论文信息 - Combining Privacy and Security Risk Assessment in Security Quality Requirements Engineering

Combining Privacy and Security Risk Assessment in Security Quality Requirements Engineering

Security risk assessment identifies the threats to sys- tems, while privacy risk assessment identifies data sen- sitivities in systems. The Security Quality Require- ments Engineering (SQUARE) method is used to iden- tify software security issues in the early stages of the development lifecycle. We propose combining the ex- isting security risk assessment techniques in SQAURE with the Privacy Impact Assessment (PIA) technique and the Health Insurance Portability and Accountability Act (HIPAA) to address the full spectrum of security and privacy risks. Our ultimate goal is to introduce a privacy requirements engineering method that uses steps of SQUARE for privacy instead of or in addition to security.

Nancy R. Mead | Saeed Abu-Nimeh

[1] Gary Stoneburner,et al. SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[2] Nancy R. Mead,et al. Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[3] Seiya Miyazaki,et al. Integrating Privacy Requirements into Security Requirements Engineering , 2009, SEKE.

[4] Shin Ta Liu,et al. Risk Modeling, Assessment, and Management , 1999, Technometrics.

[5] Fabio Casati,et al. Engineering Privacy Requirements in Business Intelligence Applications , 2008, Secure Data Management.

[6] Seiya Miyazaki,et al. Computer-Aided Privacy Requirements Elicitation Technique , 2008, 2008 IEEE Asia-Pacific Services Computing Conference.

[7] Jason Edwin Stamp,et al. A classification scheme for risk assessment methods. , 2004 .

[8] Shari Lawrence Pfleeger,et al. Harmonizing privacy with security principles and practices , 2009, IBM J. Res. Dev..

[9] Nancy R. Mead,et al. Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[10] Nancy R. Mead,et al. Privacy Risk Assessment in Privacy Requirements Engineering , 2009, 2009 Second International Workshop on Requirements Engineering and Law.