Abstract
Nowadays, security has become one of the most demanded characteristics of information systems. However, the ways to address information systems security still lack consensus and integration. On the one hand, researchers have extended
various modelling languages and methods with security-oriented constructs in order to take security concerns into account throughout the development lifecycle. On the other hand, practitioners have developed risk management methods to help
estimate the relative importance of security risks and the cost-effectiveness of solutions to tackle them. They are mainly driven by security standards that help practitioners assess and improve the security level of their organisations. Obviously, those two families of approaches should be unified so as to maximise the
return on investment of implementing security requirements, and thereby align business and information technology concerns related to security. This is the challenge that our research aims to address. This paper presents a research agenda and describes the first steps that were undertaken to achieve it: an alignment of the terminology in the risk management literature and the elaboration of a conceptual model of the risk management domain. Those results will then be inputs for the next phases, which aim to integrate security and risk management concepts in information system development methods.
| Original language | English |
|---|---|
| Title of host publication | First IEEE International Conference on Research Challenges in Information Science (RCIS'07) |
| Editors | Colette Roll, Oscar Pastor, Abdelfdil Bennani, André Flory |
| Place of Publication | Ouarzazate |
| Publisher | IEEE Computer Society Press |
| Publication status | Published - 2007 |
Keywords
- Conceptual modelling
- Standards
- Security
- Requirements Engineering
- Risk Management