Skip to main content

Utilizing Security Risk Analysis and Security Testing in the Legal Domain

Part of the Lecture Notes in Computer Science book series (LNPSE,volume 8418)


In recent years, businesses have faced large regulatory fines as a result of information security breaches. This signifies the need for businesses to account for legal issues when addressing their information security risks and to ensure that their day-to-day business operations do not violate legal norms of relevance to information security, such as data privacy laws. This paper offers a twofold contribution to this issue. First, it purposes that organizations’ security risk analysis should be accompanied by an assessment of the legal implications of identified security risks. This enables organizations understand the associated legal risks they would face if the identified security risks were to materialize and prioritize the risks accordingly. Second, the paper underlines the need for security testing to support compliance checking. Particularly, the use of conformance testing would enhance organizations’ level of assurance regarding their compliance with legal norms of relevance to information security.


  • Legal risk analysis
  • Compliance checking
  • Testing
  • Security testing
  • Security risk analysis

This is a preview of subscription content, access via your institution.

Buying options

USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-319-07076-6_4
  • Chapter length: 17 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
USD   39.99
Price excludes VAT (USA)
  • ISBN: 978-3-319-07076-6
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   49.99
Price excludes VAT (USA)
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.


  1. 1.

    The Article 29 Working Party is an organ established under Article 20 of the European Data Protection Directive. It plays, mainly, an advisory role with regard to data protection issues.

  2. 2.

    I do not attempt to define which laws would fall under such a category, but for the purposes of this paper, legal norms of relevance to security could be defined as the rules that govern information and information systems.

  3. 3.

    The CORAS tool is a graphical language used in risk analysis with constructs, such as threats, vulnerabilities, risks, unwanted incidents, threat scenarios, and assets. It enables communication among experts from different disciplines as well as the documentation of risk assessment results.

  4. 4.

    Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to processing of personal data and the free movement of such data [1995] OJ L281.

  5. 5.

    The UK Privacy Act has a clause that obliges the consideration whether the breach would “likely cause damage or distress” to the data subjects [11]. Hence, in the legal context, these facts have received more weight than the number of records affected.

  6. 6.

    For e.g. the First-Tier Tribunal reversed a decision of the ICO on a regulatory fine on the ground that files containing personal information, which are disposed in a garbage bin does not fulfill the criteria ‘likely to cause damage or distress’ to the data subjects [11].

  7. 7.

    This is relevant because, the application of the legal norm to the facts does not always give rise to the unwanted incident because there might be exceptions that can exempt the client from legal liability or another third party could be held liable for the damage. In addition, there is the possibility that the victims might not bring a legal action against the company.

  8. 8.

    This might not always be the case. This is because, for example, the organization might put different value for personally identifiable information as an asset than the customer payment data.

  9. 9.

    COMMISSION REGULATION (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications.

  10. 10.

    Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

  11. 11.

    Proposal for a directive of the European Parliament and of the Council concerning measures to ensure a high common level of network and information security across the Union (COM(2013)0048 – C7-0035/2013 – 2013/0027(COD)).

  12. 12.

    A survey by ENISA [14] shows that a risk-based approach to information breach notifications as essential means to balance the interest of breach notification fatigue for data controllers and the interest survey by the breach.

  13. 13.

    For example, Article 2 of the REGULATION (EU) No 611/2013 states that organizations should notify any breach ‘no later than 24 hours after the detection of the personal data breach’.

  14. 14.

    An update to the proposal for General Data Protection Regulation has come out in October 22, 2013. Inofficial consolidated version after Libe Committee vote provided by the Rapporteur 22 October 2013, is available

  15. 15.

    This forms part of an ongoing research project in which we are evaluating the possibility of an integrated methodology for risk and compliance management. The integration between risk management and compliance in general opens for a potential integration where compliance (legal) requirements will be accounted in the risk analysis in general including security risk analysis. This is because regulations have their entire base on the necessity to protect different stakeholders from risks and need to be considered in the risk analysis.

  16. 16.

    Although it may not reflect the conventional usage within the technical sphere to refer such tasks as testing, it is not uncommon to encounter such reference. For example, the Organizations of the Treadway Commission (COSO) refers to compliance measures as ‘‘controls’’ and to inspecting a policy as ‘‘testing’’ the controls [16]. Similarly, privacy regulations refer to compliance measures as ‘‘access control measures’’ and to inspections as ‘‘testing’’ the controls [16].

