Security and Risk Assessment: Black box modeling, Taxonomy and Systematic Literature Review

Licentiate thesis, 2016

In order to successfully perform and manage any type of project, there is a need to identify and assess the key factors that have an effect on the project's performance and its deliverables. Security and risk are two important concepts in contemporary information system industry that need to be assessed and addressed. Unfortunately, there exists no clear overall view of the key factors that are involved in the security and risk assessment processes. This thesis attempts to highlight the effect of system attributes and operation on security and risk assessment. Moreover, due to criticality of risk assessment in both information system and software development projects, the thesis attempts to clarify the assessment process by identifying and categorizing existing approaches and investigating their difference. To that end, the thesis proposes a structured approach for assessment and metrication of operational security that is based on black box modeling for categorizing security metrics as being protective or behavioral, and integrity metrics as being system-related or threat-related. The thesis also proposes a novel factor for improving reliability of security risk calculation and analysis by taking system operational factors into account. Another contribution of the thesis is taxonomy for the risk assessment process in which key players and phases in the risk assessment process are identified. Finally, different risk management strategies among various software development processes are investigated to identify potential advantages of one to the other.