (2008)
21. ISO/IEC 27001: Information technology - Security techniques - Information security management systems - Requirements. (2005)
22. Houmb, S.H., Georg, G., France, R., Bieman, J., Jürjens, J.: Cost-benefit trade-off analysis using BBN for aspect-oriented risk-driven development. In: Proceedings of the 10th IEEE International Conference on Engineering of Complex Computer Systems (ICECCS'05), Shangai, IEEE Computer Society (2005) 195-204