Risk-Based Elicitation of Security Requirements According to the ISO 27005 Standard

  • Conference paper
Evaluation of Novel Approaches to Software Engineering (ENASE 2018)

Abstract

Security is of great importance for software-intensive systems. Security incidents have become more and more frequent in the last few years. Such incidents can lead to substantial damage, not only financially, but also in terms of reputation loss. The security of a software system can be compromised by threats, which may harm assets with a certain likelihood, thus constituting a risk. All such risks should be identified, and unacceptable risks should be reduced. The task of dealing with risks is called risk management and should be performed right from the beginning of the software development process. Security requirements can be used to address security aspects during requirements engineering. We propose a risk-based method to elicit security requirements based on functional requirements. Our method complies with the ISO 27005 standard for security risk management. We provide guidance for all steps of that process, and the results are collected in a model. We also define validation conditions to support the identification of errors as early as possible when carrying out the process.

Author information

Corresponding author

Correspondence to Roman Wirtz.

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Wirtz, R., Heisel, M., Borchert, A., Meis, R., Omerovic, A., Stølen, K. (2019). Risk-Based Elicitation of Security Requirements According to the ISO 27005 Standard. In: Damiani, E., Spanoudakis, G., Maciaszek, L. (eds) Evaluation of Novel Approaches to Software Engineering. ENASE 2018. Communications in Computer and Information Science, vol 1023. Springer, Cham. https://doi.org/10.1007/978-3-030-22559-9_4

  • DOI: https://doi.org/10.1007/978-3-030-22559-9_4

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-22558-2

  • Online ISBN: 978-3-030-22559-9

  • eBook Packages: Computer Science, Computer Science (R0)