Abstract
Information systems manage assets that are critical to the business processes of organizations. It is therefore imperative that information systems be secured from the beginning of their development life cycle. Several approaches, such as misuse cases, attack trees, and threat modeling, have been proposed for eliciting security requirements. However, these approaches do not prioritize security requirements, though prioritization is necessary in many cases. For example, when the security budget is insufficient, security requirements need to be prioritized to decide what will be developed and what will not. In this paper, we propose an extension to threat modeling by creating a process that allows the prioritization of security requirements via the valuation of assets, threats, and countermeasures modeled in a tree-like structured graph that we refer to as a “valuation graph.”
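An illustrative implementation of the prioritization idea in the abstract, added here as an example and not taken from the paper: the valuation graph is a tree of assets, threats and countermeasures, and the scoring rule (expected loss avoided per unit cost, followed by greedy selection under a budget), the field names and all sample values are assumptions, since the abstract does not give the paper's own valuation formula.

```python
from dataclasses import dataclass

@dataclass
class Countermeasure:
    name: str
    cost: float        # implementation cost, same money unit as asset value
    mitigation: float  # fraction of the parent threat's expected loss removed (0..1)

@dataclass
class Threat:
    name: str
    likelihood: float  # assumed annual probability the threat is realised (0..1)
    impact: float      # fraction of the asset's value lost if realised (0..1)
    countermeasures: list

@dataclass
class Asset:
    name: str
    value: float       # business value; the asset is the root of its subtree
    threats: list

def prioritize(assets):
    # Expected loss of a threat = asset value * likelihood * impact; each
    # countermeasure leaf is ranked by expected loss avoided per unit cost.
    # Returns (score, name, loss_avoided, cost) tuples, best first.
    ranked = []
    for asset in assets:
        for threat in asset.threats:
            loss = asset.value * threat.likelihood * threat.impact
            for cm in threat.countermeasures:
                avoided = loss * cm.mitigation
                ranked.append((avoided / cm.cost, cm.name, avoided, cm.cost))
    return sorted(ranked, reverse=True)

def select_within_budget(ranked, budget):
    # Greedy: take countermeasures in ranked order while the budget allows.
    chosen, spent = [], 0.0
    for _score, name, _avoided, cost in ranked:
        if spent + cost <= budget:
            chosen.append(name)
            spent += cost
    return chosen

# Constructed sample graph with made-up values (not taken from the paper).
CUSTOMER_DB = Asset("customer database", value=1_000_000, threats=[
    Threat("SQL injection", likelihood=0.3, impact=0.5, countermeasures=[
        Countermeasure("parameterised queries", cost=20_000, mitigation=0.9),
        Countermeasure("web application firewall", cost=50_000, mitigation=0.5)]),
    Threat("credential theft", likelihood=0.2, impact=0.8, countermeasures=[
        Countermeasure("multi-factor authentication", cost=30_000, mitigation=0.8)])])
```

With a budget of 60,000 the greedy pass funds parameterised queries and multi-factor authentication and defers the firewall, which is the kind of budget-driven cut the abstract motivates.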
© 2011 Springer-Verlag Berlin Heidelberg
Park, KY., Yoo, SG., Kim, J. (2011). Security Requirements Prioritization Based on Threat Modeling and Valuation Graph. In: Lee, G., Howard, D., Ślęzak, D. (eds) Convergence and Hybrid Information Technology. ICHIT 2011. Communications in Computer and Information Science, vol 206. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24106-2_19
DOI: https://doi.org/10.1007/978-3-642-24106-2_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24105-5
Online ISBN: 978-3-642-24106-2
eBook Packages: Computer Science (R0)