A Comparison of Security Modelling Languages used for Security Risk

Name
Andrei Proskurin
Abstract
Nowadays, every company that has valuable assets has an urge to protect them. Unfortunately, it is impossible to act on every single security threat. To mitigate these threats, Security Modelling Languages were extended for use in Security Risk Management. However, choosing a suitable language can be a difficult decision, because it is hard to compare these languages and decide which one would bring the most cost-effective solution. Every security solution has its cost, and companies have limited resources. The language chosen for Security Risk Management must suit the company's needs, as this is important for getting a positive ROI (return on investment). In addition, Security Risk Management takes place in the early stages of IS development, and choosing a security modelling language that does not suit the company's needs will result in a loss of time as well as possible system vulnerabilities. Our technical contribution to the solution of this problem is a comparison of the following Security Modelling Languages: BPMN, Secure Tropos, Misuse cases and Mal-activity diagrams. It is important to determine how these languages align with the Information System Security Risk Management (ISSRM) domain model. The comparison is based on a case study and empirical research, in order to understand the semiotic clarity of these languages when used to express security concerns. The empirical research within the case study allows us to point out in which ways one language performs better than another with regard to ISSRM. The chosen security modelling languages have limitations in semiotic clarity, as they were not designed for security risk management in the first place, but when used in terms of ISSRM they help to mitigate risks starting from the early stages of IS development.
Graduation Thesis language
English
Graduation Thesis type
Bachelor - Computer Science
Supervisor(s)
Raimundas Matulevičius; Sven Laur
Defence year
2014