
Risk Treatment: An Iterative Method for Identifying Controls

Conference paper. Published in: Evaluation of Novel Approaches to Software Engineering (ENASE 2020). Part of the book series: Communications in Computer and Information Science (CCIS, volume 1375).

Abstract

Due to the increasing number of security incidents in recent years, considering security during software development is becoming increasingly important. A certain level of security can be achieved by applying suitable countermeasures. The ISO 27001 standard demands a risk-based selection of countermeasures, i.e. controls, for information security: risk serves as the prioritization criterion for selecting controls. To reduce development effort, security should be addressed as early as possible in the software development lifecycle.

In this paper, we present an iterative and risk-based method to select controls during requirements engineering, following the principle of security-by-design. We select controls based on unacceptable risks and the related functional requirements. Each risk and control is described by attributes that allow an evaluation of the control’s effectiveness based on the Common Vulnerability Scoring System. The evaluation is supported by a web-based tool. A distinguishing feature of our method is that during iteration, we consider new incidents that may occur when applying a control. For documenting the results, we present a metamodel that ensures consistency and traceability between requirements and security aspects.
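The following Python is an added illustration of the iteration the abstract describes; it is not code from the paper or from the authors' web-based tool. It assumes that a risk's attributes are its CVSS v3.1 base metrics, that a control is described by the metrics it changes plus the new incidents it introduces, and that controls are chosen greedily by score reduction against an acceptance threshold; the risks, controls and threshold are constructed sample data.

```python
import math

# CVSS v3.1 base-metric weights (FIRST.org spec); PR holds (Scope Unchanged, Scope Changed).
CIA = {"H": .56, "L": .22, "N": 0.0}
W = {"AV": {"N": .85, "A": .62, "L": .55, "P": .2}, "AC": {"L": .77, "H": .44}, "UI": {"N": .85, "R": .62},
     "PR": {"N": (.85, .85), "L": (.62, .68), "H": (.27, .5)}, "C": CIA, "I": CIA, "A": CIA}
def roundup(x):  # one-decimal round-up as defined in CVSS v3.1 Appendix A
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0
def parse(vector):  # 'AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}
    return dict(part.split(":") for part in vector.split("/"))
def base_score(m):
    """CVSS v3.1 base score of a base-metric dict (the attribute set a risk carries)."""
    changed = m["S"] == "C"
    iss = 1 - (1 - W["C"][m["C"]]) * (1 - W["I"][m["I"]]) * (1 - W["A"][m["A"]])
    impact = 7.52 * (iss - .029) - 3.25 * (iss - .02) ** 15 if changed else 6.42 * iss
    expl = 8.22 * W["AV"][m["AV"]] * W["AC"][m["AC"]] * W["PR"][m["PR"]][changed] * W["UI"][m["UI"]]
    return 0.0 if impact <= 0 else roundup(min((1.08 if changed else 1.0) * (impact + expl), 10))

def treat(risks, controls, acceptable):
    """Each round: apply the unused control with the largest score reduction over unacceptable risks,
    then add the incidents that control introduces as new risks; stop when all risks are acceptable."""
    risks, applied = dict(risks), []
    while True:
        open_ = [n for n in risks if base_score(risks[n]) > acceptable]
        if not open_:
            return applied, risks  # every risk is acceptable
        best, gain = None, 0.0
        for c in controls:
            g = sum(base_score(risks[n]) - base_score({**risks[n], **c["overrides"]})
                    for n in open_ if n in c["applies_to"]) if c["name"] not in applied else 0.0
            if g > gain:
                best, gain = c, g
        if best is None:
            return applied, risks  # residual risk no control reduces: needs another treatment option
        applied.append(best["name"])
        for n in set(best["applies_to"]) & set(risks):
            risks[n] = {**risks[n], **best["overrides"]}
        risks.update({n: parse(v) for n, v in best["introduces"].items()})  # new incidents

# Constructed sample: R1 = unauthenticated read/write of customer records; C1 introduces
# R2 (credential store disclosure) and C2 introduces R3 (lockout of legitimate users).
RISKS = {"R1": parse("AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N")}
CONTROLS = [
    {"name": "C1 authenticate API calls", "applies_to": ["R1"], "overrides": {"PR": "L"},
     "introduces": {"R2": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}},
    {"name": "C2 hash passwords, rate-limit logins", "applies_to": ["R2"], "overrides": {"AC": "H"},
     "introduces": {"R3": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}},
    {"name": "C3 per-record authorization", "applies_to": ["R1"], "overrides": {"C": "L", "I": "L"}, "introduces": {}},
]
```

With an acceptance threshold of 5.9, `treat(RISKS, CONTROLS, 5.9)` selects C3, then C1 (whose introduced incident R2 scores 7.5 and triggers a further round), then C2, whose introduced incident R3 scores 5.3 and is accepted.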



Author information

Corresponding author: Roman Wirtz.


Copyright information

© 2021 Springer Nature Switzerland AG


Cite this paper

Wirtz, R., Heisel, M. (2021). Risk Treatment: An Iterative Method for Identifying Controls. In: Ali, R., Kaindl, H., Maciaszek, L.A. (eds) Evaluation of Novel Approaches to Software Engineering. ENASE 2020. Communications in Computer and Information Science, vol 1375. Springer, Cham. https://doi.org/10.1007/978-3-030-70006-5_12

  • DOI: https://doi.org/10.1007/978-3-030-70006-5_12
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-030-70005-8
  • Online ISBN: 978-3-030-70006-5
  • eBook Packages: Computer Science (R0)