A Risk-Based Approach to Formalise Information Security Requirements for Software Development

  • Lynn Futcher
  • Rossouw von Solms
Conference paper
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 406)


A primary source of information security problems is often an excessively complex software design that cannot be easily or correctly implemented, maintained nor audited. It is therefore important to establish risk-based information security requirements that can be converted into information security specifications that can be used by programmers to develop security-relevant code. This paper presents a risk-based approach to formalise information security requirements for software development. Based on a formal, structured risk management model, it focuses on how to establish information security requirements to ensure the protection of the information assets implicated. In this way it hopes to provide some educational guidelines on how risk assessment can be incorporated in the education of software developers.


Information security security requirements risk analysis risk assessment risk treatment risk-based approach 


  1. 1.
    Britton, C., Doake, J.: Software System Development. A Gentle Introduction, 4th edn., pp. 21–35. McGraw-Hill, Berkshire (2006)Google Scholar
  2. 2.
    Futcher, L., von Solms, R.: SecSDM: A Model for Integrating Security into the Software Development Life Cycle. In: Futcher, L., Dodge, R. (eds.) Fifth World Conference on Information Security Education. IFIP, vol. 237, pp. 41–48. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  3. 3.
    von Solms, S.H., von Solms, R.: Information Security Governance, pp. 87–100. Springer, New York (2009)CrossRefGoogle Scholar
  4. 4.
    Landoll, D.J.: The security risk assessment handbook: A complete guide for performing security risk assessments. Auerbach Publications, New York (2006)Google Scholar
  5. 5.
    ISO. ISO/IEC TR 13335-3 : Information Technology – Guidelines for the Management of IT Security. Part 3 : Techniques for the management of IT security (1998) Google Scholar
  6. 6.
    Peltier, T.R.: Information security risk analysis. Auerbach Publications, New York (2005)CrossRefGoogle Scholar
  7. 7.
    Jurjens, J.: Using UMLSec and goal trees for secure systems development. Communications of the ACM 48(5), 1026–1030 (2002)zbMATHGoogle Scholar
  8. 8.
    Tirado, I.: Business Oriented Information Security Requirements Development, Ivan Tirado, CISSP-ISSAP, Kennesaw State University, 1000 Chastain Road, Kennesaw, GA 30144 (2006),
  9. 9.
    ISO. ISO 7498-2: Information Processing Systems - Open System Interconnection - Basic Reference Model - Part 2: Security Architecture (1989)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Lynn Futcher
    • 1
  • Rossouw von Solms
    • 1
  1. 1.Nelson Mandela Metropolitan UniversityPort ElizabethSouth Africa

Personalised recommendations