Learn More
Copyright and Moral Rights for the articles on this site are retained by the individual authors and/or other copyright owners. For more information on Open Research Online's data policy on reuse of materials please consult the policies page. Abstract—When software systems are verified against security requirements, formal and informal arguments provide a(More)
(2011). Risk and argument: a risk-based argumentation method for practical security. Copyright and Moral Rights for the articles on this site are retained by the individual authors and/or other copyright owners. For more information on Open Research Online's data policy on reuse of materials please consult the policies page. Abstract—When showing that a(More)
 Risk management is a good tool for controlling risk but it has the inherent challenge of quantitatively estimating frequency and impact in an accurate and trustworthy way.  Quantifying the frequency and impact of potential security threats requires experience-based data which is limited and rarely reusable because it involves company confidential data. (More)
Security management is about calculated risk and requires continuous evaluation to ensure cost, time and resource effectiveness. Parts of which is to make future-oriented, cost-benefit investments in security. Security investments must adhere to healthy business principles where both security and financial aspects play an important role. Information on the(More)
Increasingly, organizations collaborate with other organizations in value webs with various arrangements, such as outsourcing, partnering, joint ventures, or subcontracting. As the Jericho Forum (an industry consortium of the Open Group) observed, in all these forms of collaboration, the boundaries between organizations become permeable and, as a(More)
Attackers take advantage of any security breach to penetrate an organisation perimeter and exploit hosts as stepping stones to reach valuable assets, deeper in the network. The exploitation of hosts is possible not only when vulnerabilities in commercial off-the-shelf (COTS) software components are present, but also, for example, when an attacker acquires a(More)
Making well-founded security investment decisions is hard: several alternatives may need to be considered, the alternatives' space is often diffuse, and many decision parameters that are traded-off are uncertain or incomplete. We cope with these challenges by proposing a method that supports decision makers in the process of making well-founded and balanced(More)
Large organizations need to align the security architecture across three different domains: access control, network layout and physical infrastructure. Security policy specification formalisms are usually dedicated to only one or two of these domains. Consequently, more than one policy has to be maintained, leading to alignment problems. Approaches from the(More)
Insider threat is becoming comparable to outsider threat in frequency of security events. This is a very worrying situation, as insider attacks have a high probability of success because insiders have authorized access and legitimate privileges. As a result, organizations can suffer financial losses and damage to assets and to reputation. Despite their(More)