| In industrial practice, security engineering is risk management: how to mitigate security risk given a finite budget? Today the IT of a business is connected to that of others in a value web of business partners, suppliers and customers, each of whom has its own confidentiality, integrity and availability requirements. This creates new security challenges, because there is no central decision-making authority in these networks. The question to be investigated in VRIEND is how to extend current risk management practices with methods and techniques to deal with security risks in decentralized networks. We will investigate this, firstly, by developing methods and techniques to build up a security baseline for a value web, which is a set of security patterns agreed upon by members of a value web, of which the risk-mitigating properties have been quantitavely specified, and which are related to business goals and external legislation that therse patterns help to achieve. Secondly, we will develop quantitative techniques for security architecture design in decentralized networks, by means of which in a business project can compose the security mechanisms in the baseline into a security architecture of the business project result. In a value web where each business has its own commercial interests, architecture design must use cost/benefit techniques to lead to agreement among different business partners. We will develop dynamic quantitative techniques, that allow businesses to incorporate the appearance of new security mechanisms, the occurrence of new threats or incidents, and of changes in security goals over time. |
