Probabilistic Risk Assessment for Security Requirements: A Preliminary Study

Risk assessment is a critical decision making process during the Security Certification and Accreditation (C&A) process. However, existing infrastructure-wide C&A processes in real world are challenged by the ever increasing complexity of information systems and their diverse socio-technical operational environments. The lack of an explicit model and the associated uncertainties of software behavior are two main reasons that directly impact the effectiveness of risk assessment as well as the subjective decisions made based on the different level of domain expertise. In this paper, we propose a method for a probabilistic model driven risk assessment on security requirements. The security requirements and their causal relationships are represented using MEBN (Multi-Entities Bayesian Networks) logic that constructs an explicit formal risk assessment model that supports evidence-driven arguments. The proposed approach is described by using real-world C&A scenarios to show not only its feasibility for security requirements risk assessment but also its effectiveness for the sensitivity analysis to identify critical influences among information entities in a complex and uncertain operational environment.