Managing Risk in Secure System: Antecedents to System Engineers´ Trust Assumptions Decisions

Operating within a system context, security requirement engineers or analysts face enormous, diverse, and timely security requirement decisions today more than ever, primarily because of the complexities, rapidity, and evolving continuum of security threats that exist today, in part because of advances in technological capabilities and limited available resources. Although literature has shown that requirement engineers use trust assumption in limiting the scope of information systems security requirement analysis in their risk management strategy, examination of precursors to trust assumption decision is very limited. Therefore, the objective of this paper is to conceptualize, examine, and analyze the antecedents to requirement engineers trust assumption decisions. First, the study used problem frame approach to analyze the context and design decisions and to show the physical model of the system under investigation. Second, the paper used hypothesis testing to examine causality between the constructs and the phenomenon. Hence, this study argues that an analyst´s trust assumption decisions of whether to include or exclude software, system, or subsystem from security requirement analysis is not made in a vacuity, but on the predisposition of the trust or and the characteristics of the trustee. The result indicates that the predisposition of the trust or and the characteristics of trustee are precursors to requirement engineers´ trust assumption decisions.