Model-based Management of Information System Security Risk

During the last twenty years, the impact of security concerns on the development and exploitation of information systems never ceased to grow. Security risk management methods are methodological tools, helping organisations to take rational decisions, regarding the security of their IS. Feedbacks on the use of such approaches show that they considerably reduce losses originating from security problems. Today, these methods are generally built around a well structured process. However, the product coming from the different risk management steps is still largely informal, and often not analytical enough. This lack of formality hinders the automation of the management of risk-related information. Another drawback of current methods is that they are generally designed for being used a posteriori, that is, to assess the way existing systems handle risks, and are with difficulty usable a priori, during information system development. Finally, with method using its own terminology, it is difficult to combine several methods, in the aim of taking advantage of each of them. For tackling the preceding problems, this thesis proposes a model-based approach for risk management, applicable from the early phases of information system development. This approach relies on a study of the domain's own concepts. This scientific approach is composed of three successive steps. The first step aims at defining a reference conceptual model for security risk management. The research method followed proposes to base the model on an extensive study of the literature. The different risk management and/or security standards, a set of methods representative of the current state of the practice, and the scientific works related to the domain, are analysed. The result is a semantic alignment table of the security risk management concepts, highlighting the key concepts taking place in such an approach. Based on this set of concepts, the security risk management domain model is built. This model is challenged by domain experts in standardisation, risk management practitioners and scientists. The second step of this research work enriches the domain model with the different metrics used in a risk management method. The proposed approach combines two methods to define this set of metrics. The first one is the Goal-Question-Metric (GQM) method applied on the domain model. This method allows to focus on reaching the best return on security investment. The second one enriches the metrics identified with the first approach, through a study of the literature based on standards and methods addressed during the first step. An experimentation on a real case of these metrics is performed, in the frame of supporting a SME towards the ISO/IEC 27001 certification. Finally, in a third step, a set of conceptual modelling languages dedicated to information security is noticed in the literature. These languages are mainly coming from the requirements engineering domain. They allow to tackle security during the early phases of information system development. The conceptual support proposed by each of them is evaluated, and thus the gap to bridge for being able to completely model the different steps of risk management too. This work ends in an extension proposal of the Secure Tropos language, and a process to follow for using this extension in the frame of risk management, illustrated by an example.(DOCSC06)--FUNDP, 200