Abstract
Security risk analysis should be conducted regularly to maintain an acceptable level of security. In principle, all risks that are unacceptable according to the predefined criteria should be mitigated. However, risk mitigation comes at a cost, and only the countermeasures that cost-efficiently mitigate risks should be implemented. This paper presents an approach to integrate the countermeasure cost-benefit assessment into the risk analysis and to provide decision makers with the necessary decision support. The approach comes with the necessary modeling support, a calculus for reasoning about the countermeasure cost and effect, as well as means for visualization of the results to aid decision makers.
© 2013 IFIP International Federation for Information Processing
About this paper
Cite this paper
Tran, L.M.S., Solhaug, B., Stølen, K. (2013). An Approach to Select Cost-Effective Risk Countermeasures. In: Wang, L., Shafiq, B. (eds) Data and Applications Security and Privacy XXVII. DBSec 2013. Lecture Notes in Computer Science, vol 7964. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39256-6_18
DOI: https://doi.org/10.1007/978-3-642-39256-6_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39255-9
Online ISBN: 978-3-642-39256-6