Risk-Based Elicitation of Security Requirements According to the ISO 27005 Standard
Peer reviewed, Journal article
Accepted version

Date
2019
Collections
- Publikasjoner fra CRIStin - SINTEF AS [6144]
- SINTEF Digital [2620]
Original version
Communications in Computer and Information Science. 2019, 1023, 71-97. 10.1007/978-3-030-22559-9_4
Abstract
Security is of great importance for software-intensive systems. Security incidents have become more and more frequent in the last few years. Such incidents can lead to substantial damage, not only financially but also in terms of reputation loss. The security of a software system can be compromised by threats, which may harm assets with a certain likelihood, thus constituting a risk. All such risks should be identified, and unacceptable risks should be reduced. The task of dealing with risks is called risk management and should be performed right from the beginning of the software development process. Security requirements can be used to address security aspects during requirements engineering. We propose a risk-based method to elicit security requirements based on functional requirements. Our method complies with the ISO 27005 standard for security risk management. We provide guidance for all steps of that process, and the results are collected in a model. We also define validation conditions to support the identification of errors as early as possible when carrying out the process.