actions or components of the IS and its organisation that act to reduce risks.
Examples: firewall; backup procedure; building guard.
6 Conclusion
Today, support for security risk management can no longer be overlooked, especially during the early phases of IS development. A review of the state of the art indicates that practitioner-oriented standards under-exploit modelling techniques. On the other hand, RE modelling techniques tend to neglect RM, and thereby the cost-effectiveness concerns that matter to practitioners. To improve on this situation, we aim at extending RE languages with ISSRM concepts. In this chapter, we reported on an important step towards this goal: the elaboration of a domain model for ISSRM. This approach is in line with the practices advocated for a long time by pioneers of the IS modelling discipline [50].
The proposed domain model extends an earlier version [40]. It consists of a conceptual model (UML class diagram) that highlights the main ISSRM concepts and their relationships, together with their corresponding definitions. Preliminary validation [19] of this domain model has already been performed by practitioners, researchers and standardization experts. We also obtained feedback on the use of the domain model as a teaching artefact for an ISO/IEC 27001 certification. Additionally, encouraging results were obtained with students enrolled in a professional Information System Security Management Master programme.
Our on-going work includes enriching the domain model with various metrics commonly used for risk estimation and evaluation [38]. Finally, our current work is progressing according to steps 3-4 of the research method presented in Sect. 2. With respect to step 3, we started evaluating existing security-oriented RE languages with the intent of later extending them to better support ISSRM. At this time, we have analysed KAOS [38], Misuse cases [36] and Secure Tropos [37]. Regarding step 4, an extension of Secure Tropos is under way.
Acknowledgments Thanks to Germain Saval for his help in editing this chapter. And finally, we
would like to express our immense gratitude to Colette Rolland for showing us the way.
References
1. Alberts CJ, Dorofee AJ (2001) OCTAVE method implementation guide version 2.0. Carnegie Mellon University, Software Engineering Institute, Pittsburgh, PA
2. Asnar Y, Giorgini P (2006) Modelling risk and identifying countermeasure in organizations. In: Proceedings of the 1st international workshop on critical information infrastructures security (CRITIS'06), Springer, Berlin, pp 55-66
3. AS/NZS 4360 (2004) Risk management. SAI Global
4. Bresciani P, Giorgini P, Giunchiglia F, Mylopoulos J, Perini A (2004) TROPOS: an agent-oriented software development methodology. Autonomous Agents Multi-Agent Systems 8:203-236