Systematically combine security risk assessment and testing based on standards

Session: Security testing and validation, Wed., Sep. 16, 15:15 - 15:45

Managing cyber security has become increasingly important due to the growing interconnectivity of computerized systems and their use in society. A comprehensive assessment of cyber security can be challenging, as it spans different domains of knowledge and expertise. For instance, identifying cyber security vulnerabilities requires detailed technical expertise and knowledge, while assessing the organizational impact and legal implications of cyber security incidents may require expertise and knowledge related to risk and compliance. Standards like ISO 31000 and ISO/IEEE 29119 detail the relevant aspects of risk management and testing, respectively, and thus provide guidance in these areas. However, neither standard covers the explicit integration of security risk assessment with security testing. We think, however, that they provide a good basis for it. In this paper we show how ISO 31000 and ISO/IEEE 29119 can be integrated to provide a comprehensive approach to cyber security that covers both risk assessment and testing.

About Jürgen Großmann

As a member of the Competence Center "System Quality Center" (SQC), Jürgen Großmann is responsible for validation, verification and testing projects on next generation networks and software technologies for embedded systems. He is an expert on model-based development and model-driven testing, as well as on security engineering and security testing. Jürgen Großmann has experience in numerous standardization activities for various standardization bodies, including OMG, ETSI, ASAM and AUTOSAR.