Abstract
Security risk analysis should be conducted regularly for organizations to maintain an acceptable level of security. In principle, all risks that are unacceptable according to the predefined criteria should be mitigated. However, risk mitigation comes at a cost, and only the countermeasures that cost-efficiently mitigate risks should be implemented. This report presents an approach to integrate the countermeasure cost-benefit assessment into the risk analysis, and to provide decision makers with the necessary decision support. The approach comes with the necessary modeling support, a calculus for reasoning about the countermeasure cost and effect, as well as means for visualization of the results to aid decision makers. The approach is generic in the sense that the modeling and analysis techniques can be instantiated in several established approaches to risk assessment. In this report we demonstrate the instantiation in CORAS and exemplify the approach using an eHealth scenario.