Abstract
In security management, the concept of security requirements has replaced risk analysis when assessing appropriate measures. However, it is not clear how elicited requirements can be prioritized. State-of-the-art methods for prioritizing the holistic nature of security requirements are applicable only after major revisions. This dilemma is the starting point for proposing a qualitative decision matrix approach that is quick and whose results are reproducible and sufficiently accurate. This article describes how the parameters for a prioritization are derived and how the prioritization is carried out.
© 2005 International Federation for Information Processing
Cite this paper
Zuccato, A. (2005). A Decision Matrix Approach. In: Sasaki, R., Qing, S., Okamoto, E., Yoshiura, H. (eds) Security and Privacy in the Age of Ubiquitous Computing. SEC 2005. IFIP Advances in Information and Communication Technology, vol 181. Springer, Boston, MA. https://doi.org/10.1007/0-387-25660-1_3
DOI: https://doi.org/10.1007/0-387-25660-1_3
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-25658-0
Online ISBN: 978-0-387-25660-3
eBook Packages: Computer Science (R0)