2010 CRC PhD Student Conference
Using Business Process Security Requirements for IT
Security Risk Assessment
Supervisors Bashar Nuseibeh
Probation viva After
Starting date October 2007
Companies and governmental organizations are suffering from information
technology (IT) risks caused by malicious or negligent events and by inappropriate
process designs related to authorization, access control or segregation of duties.
Examples of such events are the loss of two data discs of 25 million child benefit
records in the UK or the trading losses at Société Générale. Many quantitative and
qualitative methods and toolkits for IT security risk analysis have been developed
using e.g. Bayesian probability, Fuzzy theories, Courtney, the Livermore risk analysis
methodology (LRAM)… all of which are based on probabilities and events as risk is
defined e.g. in ISO 27002 as a “combination of the probability of an event and its
consequence” (, p. 2). But with these traditional risk analysis approaches, IT risks
often cannot be determined reliably and with precision. Because security events are
difficult to identify in a way that guarantees correctness and completeness of this
process, since the methods provide only general descriptions how to identify them .
Probabilities in practice are difficult to estimate with sufficient degree of precision and
reliability as statistical data is missing or outdated  and influenced by perception .
IT security risk assessment approaches using business process models and security
requirements provide a way which may overcome these limitations. The usage of
security requirements as well as business or critical assets for risk assessment is not
new and in general described in the ISO 27000 series as well as implemented in
approaches like Octave Allegro .
However, existing standards and approaches like the ISO 27000 series or Octave
Allegro referring to or utilizing security requirements are based on events/threats and
probabilities. Threat based approaches face limitations regarding precision and
reliability as they base on probabilities/impact estimates as well as on correct event
identification. Furthermore, these approaches do not determine the risk of non-
adherence or correct implementation of requirements. Other approaches using security
requirements without threats determine best security solutions for processes  or
analyse process security  but do not determine risks. Approaches that determine
security solutions or analyze process security are limited as they do not evaluate the
security risk of the current implementation. In addition, most risk assessment
approaches omit risks originating from the business process design and data flow as
well as do not consider any security dependencies as the all evaluate single
Page 98 of 125
2010 CRC PhD Student Conference
decomposed model elements. Additionally, the assessment results are dependent of a
point in time and do not consider the changing environment.
In contrast to existing approaches we suggest to base a IT security risk assessment
approach on business process security requirements and evaluating corresponding
security controls as well as security processes. We evaluate process security
requirements for a process business object including system, personnel, physical and
execution requirements, we consider security dependencies between processes and
evaluate IT standard security processes. An advantage of such an approach would be
that events and probabilities have not to be determined, business activities sequences
as well as security dependencies are considered and risk results more independent of a
point in time. Furthermore, such an approach would support the understanding and
definition of security requirements from a process and risk view.
The objective of our research is to provide insights and knowledge how to conduct a
risk assessment solely based on security requirements verification and implemented
security controls. The main focus of our research is the link between security
requirements and security controls and whether a risk assessment can be based
completely on security requirements rather than identifying risk with events and
probabilities. With our work we like to address the following research questions to
achieve our objective:
1) Can IT security risks be evaluated only with security requirements without
using threats and probabilities with the same quality/precision as in traditional
2) If we use a security requirements based risk assessment approach:
a) How can the evaluation of security requirements be better supported
helping to identify risks and evaluate risks?
b) How can we consider dependencies between security objectives or security
requirements influencing the risk assessment result?
c) Can we provide a more time-independent risk assessment results by
checking security process?
Problems with risk assessments
The issues of traditional risk assessments approaches are related to the definition of
risk consisting of events, probabilities and impact. To identify and to determine each
parameter in a risk assessment we must have comprehensive knowledge about the
direct environment of the risk - e.g. a company - as well as the outside environment -
all others. In reality comprehensive knowledge about the direct and outside
environment is not available, may be compromised and cannot be modelled as the real
world is too complex and unpredictable. Even if it would be possible to get
comprehensive knowledge we currently do not know how to achieve or how to verify
this knowledge. Another fallacy is that we attempt to determine risk exactly with
probabilities. This would require that all parameters, corresponding probabilities as
well as correlations are known, are immediately updated, base on enough statistic data
and could be modelled. In practice this is not the case rather we have to deal with
uncertainty which is not considered in current approaches, incomplete data and
unverified data. Furthermore, risk is about people. Their behaviour is not objective or
rational and may follow personal interests. Especially, in the risk estimation,
evaluation and mitigation phase behavioural biases influence the assessment and
decisions because of knowledge, perception, personal objectives as well as herd
Page 99 of 125
2010 CRC PhD Student Conference
instincts. Therefore, risk results are biased without any indication in what direction. In
addition, risk is taken by people and not by a company or institution. Therefore people
are at risk and not companies. Not the company is at risk rather than managers or
shareholders of that company. For all this various reasons developed methods can
only be attempts to determine risk that we believe are imprecise, biased and never be
The objective of our approach is to identify critical risks of a company based on
business process models and security requirements. We assume that business process
models are available as well as up-to-date and use standard methods/concepts of the
software engineering domain. Our approach probably won’t be able to identify all
possible risks as it concentrates on critical ones.
Figure 1. SR risk assessment approach.
Our approach follows in general the risk management and security requirements
elicitation process: to identify assets, to identify requirements and to assess them (fig.
1). The business process model assessment (left side of figure 1) has three stages, the
identification of critical business processes and business objects out of existing
business process models, the definition of the business process security requirements
and the assessment of the security requirements for each data process point. The
second stage of the assessment stage can be restarted and is therefore iterative. The IT
process assessment (right side of figure 1) consists also of three stages: the definition
of the used IT security standard process model, the selection of the assessed security
processes and the assessment of the process. There is a link between the requirements
and the process assessment. Because results of the IT security process assessment can
influence the requirements results as security objectives or requirements might be
Currently, we are completing the validation of our approach. We have chosen to
validate our approach by testing and applied our approach to several real world
examples within a reinsurance company. Our results support our assertion that risks
can be determined by evaluating security requirements. Further work will concentrate
on discussing validation issues as well as describing how our approach could be
integrated and utilized in traditional approaches.
Page 100 of 125
2010 CRC PhD Student Conference
 Richard Caralli, James Stevens, Lisa Young, and William Wilson. Introducing
OCTAVE Allegro: Improving the Information Security Risk Assessment Process. The
Software Engineering Institute, 2007.
 Peter Herrmann and Gaby Herrmann. Security requirement analysis of business
processes. Electron Commerce Research, 6:305– 335, 2006.
 International Organization of Standardization (ISO). ISO 27002 Information
technology - Security techniques - Code of practice for information security
management, International Organization of Standardization (ISO), 2005.
 Alexander W. Roehm, Guenther Pernul, and Gaby Hermann. Modelling secure
and fair electronic commerce. In Proceeding 14th Annual Computer Security
Applications Conference, Phoenix, Arizona, Dec. 7-11, 1998. IEEE Computer Society
 Andrew Stewart. On risk: perception and direction. Computers & Security,
 Lili Sun, Rajendra Srivastava, and Theodore Mock. An information systems
security risk assessment model under Dempster-Shafer theory of belief functions.
Journal of Management Information Systems, 22(4):109 –142, 2006.
 Stilianos Vidalis. A critical discussion of risk and threat analysis methods and
methodologies. Technical Report CS-04-03, University of Glamorgan, Pontypridd,
Page 101 of 125