{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,11,1]],"date-time":"2025-11-01T13:42:00Z","timestamp":1762004520746,"version":"3.41.2"},"reference-count":51,"publisher":"Emerald","issue":"3","license":[{"start":{"date-parts":[[2013,7,12]],"date-time":"2013-07-12T00:00:00Z","timestamp":1373587200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.emerald.com\/insight\/site-policies"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,7,12]]},"abstract":"<jats:sec><jats:title content-type=\"abstract-heading\">Purpose<\/jats:title><jats:p>In any information security risk assessment, vulnerabilities are usually identified by information\u2010gathering techniques. However, vulnerability identification errors \u2013 wrongly identified or unidentified vulnerabilities \u2013 can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost\u2010effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Design\/methodology\/approach<\/jats:title><jats:p>Business process models have been selected for use, because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes regarding their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with the proposed approach. 
The comparison is conducted both at three entities of an insurance company and through a controlled experiment within a survey among security professionals.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Findings<\/jats:title><jats:p>Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.<\/jats:p><\/jats:sec><jats:sec><jats:title content-type=\"abstract-heading\">Originality\/value<\/jats:title><jats:p>It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.<\/jats:p><\/jats:sec>","DOI":"10.1108\/imcs-09-2012-0054","type":"journal-article","created":{"date-parts":[[2013,7,25]],"date-time":"2013-07-25T14:13:42Z","timestamp":1374761622000},"page":"202-223","source":"Crossref","is-referenced-by-count":13,"title":["Resolving vulnerability identification errors using security requirements on business process models"],"prefix":"10.1108","volume":"21","author":[{"given":"Stefan","family":"Taubenberger","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jan","family":"J\u00fcrjens","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yijun","family":"Yu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Bashar","family":"Nuseibeh","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"140","reference":[{"key":"key2022031320065832700_b1","doi-asserted-by":"crossref","unstructured":"Alberts, C., Dorofee, A., Stevens, J. and Woody, C. 
(2003), Introduction to the OCTAVE Approach, Software Engineering Institute (SEI), Carnegie Mellon University, Pittsburgh, PA.","DOI":"10.21236\/ADA634134"},{"key":"key2022031320065832700_b2","unstructured":"ANSSI (2010), \u201cEBIOS 2010 \u2013 Expression of needs and identification of security objectives\u201d, Agence nationale de la s\u00e9curit\u00e9 des syst\u00e8mes d'information, available at: www.ssi.gouv.fr\/en\/the\u2010anssi\/publications\u2010109\/methods\u2010to\u2010achieve\u2010iss\/."},{"key":"key2022031320065832700_b3","doi-asserted-by":"crossref","unstructured":"Asnar, Y. and Zannone, N. (2008), \u201cPerceived risk assessment\u201d, 4th Workshop on Quality of Protection, ACM, pp. 59\u201063, available at: http:\/\/qop\u2010workshop.org\/.","DOI":"10.1145\/1456362.1456375"},{"key":"key2022031320065832700_b4","unstructured":"ASNZ (1999), Australian\/New Zealand Standard Risk Management ASNZ 4360:1999."},{"key":"key2022031320065832700_b5","unstructured":"ASNZ (2009), Australian\/New Zealand Standard Risk Management AS\/NZS ISO 31000:2009 \u2013 Risk Management \u2013 Principles and Guideline."},{"key":"key2022031320065832700_b6","unstructured":"BSI (2008), \u201cBSI\u2010standard 100\u201002: IT\u2010Grundschutz methodology\u201d, Federal Office of Information Security (BSI), available at: www.bsi.bund.de\/."},{"key":"key2022031320065832700_b7","doi-asserted-by":"crossref","unstructured":"Buyens, K., De Win, B. and Joosen, W. (2007), \u201cEmpirical and statistical analysis of risk analysis\u2010driven techniques for threat management\u201d, Proceedings of the Second International Conference on Availability, Reliability and Security, ARES'07, IEEE Computer Society, Washington, DC, pp. 1034\u20101041, available at: http:\/\/dx.doi.org\/10.1109\/ARES.2007.78.","DOI":"10.1109\/ARES.2007.78"},{"key":"key2022031320065832700_b8","doi-asserted-by":"crossref","unstructured":"Caralli, R., Stevens, J., Young, L. and Wilson, W. 
