My main supervisor was Eric Dubois (Director of the SSI department at the CRP Henri Tudor) and my co-supervisor was Patrick Heymans (Professor at the University of Namur). The work was supported by the FNR (National Research Fund of Luxembourg) and the CRP Henri Tudor. The research work was performed within the context of the LIASIT (Luxembourg International Advanced Studies in Information Technologies) Institute.
During the last twenty years, the impact of security concerns on the development and operation of information systems (IS) has never ceased to grow. Security risk management methods are methodological tools that help organisations take rational decisions regarding the security of their IS. Feedback on the use of such approaches shows that they considerably reduce losses originating from security problems. Today, these methods are generally built around a well-structured process. However, the product of the different risk management steps is still largely informal, and often not analytical enough. This lack of formality hinders the automation of the management of risk-related information. Another drawback of current methods is that they are generally designed to be used a posteriori, that is, to assess the way existing systems handle risks, and are difficult to use a priori, during information system development. Finally, since each method uses its own terminology, it is difficult to combine several methods in order to take advantage of each of them. To tackle the preceding problems, our contribution proposes a model-based approach for risk management, applicable from the early phases of information system development onwards. This approach relies on a study of the domain's own concepts.
Our scientific approach is composed of three successive steps. The first step aims at defining a reference conceptual model for security risk management. The research method followed bases our model on an extensive study of the literature: the different risk management and/or security standards, a set of methods representative of the current state of practice, and the scientific works related to the domain are analysed. The result is a semantic alignment table of the security risk management concepts, highlighting the key concepts involved in such an approach. Based on this set of concepts, the security risk management domain model is built. This model is challenged by domain experts in standardisation, risk management practitioners and scientists.
The second step of our research work enriches the domain model with the different metrics used in a risk management method. The proposed approach combines two methods to define this set of metrics. The first is the Goal-Question-Metric (GQM) method applied to our domain model; it allows us to focus on reaching the best return on security investment. The second enriches the metrics identified by the first approach through a study of the literature, based on the standards and methods addressed in the first step. These metrics are experimented on a real case, in the frame of supporting an SME towards ISO/IEC 27001 certification.
Finally, in a third step, we observe in the literature a set of conceptual modelling languages dedicated to information security. These languages mainly come from the requirements engineering domain and allow security to be tackled during the early phases of information system development. We evaluate the conceptual support proposed by each of them, and thus the gap to bridge in order to completely model the different steps of risk management. This work ends in a proposed extension of the Secure Tropos language, and a process to follow for using this extension in the frame of risk management, illustrated by an example.