• Media type: Other publication; Dissertation; Electronic thesis; E-book
• Title: Managing Security Risks During Requirements Engineering
• Contributors: Wirtz, Roman [Author]
• Published: University of Duisburg-Essen: DuEPublico2 (Duisburg Essen Publications online), 2021-12-22
• Extent: xiii, 307 pages
• Language: English
• DOI: https://doi.org/10.17185/duepublico/75247
• Keywords: Requirements engineering -- Risk Management -- Security -- Information Security -- Problem Frames ; Fakultät für Ingenieurwissenschaften » Informatik und Angewandte Kognitionswissenschaft
• Origin:
• Notes: This data source also contains holdings records that do not lead to a full text.
• Description: Due to the ongoing digitalization of our everyday life, the consideration of security for software-intensive systems is of great importance. The number of reported security incidents has increased sharply in recent years. Each may lead to substantial damage for companies, not only financially but also in terms of reputation loss. In order to avoid such incidents, security should be addressed as early as possible during software development, i.e. during requirements engineering, by following the principle of security-by-design. To spend the resources available during software development effectively, it is necessary to prioritize the analysis of incidents. As a criterion for this prioritization, it is possible to take their risk level into account. Risk is defined as the likelihood of occurrence of an incident combined with its consequences for an asset, i.e. something of value. In the context of information security, an asset is a piece of information that shall be protected with regard to confidentiality, integrity, or availability. The ISO 27005 standard defines guidelines for security risk management processes, which consist of a set of coordinated activities to identify, evaluate, and treat risks. Although risk management is a well-known concept in the area of security, current research in this field has several open issues, especially in the context of requirements engineering. We identified the following challenges that requirements engineers and security engineers are confronted with when managing security risks. (1) Having a common understanding of what shall be analyzed: Software under development can be described in terms of its functional requirements. Since these requirements can serve as one of the initial inputs for security analysis, they have to be documented precisely. (2) Finding the right level of abstraction: Technical details, e.g. which database systems will be used, are not available in the earliest stages of software development. Therefore, it is necessary to abstract knowledge about incidents and suitable ...
• Access status: Open access