A systematic approach to define the domain of information system security risk management

Intentional Perspectives on Information Systems Engineering

Volumn , Issue , 2010, Pages 289-306

  Dubois, Éric ^a   Heymans, Patrick ^b   Mayer, Nicolas ^a   Matulevičius, Raimundas ^c  

^a LUXEMBOURG INSTITUTE OF SCIENCE AND TECHNOLOGY   (Luxembourg)

^b UNIVERSITY OF NAMUR   (Belgium)

^c UNIVERSITY OF TARTU   (Estonia)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84892326872     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.1007/978-3-642-12544-7_16     Document Type: Chapter

References (57)

1. Alberts CJ, Dorofee AJ (2001) OCTAVE method implementation guide version 2.0. Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA
2. Asnar Y, Giorgini P (2006) Modelling risk and identifying countermeasure in organizations. In: Proceedings of the 1st interational workshop on critical information intrastructures security (CRITIS'06), Springer, Berlin, pp 55-66
3. AS/NZS 4360 (2004) Risk management. SAI Global
4. Bresciani P, Giorgini P, Giunchiglia F, Mylopoulos J, Perin, A (2004) TROPOS: an agentoriented software development methodology. Autonomous Agents Multi-Agent Systems 8:203-236
5. CLUSIF (1998) MARION (Méthodologie d'Analyse des Risques Informatique et d'Optimation par Niveau) available at http://www.clusif.asso.fr
6. CLUSIF (2007) MEHARI 2007: concepts and mechanisms. http://www.clusif. asso.fr/fr/production/ouvrages/pdf/CLUSIF-risk-management.pdf. Last Accessed 21 Feb. 2010
7. Cockburn A (2001) Writing effective use cases. Addison-Wesley Longman Publishing Co., Boston, MA, USA
8. Common Criteria version 2.3 (2005) Common criteria for information technology security evaluation, CCMB-2005-08-002. http://www.tse.org.tr/turkish/ belgelendirme/ortakkriter/ccpart2v2.3.pdf. Last Accessed 21 Feb. 2010
9. DCSSI (2004) EBIOS - expression of needs and identification of security objectives. http://www.ssi.gouv.fr/archive/en/confidence/ebiospresentation.html. Last Accessed 21 Feb. 2010
10. Direction des Constructions Navales (1989) MELISA (Méthode d'Evaluation de la Vulnérabilité Résiduelle des Systèmes d'Information). Paris, France
11. Dubois E, Mayer N, Rifaut A, Rosener V (2006) Contributions méthologiques pour l'amélioration de l'analyse des risques. In: Enjeux de la sécurité multimédia (Traité IC2, série Informatique et systèmes d'information). Hermes Science Publications, Paris, pp 79-131
12. Elahi G, Yu E, Zannone N (2010) A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities.. Reqs Eng Journal 15(1):41-62
13. ENISA (European Network and Information Security Agency) (2006) Inventory of risk assessment and risk management methods. http://www.enisa.europa.eu/act/ rm/files/deliverables/inventory-of-risk-assessment-and-risk-management-methods. Last Accessed 21 Feb. 2010
14. Fabian B, Gürses S, Heisel M, Santen T, Schmidt H (2010) A comparison of security requirements engineering methods. Reqs Eng Journal 15(1):7-40
15. Firesmith DG (2003) Common concepts underlying safety, security, and survivability engineering. CMU/SEI-2003-TN-033 Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA
16. Firesmith DG (2007) Engineering safety and security related requirements for software intensive systems. In: Companion to the proceedings of the 29th international conference on software engineering (COMPANION'07). IEEE Computer Society, p 169
17. Giorgini P, Massacci F, Zannone N (2005) Security and trust requirements engineering. In: Foundations of security analysis and design III. LNCS, vol 3655. Springer, pp 237-272
18. Haley CB, Laney RC, Moffett JD, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34:133-153
19. Haley CB, Moffett JD, Laney RC, Nuseibeh B (2006) A framework for security requirements engineering. In: Proceedings of the 2nd international workshop on software engineering for secure systems (SESS'06), ACM, pp 35-42
20. Harel D, Rumpe B (2004) Meaningful modeling: what's the semantics of "semantics"? Computer 37:64-72
21. Insight Consulting (2003) CRAMM (CCTA Risk Analysis and Management Method) User Guide version 5.0. SIEMENS
22. ISO/IEC Guide 73 (2002) Risk management - vocabulary - guidelines for use in standards. International Organization for Standardization, Geneva
23. ISO/IEC 13335-1 (2004) Information technology - security techniques - management of information and communications technology security - part 1: concepts and models for information and communications technology security management.. International Organization for Standardization, Geneva
24. ISO 14001 (2004) Environmental management systems - requirements with guidance for use. International Organization for Standardization, Geneva
25. ISO/IEC 27001 (2005) Information technology - security techniques - information security management systems - requirements.. International Organization for Standardization, Geneva 26.
26. Jackson M (1995) Software requirements & specifications: a lexicon of practice, principles and prejudices. ACM/Addison-Wesley, New York
27. Jackson M (2001) Problem frames: analyzing and structuring software development problems. Addison-Wesley, New York
28. Jürjens J (2002) UMLsec: extending uml for secure systems development. In: Proceedings of the 5th international conference on the unified modeling language (UML'02). LNCS, vol 2460. Springer, pp 412-425
29. van Lamsweerde A (2004) Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th international conference on software engineering (ICSE'04), IEEE Computer Society, pp 148-157
