Skip to main content
SpringerLink
Log in

Security Requirements Prioritization Based on Threat Modeling and Valuation Graph

  • Conference paper
Convergence and Hybrid Information Technology (ICHIT 2011)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 206))

Included in the following conference series:

Abstract

Information systems manage assets that are critical for the business processes of organizations. Therefore, it is imperative that information systems be guaranteed and secured from the beginning of their development life cycle. Several approaches such as misuse cases, attack tree, and threat modeling have been proposed by way of security requirements. However, these approaches do not prioritize security requirements, though it is necessary in many cases. For example, when the security budget is insufficient, security requirements need to be prioritized to decide what will be developed and what will not. In this paper, we propose an extension to threat modeling by creating a process that allows the prioritization of security requirements via the valuation of assets, threats, and countermeasures modeled in a tree-like structured graph that we refer to as a “valuation graph.”

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Walton, J.P.: Developing an Enterprise Information Security Policy. In: Proc. 30th Annual ACM SIGUCCS Conference on User Services, pp. 153–156. ACM, New York (2002)

    Chapter  Google Scholar 

  2. Lipner, S.: The Trustworthy Computing Security Development Lifecycle. In: Proc. Computer Security Applications Conference, pp. 2–13. IEEE Press, Tucson (2004)

    Chapter  Google Scholar 

  3. Sindre, G., Opdahl, A.: Capturing Security Requirements through Misuse Case. In: Proc. 14th Norwegian Informatics Conference (NIK 2001), Tromso, pp. 26–28 (2001)

    Google Scholar 

  4. Diallo, M.H., et al.: A Comparative Evaluation of Three Approaches to Specifying Security Requirements. In: Proc. International Working Conference on Requirement Engineering: Foundation for Software Quality(REFSQ 2006), Luxembourg (2006)

    Google Scholar 

  5. Myagmar, S., Lee, A., Yurcik, W.: Threat Modeling as a Basis for Security Requirements. In: Proc. Symposium on Requirements Engineering for Information Security SREIS, Chteseer, Paris, pp. 94–102 (2005)

    Google Scholar 

  6. Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press (2004)

    Google Scholar 

  7. Firesmith, D.: Specifying Reusable Security Requirements. Journal of Object Technology 3, 61–75 (2004)

    Article  Google Scholar 

  8. Smith, J., Schuff, R., Louis, R.: Managing your IT Total Cost of Ownership. Communications of the ACM 45, 101–106 (2002)

    Article  Google Scholar 

  9. MacCormack, A.: Evaluating Total Cost of Software Platforms: Comparing Apples, Oranges and Cucumbers, http://ideas.repec.org/p/reg/wpaper/168.html

  10. Threats and countermeasures, http://msdn.microsoft.com/en-us/library/aa302418.aspx

Download references

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Sogang University, Seoul, Korea

    Keun-Young Park, Sang-Guun Yoo & Juho Kim

Authors
  1. Keun-Young Park
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Sang-Guun Yoo
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Juho Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. 90301, 3F, Computer Engineering Department, Hannam University, 70 Hannamro, Daedeuk-gu, Daejeon, Korea

    Geuk Lee

  2. QinetiQ Company Fellow, Howard Science Limited, 24 Sunrise, WR14 2NJ, Malvern, United Kingdom

    Daniel Howard

  3. Institute of Mathematics, University of Warsaw, ul. Banacha 2, 02-097, Warsaw, Poland

    Dominik Ślęzak

Rights and permissions

Reprints and permissions

Copyright information

© 2011 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Park, KY., Yoo, SG., Kim, J. (2011). Security Requirements Prioritization Based on Threat Modeling and Valuation Graph. In: Lee, G., Howard, D., Ślęzak, D. (eds) Convergence and Hybrid Information Technology. ICHIT 2011. Communications in Computer and Information Science, vol 206. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24106-2_19

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-24106-2_19

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-24105-5

  • Online ISBN: 978-3-642-24106-2

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation