Symposium on Requirements Engineering for Information Security, 2002.
Best practice dictates that security requirements be based on risk assessments; however, simplistic risk assessments that result in lists or sets of scenarios do not provide sufficient information to prioritize requirements when faced with resource constraints (e.g., time, money). Multi-attribute risk assessments provide a convenient framework for systematically developing quantitative risk assessments that the security manager can use to prioritize security requirements. This paper presents a multi-attribute risk assessment process and results from two industry case studies that used the process to identify and prioritize their risks.
_________________________________________________________
Brought to you by Composable Software Systems Research Group in the School of Computer Science at Carnegie Mellon University.
[Last modified 02-OCT-02.]