Risk-Based Elicitation of Security Requirements According to the ISO 27005 Standard

Abstract

Security is of great importance for software-intensive systems. Security incidents have become increasingly frequent in the last few years. Such incidents can lead to substantial damage, not only financially but also in terms of reputation loss. The security of a software system can be compromised by threats, which may harm assets with a certain likelihood, thus constituting a risk. All such risks should be identified, and unacceptable risks should be reduced. The task of dealing with risks is called risk management and should be performed right from the beginning of the software development process. Security requirements can be used to address security aspects during requirements engineering. We propose a risk-based method to elicit security requirements based on functional requirements. Our method complies with the ISO 27005 standard for security risk management. We provide guidance for all steps of that process, and the results are collected in a model. We also define validation conditions to support the identification of errors as early as possible when carrying out the process.

Category

Academic article

Language

English

Author(s)

  • Roman Wirtz
  • Maritta Heisel
  • Angela Borchert
  • Rene Meis
  • Aida Omerovic
  • Ketil Stølen

Affiliation

  • SINTEF Digital / Sustainable Communication Technologies
  • Duisburg-Essen University

Year

2019

Published in

Communications in Computer and Information Science (CCIS)

ISSN

1865-0929

Volume

1023

Page(s)

71 - 97