
EEMCS EPrints Service

RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version)

Herrmann, A. and Morali, A. (2010) RiskREP: Risk-Based Security Requirements Elicitation and Prioritization (extended version). Technical Report TR-CTIT-10-28, Centre for Telematics and Information Technology, University of Twente, Enschede. ISSN 1381-3625.

Open Access



Today, companies are required to be in control of the security of their IT assets. This is especially challenging in the presence of limited budgets and conflicting requirements. Here, we present Risk-Based Requirements Elicitation and Prioritization (RiskREP), a method for managing IT security risks by combining the results of a top-down requirements analysis with a bottom-up threat analysis. Top-down, it prioritizes security goals and from there derives verifiable requirements. Bottom-up, it analyzes architectures in order to identify security risks in the form of critical components. Linking these critical components to security requirements helps to analyze the effects of these requirements on business goals, and to prioritize security requirements. The security requirements also are the basis for deriving test cases for security analysis and compliance monitoring.

Item Type: Internal Report (Technical Report)
Research Group: EWI-DIES: Distributed and Embedded Security
Research Program: CTIT-ISTRICE: Integrated Security and Privacy in a Networked World
Research Project: VRIEND: Value-Based Security Risk Mitigation in Enterprise Networks that are Decentralized
Uncontrolled Keywords: Security requirements engineering, Risk assessment
ID Code: 18342
Deposited On: 31 August 2010