(2007), \u201cIntroducing OCTAVE allegro: improving the information security risk assessment process\u201d, Technical Report CMU\/SEI\u20102007\u2010TR\u2010012; ESC\u2010TR\u20102007\u2010012, Software Engineering Institute (SEI), Carnegie Mellon University, Pittsburgh, PA.","DOI":"10.21236\/ADA470450"},{"key":"key2022031320065832700_b9","unstructured":"CC (2006), \u201cCommon criteria for information technology security evaluation, September 2006, version 3.1\u201d, available at: www.commoncriteriaportal.org\/cc\/."},{"key":"key2022031320065832700_b10","unstructured":"CCTA (1987), CCTA Risk Analysis and Management Method, Central Computing and Telecommunications Agency (CCTA), Norwich."},{"key":"key2022031320065832700_b11","unstructured":"CLUSIF (2010), Mehari 2010 \u2013 Risk Assessment and Treatment Guide, CLUSIF, Club de la S\u00e9curit\u00e9 de l'Information Fran\u00e7ais, available at: www.clusif.asso.fr\/en\/clusif\/present\/."},{"key":"key2022031320065832700_b12","doi-asserted-by":"crossref","unstructured":"Cohen, J. (1960), \u201cA coefficient of agreement for nominal scales\u201d, Educational and Psychological Measurement, Vol. 20, pp. 37\u201046.","DOI":"10.1177\/001316446002000104"},{"key":"key2022031320065832700_b13","unstructured":"CSI (2009), 14th Annual CSI Computer Crime and Security Survey, Computer Security Institute, available at: http:\/\/gocsi.com\/."},{"key":"key2022031320065832700_b14","doi-asserted-by":"crossref","unstructured":"Dubois, E., Heymans, P., Mayer, N. and Matulevius, R. (2010), \u201cA systematic approach to define the domain of information security risk management\u201d, International Perspectives on Information Systems Engineering, pp. 286\u2010306.","DOI":"10.1007\/978-3-642-12544-7_16"},{"key":"key2022031320065832700_b15","doi-asserted-by":"crossref","unstructured":"Fenz, S. and Ekelhart, A. (2011), \u201cVerification, validation, and evaluation in information security risk management\u201d, Security Privacy, IEEE, Vol. 
9 No. 2, pp. 58\u201065.","DOI":"10.1109\/MSP.2010.117"},{"key":"key2022031320065832700_b16","doi-asserted-by":"crossref","unstructured":"Franqueira, V.N.L., Tun, T.T., Yu, Y., Wieringa, R. and Nuseibeh, B. (2011), \u201cRisk and argumentation: a risk\u2010based argumentation method for practical security\u201d, 19th IEEE International Conference on Requirements Engineering, pp. 239\u2010248, available at: http:\/\/oro.open.ac.uk\/28980\/.","DOI":"10.1109\/RE.2011.6051659"},{"key":"key2022031320065832700_b17","doi-asserted-by":"crossref","unstructured":"Gerber, M. and von Solms, R. (2005), \u201cManagement of risk in the information age\u201d, Computers & Security, Vol. 24, pp. 16\u201030.","DOI":"10.1016\/j.cose.2004.11.002"},{"key":"key2022031320065832700_b18","doi-asserted-by":"crossref","unstructured":"Gerber, M., von Solms, R. and Overbeek, P. (2001), \u201cFormalizing information security requirements\u201d, Information Management & Computer Security, Vol. 9 No. 1, pp. 32\u201037.","DOI":"10.1108\/09685220110366768"},{"key":"key2022031320065832700_b19","doi-asserted-by":"crossref","unstructured":"Guarro, S. (1987), \u201cPrinciples and procedures of the LRAM approach to information systems risk analysis and management\u201d, Computers & Security, Vol. 6, pp. 493\u2010504.","DOI":"10.1016\/0167-4048(87)90030-7"},{"key":"key2022031320065832700_b21","doi-asserted-by":"crossref","unstructured":"Haley, C., Laney, R. and Moffett, J. (2008), \u201cSecurity requirements engineering: a framework for representation and analysis\u201d, IEEE Transactions on Software Engineering, Vol. 34 No. 1, pp. 133\u2010153.","DOI":"10.1109\/TSE.2007.70754"},{"key":"key2022031320065832700_b20","doi-asserted-by":"crossref","unstructured":"Haley, C.B., Laney, R.C. and Nuseibeh, B. 
