Abstract: | The BT Security Research Centre has defined and continues to develop a modelling language and method for representing and
analysing ICT security requirements. The language is used to create a model that serves as a medium for communication between
consultant and customer, a guide in making decisions, and the basis of a specification for implementing a solution. Three
sub-models deal with business and technical requirements of the ICT system; threats, vulnerability and risks; and security
measures and processes. The modelling process is iterative, with decisions being driven by optimisation of business value,
trading off risk against cost. This paper focuses on aspects of the method dealing with assessment of risk and analysis of
requirements for operational risk management. |