  17. 17.

    RASEN (316853) is an EC funded project with the main objective of strengthening European organizations’ ability to conduct security assessments of  large scale networked systems through the combination of security risk assessment and security testing, taking into account the context in which the system is used, such as liability, legal and organizational issues as well as technical issues. See further


  1. Lessing, L.: CODE 2.0. Basic Books, New York (2006)

    Google Scholar 

  2. Reidenberg, J.: Lex informatica: the formulation of information policy rules through technology. Texas Law Rev. 76, 553–593 (1998)

    Google Scholar 

  3. Mahler, T., Bing, J.: Contractual risk management in an ICT context – searching for a possible interface between legal methods and risk analysis. Scand. Stud. Law 49, 340–357 (2006)

    Google Scholar 

  4. Haapio, H.: Introduction to proactive law: a business lawyer’s view. Scand. Stud. Law 49, 21–34 (2006)

    Google Scholar 

  5. A Report by Harvard Business Review Analytic Services: Meeting the cyber risk challenge (2012).

  6. Article 29 Data Protection Working Party: Opinion 05/2012 on Cloud Computing (WP196) (2012)

    Google Scholar 

  7. Mahler, T.: Legal risk management: developing and evaluating elements of a method for proactive legal analyses, with a particular focus on contracts. Ph.D. thesis, University of Oslo (2010)

    Google Scholar 

  8. Practical Law Company: Benchmarking survey: legal risk and compliance (2009).

  9. Vraalsen, F., Lund, M.S., Mahler, T., Parent, X., Stølen, K.: Specifying legal risk scenarios using the CORAS threat modelling language. In: Herrmann, P., Issarny, V., Shiu, S.C.K. (eds.) iTrust 2005. LNCS, vol. 3477, pp. 45–60. Springer, Heidelberg (2005)

    CrossRef  Google Scholar 

  10. Mahler, T.: Defining legal risk. Paper Presented at the Conference “Commercial Contracting for Strategic Advantage – Potentials and Prospects”, Turku University of Applied Sciences 2007, Conference Proceedings, pp. 10–31 (2007)

    Google Scholar 

  11. Breach Watch website.

  12. Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2011)

    CrossRef  Google Scholar 

  13. European Network and Information Security Agency (ENISA). Data protection notification in the EU. (2011),d.Yms

  14. National Conference of State Legislatures.

  15. Governatori, G., Hoffmann, J., Sadiq, S., Weber, I.: Detecting regulatory compliance for business process models through semantic annotations. In: Ardagna, D., Mecella, M., Yang, J. (eds.) Business Process Management Workshops. LNBIP, vol. 17, pp. 5–17. Springer, Heidelberg (2009)

    CrossRef  Google Scholar 

  16. Müller, S., Supatgiat, C.: A quantitative optimization model for dynamic risk-based compliance management. IBM J. Res. Dev. 51(3/4), 295–308 (2007)

    CrossRef  Google Scholar 

  17. van der Werf, J.M.E., Verbeek, H.M.W., van der Aalst, W.M.: Context-aware compliance checking. In: Barros, A., Gal, A., Kindler, E. (eds.) BPM 2012. LNCS, vol. 7481, pp. 98–113. Springer, Heidelberg (2012)

    CrossRef  Google Scholar 

  18. Common Criteria: Common Criteria for Information Technology Security Evaluation: Part 3: Security Assurance Components. Version 3.1, Revision 4, September 2012. CCMB-2012-09-003 (2012)

    Google Scholar 

Download references


This work has been funded by the European Commission via the RASEN (316853) project. Thanks are also due to Tobias Mahler for his continuous guidance and support.

Author information

Authors and Affiliations


Corresponding author

Correspondence to Samson Yoseph Esayas .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Esayas, S.Y. (2014). Utilizing Security Risk Analysis and Security Testing in the Legal Domain. In: Bauer, T., Großmann, J., Seehusen, F., Stølen, K., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2013. Lecture Notes in Computer Science(), vol 8418. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-07075-9

  • Online ISBN: 978-3-319-07076-6

  • eBook Packages: Computer ScienceComputer Science (R0)