Open Access  Subscription or Fee Access

From the olden days to till date risk has always played a very important role and is therefore very much needed to be given importance. Risk refers to the protection of product from Interception, Fabrication, Modification and Interruption. Active attacks and passive attacks create awoke in final software product. The solution to this problem is to take care of risk from the initial stages of any product development. The first stage of any System development is the Requirement’s engineering process. In requirement engineering domain, Risk analysis, Risk management and Risk assessment is the most effective tool because it helps us to compare requirements and cost of risk measures. In this paper we have pointed out the need to introduce risk analysis issues in the requirement engineering process. The focus of this paper is to suggest some methods and tools which will understand risk from the early stages of information system development.

Risk, Threat, Requirement Engineering, Vulnerability

P. Gaunard, E. Dubois: Using Requirements Engineering Techniques for Bridging the Gap Between Risk Analysis and Security Policies, 18th IFIP International Information Security Conference, Athens, Greece, May 2003.

J. D. Moffett, B. A. Nuseibeih: A Framework for Security Requirements Engineering, Department of Computer Science, YCS368. University of York, UK, 2003.

BS7799-1:1999 Information Security Management - Part 1: Code of Practice for Information Security, British Standards Institution, London, 1999.

L. Chung: Dealing with Security Requirements During the Development of Information System, 5th International Conference on Advanced Information Systems Engineering, CAiSE’93, Paris, France, June 1993.

R. Fredriksen, M. Kristiansen, B. A. Gran, K. Stølen, T. A. Opperud, T. Dimitrakos: The CORAS framework for a model-based risk management process, Proceedings of the 21st International Conference on Computer Safety, Reliability and Security (Safecomp 2002), LNCS 2434, pp. 94-105, Springer, 2002

A. Dardenne, A. van Lamsweerde, S. Fickas: Goal- Directed Requirements Acquisition, Science of Computer Programming Vol. 20, North Holland, pp. 3-50, 1993.

Expression des Besoins et Identification des Objectifs de S´ecurit´e (EBIOS), Direction Centrale de la S´ecurit´e des Syst`emes d’Information (France), February 2004. http://www.ssi.gouv.fr/

M´ethode Harmonis´ee d’Analyse de Risques (MEHARI), CLUSIF, Version 3, October 2004. http://www.clusif.asso.fr/

Operationally Critical Threat, Asset and Vulnerability Evaluation (OCTAVE), Carnegie Mellon - Software Engineering Institute, June 1999. http://www.cert.org/octave/

IT Baseline Protection Manual, BSI - Germany, October 2003. http://www.bsi.bund.de/english/gshb/

CRAMM, CCTA3 Risk Analysis and Management Method. http://www.cramm.com/

I. Alexander: Misuse Cases Help to Elicit Non- FunctionalRequirements, Position paper for Policy Workshop 1999, Bristol, U.K., November 1999.

J. McDermott, C. Fox: Using Abuse Case Models for Security Requirements Analysis, 15th Annual Computer Security Applications Conference, Phoenix, Arizona, December 1999.

L. Lin, B. Nuseibeh, D. Ince, M. Jackson: Using Abuse Frames to Bound the Scope of Security Problems, RE’04, Kyoto, Japan, 2004.

L. Chung, B.A. Nixon, E.Yu, J. Mylopoulos: Non- Functional Requirements in Software Engineering, Kluwer Academic Publishers, Boston, 2000.

L. Liu, E. Yu, J. Mylopoulos: Analyzing Security Requirements As Relationships among Strategic Actors, 2nd Symposium on Requirements Engineering for Information Security (SREIS), Raleigh, North Carolina, 2002.

E. Yu: Towards Modeling and Reasoning Support for Early-Phase Requirements Engineering, Proceedings of the IEEE Int. Symp. Requirements Engineering, Annapolis, Maryland, pp. 226-235, January 1997.