(2004), \u201cDeriving security requirements from crosscutting threat descriptions\u201d, Proceedings of the 3rd International Conference on Aspect\u2010Oriented Software Development, AOSD'04, ACM, New York, NY, USA, pp. 112\u2010121, available at: http:\/\/doi.acm.org\/10.1145\/976270.976285.","DOI":"10.1145\/976270.976285"},{"key":"key2022031320065832700_b22","doi-asserted-by":"crossref","unstructured":"Halliday, S., Badenhorst, K. and von Solms, R. (1996), \u201cA business approach to effective information technology risk analysis and management\u201d, Information Management & Computer Security, Vol. 4 No. 1, pp. 19\u201031.","DOI":"10.1108\/09685229610114178"},{"key":"key2022031320065832700_b23","doi-asserted-by":"crossref","unstructured":"Herrmann, P. and Herrmann, G. (2006), \u201cSecurity requirement analysis of business processes\u201d, Electron Commerce Research, Vol. 6, pp. 305\u2010335.","DOI":"10.1007\/s10660-006-8677-7"},{"key":"key2022031320065832700_b24","doi-asserted-by":"crossref","unstructured":"Houmb, S.H., Islam, S., Knauss, E., J\u00fcrjens, J. and Schneider, K. (2010), \u201cEliciting security requirements and tracing them to design: an integration of common criteria, heuristics, and UMLsec\u201d, Requirements Engineering, Vol. 15, pp. 63\u201093, available at: http:\/\/dx.doi.org\/10.1007\/s00766\u2010009\u20100093\u20109.","DOI":"10.1007\/s00766-009-0093-9"},{"key":"key2022031320065832700_b25","unstructured":"Innerhofer\u2010Oberperfler, F. and Breu, R. (2006), \u201cUsing an enterprise architecture for IT risk management\u201d, ISSA'06: Proc. 
Information Security South Africa Conference, South Africa."},{"key":"key2022031320065832700_b26","unstructured":"ISF (2005), The Standard of Good Practice for Information Security, V4.1, Information Security Forum (ISF), available at: www.securityforum.org\/."},{"key":"key2022031320065832700_b27","unstructured":"ISO (2002), ISO Guide 73:2002 Risk Management, International Organization for Standardization, Geneva."},{"key":"key2022031320065832700_b28","unstructured":"ISO (2004), ISO\/IEC 13335\u20101:2004 Information Technology \u2013 Security Techniques \u2013 Management of Information and Communications Technology Security \u2013 Part 1: Concepts and Models for Information and Communications Technology Security Management, International Organization for Standardization, Geneva."},{"key":"key2022031320065832700_b29","unstructured":"ISO (2005a), ISO 27001:2005 Information Technology \u2013 Security Techniques \u2013 Information Security Management Systems \u2013 Requirements, International Organization for Standardization, Geneva."},{"key":"key2022031320065832700_b30","unstructured":"ISO (2005b), ISO 27002 Information Technology \u2013 Security Techniques \u2013 Code of Practice for Information Security Management, International Organization for Standardization, Geneva."},{"key":"key2022031320065832700_b31","unstructured":"ISO (2009), ISO\/IEC 31000:2009 Risk Management \u2013 Principles and Guidelines, International Organization for Standardization, Geneva."},{"key":"key2022031320065832700_b32","unstructured":"ISO (2011), ISO 27005:2011 Information Technology \u2013 Security Techniques \u2013 Information Security Risk Management, International Organization for Standardization, Geneva."},{"key":"key2022031320065832700_b33","unstructured":"ISSA (2004), \u201cGenerally accepted information security principles (GAISP)\u201d, Information Systems Security Association, available at: www.issa.org\/."},{"key":"key2022031320065832700_b34","unstructured":"ITGI (2007), Control 
Objectives for Information and related Technology (COBIT) Version 4.1, IT Governance Institute, available at: www.isaca.org\/."},{"key":"key2022031320065832700_b35","doi-asserted-by":"crossref","unstructured":"Khanmohammadi, K. and Houmb, S.H. (2010), \u201cBusiness process\u2010based information security risk assessment\u201d, Fourth International Conference on Network and System Security, pp. 199\u2010206.","DOI":"10.1109\/NSS.2010.37"},{"key":"key2022031320065832700_b36","doi-asserted-by":"crossref","unstructured":"Landis, J.R. and Koch, G.G. (1977), \u201cThe measurement of observer agreement for categorical data\u201d, Biometrics, Vol. 33 No. 1, pp. 159\u2010174.","DOI":"10.2307\/2529310"},{"key":"key2022031320065832700_b37","doi-asserted-by":"crossref","unstructured":"Mead, N., Hough, E. and Stehney, T. (2005), \u201cSecurity quality requirements engineering (SQUARE) methodology\u201d, Technical Report CMU\/SEI\u20102005\u2010TR\u2010009, Software Engineering Institute (SEI), Carnegie Mellon University, Pittsburgh, PA.","DOI":"10.21236\/ADA443493"},{"key":"key2022031320065832700_b38","doi-asserted-by":"crossref","unstructured":"Neubauer, T., Klemen, M. and Biffl, S. (2005), \u201cBusiness process\u2010based valuation of IT\u2010security\u201d, paper presented at the EDSER'05, ACM, St Louis, MO, USA.","DOI":"10.1145\/1083091.1083099"},{"key":"key2022031320065832700_b39","unstructured":"OMG (2009), Business Process Model and Notation (BPMN) FTF Beta 1 for Version 2.0, Object Management Group, August, available at: http:\/\/www.omg.org\/."},{"key":"key2022031320065832700_b40","doi-asserted-by":"crossref","unstructured":"Rainer, R.\u2010K., Snyder, C. and Carr, H. (1991), \u201cRisk analysis for information technology\u201d, Journal of Management Information Systems, Vol. 8 No. 1, pp. 129\u2010147.","DOI":"10.1080\/07421222.1991.11517914"},{"key":"key2022031320065832700_b41","doi-asserted-by":"crossref","unstructured":"Roehrig, S. and Knorr, K. 
