Title :
Security Risk Management by Qualitative Vulnerability Analysis
Author :
Elahi, Golnaz ; Yu, Eric ; Zannone, Nicola
Author_Institution :
Univ. of Toronto, Toronto, ON, Canada
Abstract :
Security risk assessment in the requirements phase is challenging because risk factors, such as the probability and damage of attacks, are not always numerically measurable or available in the early phases of development. This makes the selection of proper security solutions problematic because the mitigating impacts and side-effects of solutions are often not quantifiable. In the early development phases, analysts need to assess risks in the absence of numerical measures or deal with a mixture of quantitative and qualitative data. We propose a risk analysis process which intertwines security requirements engineering with a vulnerability-centric and qualitative risk analysis method. The proposed method is qualitative and vulnerability-centric, in the sense that by identifying and analyzing common vulnerabilities the probability and damage of risks are evaluated qualitatively. We also propose an algorithmic decision analysis method that considers risk factors and alternative security solutions, and helps analysts select the most cost-effective solution. The decision analysis method enables making a decision when some of the available data is qualitative.
Keywords :
decision making; probability; risk analysis; security of data; algorithmic decision analysis method; attack damage; probability; qualitative risk analysis method; qualitative vulnerability analysis; risk damage; security requirements engineering; security risk assessment; security risk management; vulnerability-centric risk analysis method; Analytical models; Authentication; Binary codes; Measurement; Risk management; Software;
Conference_Title :
Security Measurements and Metrics (Metrisec), 2011 Third International Workshop on
Conference_Location :
Banff, AB
Print_ISBN :
978-1-4673-1245-5
DOI :
10.1109/Metrisec.2011.12