30. van Lamsweerde A, Letier E (2000) Handling obstacles in goal-oriented requirements engineering. IEEE Trans Softw Eng 26:978-1005
31. Lin L, Nuseibeh B, Ince D, Jackson M (2004) Using abuse frames to bound the scope of security problems. In: Proceedings of the 12th IEEE international conference on requirements engineering (RE'04), IEEE Computer Society, pp 354-355
32. Lin L, Nuseibeh B, Ince D, Jackson M, Moffett JD (2003) Analysing security threats and vulnerabilities using abuse frames. Technical report No: 2003/10, Open University
33. Lin L, Nuseibeh B, Ince D, Jackson M, Moffett JD (2003) Introducing abuse frames for analysing security requirements. In: Proceedings of the 11th IEEE international conference on requirements engineering (RE'03), IEEE Computer Society, pp 371-372
34. Liu L, Yu E, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. In: Proceedings of the 11th IEEE international conference on requirements engineering (RE'03), IEEE Computer Society, p 151
35. Lodderstedt T, Basin D, Doser J (2002) SecureUML: a UML-based modeling language for model-driven security. In: Proceedings of the 5th international conference on the unified modeling language (UML'02), Springer, pp 426-441
36. Matulevicius R, Mayer N, Heymans P (2008) Alignment of misuse cases with security risk management. In: Proceedings of the 3rd international conference on availability, reliability and security (ARES'08), IEEE Computer Society, pp 1397-1404
37. Matulevicius R, Mayer N, Mouratidis H, Dubois E, Heymans P, Genon N (2008) Adapting secure tropos for security risk management during early phases of the information systems development.. In: Proceedings of the 20th international conference on advanced information systems engineering (CAiSE'08). LNCS, vol 5074. Springer, pp 541-555
38. Mayer N (2009) Model-based management of information system security risk. PhD thesis, University of Namur
39. Mayer N, Genon N (2006) Design of a modelling language for information system security risk management-elicitation of relationships between concepts and meta-model of each source.. Technical report. University of Namur
40. Mayer N, Heymans P, Matulevičius R (2007) Design of a modelling language for information system security risk management. In: Proceedings of the 1st international conference on research challenges in information science (RCIS'07), IEEE Xplore Digital Library, pp 121-132
41. Mayer N, Rifaut, A, Dubois E (2005) Towards a risk-based security requirements engineering framework. In: Proceedings of the 11th international workshop on requirements engineering: foundation for software quality (REFSQ'05), Springer, pp 83-97
42. McDermott J, Fox C (1999) Using abuse case models for security requirements analysis. In: Proceedings of the 15th annual computer security applications conference (ACSAC'99), IEEE Computer Society, pp 55-65
43. Mead NR, Hough ED, Stehney TR (2005) Security quality requirements engineering (SQUARE) methodology. Technical report CMU/SEI-2005-TR-009, ESC-TR-2005-009Carnegie Mellon University - Software Engineering Institute, Pittsburgh, PA
44. Moffett JD, Nuseibeh B (2003) A framework for security requirements engineering. Report YCS 368 Department of Computer Science, University of York, UK
45. Moody DL (2009) Evidence-based notation design: towards a scientific basis for constructing visual notations in software engineering.. IEEE Trans Softw Eng 35(6):756-779
46. Mouratidis H, Giorgini P (2010) Extending i. and tropos to model security. In: Yu E, Giorgini P, Maiden N, Mylopoulos J (eds) Social modeling for requirements engineering. MIT (in press), Cambridge, Massachusetts (USA)
47. Mouratidis H, Giorgini P, Manson GA, Philp I (2002) A natural extension of tropos methodology for modelling security. In: Proceedings of the agent oriented methodologies workshop (OOPSLA'02)
48. Oladimeji EA, Supakkul S, Chung L (2006) Security threat modeling and analysis: a goal-oriented approach. In: Proceedings of the 10th international conference on software engineering and applications (SEA'06), pp 178-185
49. Olle TW, Hagelstein J, Macdonald IG., Rolland C, Sol HG, Van Assche FJM, Verrijn-Stuart AA (1992) Information systems methodology: a framework for understanding, 2nd edn. Addison-Wesley Longman Publishing Co., Inc. Boston, MA, USA
50. Rolland C (1998) An information system methodology supported by an expert design tool. Elsevier Science, University of Paris
51. Sindre G, Opdahl AL (2004) Eliciting security requirements with misuse cases. Reqs Eng J 10(1):34-44
52. Stoneburner G, Goguen A, Feringa A (2002) NIST special publication 800-30: risk management guide for information technology systems. National Institute of Standards and Technology, Gaithersburg
53. Stoneburner G, Hayden C, Feringa A (2004) NIST special publication 800-27 rev. A: engineering principles for information technology security (a baseline for achieving security). National Institute of Standards and Technology, Gaithersburg
54. The Project Management Institute (2001) Project management body of knowledge www.pmi.org
55. Vraalsen F, Mahler T, Lund MS, Hogganvik I, den Braber F, Stalen K (2007) Assessing enterprise risk level: the CORAS approach. In: Khadraoui D, Herrmann F (eds) Advances in enterprise information technology security. Idea Group, IGI Global, Hershey, Pennsylvania pp 311-333
56. Wikipedia (2008) Information system definition. http://en. wikipedia.org/wiki/Information-system
57. Yu E (1996) Modelling strategic relationships for process reengineering. PhD Thesis, University of Toronto, Toronto, ON, Canada