
Supporting Risk Assessment with the Systematic Identification, Merging, and Validation of Security Goals

  • Conference paper
  • Published in: Risk Assessment and Risk-Driven Quality Assurance (RISK 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 10224)

Abstract

Assessing security-related risks in software or systems engineering is a challenging task: often, a heterogeneous set of distributed stakeholders creates a complex system of (software) components that are highly connected to each other, to consumer electronics, or to Internet-based services. Changes during development are frequent and must be evaluated and handled efficiently. Consequently, risk assessment itself becomes a complex task, and its results must be comprehensible to all actors in the distributed environment. In particular, the systematic and repeatable identification of security goals based on a model of the system under development (SUD) is not well supported by established methods. We therefore demonstrate how the systematic identification, merging, and validation of security goals based on a model of the SUD, in a concrete implementation of our method Modular Risk Assessment (MoRA), supports security engineers in handling this challenge.



Corresponding author

Correspondence to Daniel Angermeier.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Angermeier, D., Nieding, A., Eichler, J. (2017). Supporting Risk Assessment with the Systematic Identification, Merging, and Validation of Security Goals. In: Großmann, J., Felderer, M., Seehusen, F. (eds) Risk Assessment and Risk-Driven Quality Assurance. RISK 2016. Lecture Notes in Computer Science, vol 10224. Springer, Cham. https://doi.org/10.1007/978-3-319-57858-3_7

  • DOI: https://doi.org/10.1007/978-3-319-57858-3_7
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-57857-6
  • Online ISBN: 978-3-319-57858-3
  • eBook Packages: Computer Science (R0)
