Multi-Attribute Risk Assessment

Authors: Shawn A. Butler and Paul Fischbeck

Symposium on Requirements Engineering for Information Security, 2002.



Best practice dictates that security requirements be based on risk assessments; however, simplistic risk assessments that result in lists or sets of scenarios do not provide sufficient information to prioritize requirements when faced with resource constraints (e.g., time, money). Multi-attribute risk assessments provide a convenient framework for systematically developing quantitative risk assessments that the security manager can use to prioritize security requirements. This paper presents a multi-attribute risk assessment process and results from two industry case studies that used the process to identify and prioritize their risks. 


Brought to you by the Composable Software Systems Research Group in the School of Computer Science at Carnegie Mellon University.

[Last modified 02-OCT-02.]