Combining Security Risk Assessment and Security Testing Based on Standards

  • Conference paper
  • Risk Assessment and Risk-Driven Testing (RISK 2015)

Part of the book series: Lecture Notes in Computer Science ((LNPSE,volume 9488))


Abstract

Managing cyber security has become increasingly important due to the growing interconnectivity of computerized systems and their use in society. A comprehensive assessment of cyber security can be challenging, as it spans different domains of knowledge and expertise. For instance, identifying cyber security vulnerabilities requires detailed technical expertise and knowledge, while assessing the organizational impact and legal implications of cyber security incidents may require expertise and knowledge related to risk and compliance. Standards like ISO 31000 and ISO/IEC/IEEE 29119 detail the relevant aspects of risk management and testing and thus provide guidance in these areas. However, neither standard is exclusively dedicated to the subject of security, and neither covers the explicit integration of security risk assessment with security testing. We think, however, that they provide a good basis for it. In this paper we show how ISO 31000 and ISO/IEC/IEEE 29119 can be integrated to provide a comprehensive approach to cyber security that covers both security risk assessment and security testing.


Notes

  1. www.rasen-project.eu.


Acknowledgements

This work has been conducted as a part of EU project RASEN (316853) funded by the European Commission within the 7th Framework Program.


Correspondence to Jürgen Großmann.


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Großmann, J., Seehusen, F. (2015). Combining Security Risk Assessment and Security Testing Based on Standards. In: Seehusen, F., Felderer, M., Großmann, J., Wendland, MF. (eds) Risk Assessment and Risk-Driven Testing. RISK 2015. Lecture Notes in Computer Science(), vol 9488. Springer, Cham. https://doi.org/10.1007/978-3-319-26416-5_2


  • DOI: https://doi.org/10.1007/978-3-319-26416-5_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-26415-8

  • Online ISBN: 978-3-319-26416-5