(2004), \u201cSecurity analysis of electronic business processes\u201d, Electronic Commerce Research, Vol. 4, pp. 59\u201081.","DOI":"10.1023\/B:ELEC.0000009282.06809.c5"},{"key":"key2022031320065832700_b42","doi-asserted-by":"crossref","unstructured":"Siponen, M. and Willison, R. (2009), \u201cInformation security management standards: problems and solutions\u201d, Information & Management, Vol. 46, pp. 267\u2010270.","DOI":"10.1016\/j.im.2008.12.007"},{"key":"key2022031320065832700_b43","unstructured":"Stevens, J.F. (2005), \u201cInformation asset profiling\u201d, Technical Report CMU\/SEI\u20102005\u2010TN\u2010021, Carnegie Mellon University, Pittsburgh, PA."},{"key":"key2022031320065832700_b44","unstructured":"St\u00f8len, K., den Braber, F., Dimitrakos, T., Fredriksen, R., Gran, B.A., Houmb, S.\u2010H., Lund, M.S., Stamatiou, Y.C. and \u00d8yvind Aagedal, J. (2002), \u201cModel\u2010based risk assessment \u2013 the CORAS approach\u201d, paper presented at NIK (2002) Informatics Conference, Kongsberg."},{"key":"key2022031320065832700_b45","doi-asserted-by":"crossref","unstructured":"Stoneburner, G., Goguen, A. and Feringa, A. (2002), NIST Special Publication 800\u201030: Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, Fort Collins, CO, available at: www.nist.gov.","DOI":"10.6028\/NIST.SP.800-30"},{"key":"key2022031320065832700_b46","doi-asserted-by":"crossref","unstructured":"Suh, B. and Han, I. (2003), \u201cThe IS risk analysis based on a business model\u201d, Information & Management, Vol. 41, pp. 149\u2010158.","DOI":"10.1016\/S0378-7206(03)00044-2"},{"key":"key2022031320065832700_b47","unstructured":"Verizon (2010), 2010 Data Breach Investigations Report, Verizon, Washington, DC, available at: www.verizonbusiness.com\/."},{"key":"key2022031320065832700_b48","unstructured":"Viera, A.J. and Garrett, J.M. 
(2005), \u201cUnderstanding interobserver agreement: the Kappa statistic\u201d, Family Medicine, Vol. 37 No. 5, pp. 360\u2010363."},{"key":"key2022031320065832700_b49","doi-asserted-by":"crossref","unstructured":"von Solms, R. and von Solms, B. (2005), \u201cFrom information security to business security?\u201d, Computers & Security, Vol. 24, pp. 271\u2010273.","DOI":"10.1016\/j.cose.2005.04.004"},{"key":"key2022031320065832700_b50","doi-asserted-by":"crossref","unstructured":"Wang, A.J.A. (2005), \u201cInformation security models and metrics\u201d, 43rd ACM Southeast Conference, Kennesaw, GA, Vol. 2 of ACM\u2010SE 43, March 18\u201020, pp. 178\u2010184.","DOI":"10.1145\/1167253.1167295"},{"key":"key2022031320065832700_b51","unstructured":"zur Muehlen, M. (2005), \u201cIntegrating risks in business process models\u201d, 16th Australasian Conference on Information Systems, ACIS 2005 Proceedings, Paper 50, Sydney, available at: http:\/\/aisel.aisnet.org\/acis2005\/50."}],"container-title":["Information Management &amp; Computer 
Security"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/www.emeraldinsight.com\/doi\/full-xml\/10.1108\/IMCS-09-2012-0054","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-09-2012-0054\/full\/xml","content-type":"application\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/www.emerald.com\/insight\/content\/doi\/10.1108\/IMCS-09-2012-0054\/full\/html","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,24]],"date-time":"2025-07-24T21:50:48Z","timestamp":1753393848000},"score":1,"resource":{"primary":{"URL":"http:\/\/www.emerald.com\/ics\/article\/21\/3\/202-223\/181056"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2013,7,12]]},"references-count":51,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2013,7,12]]}},"alternative-id":["10.1108\/IMCS-09-2012-0054"],"URL":"https:\/\/doi.org\/10.1108\/imcs-09-2012-0054","relation":{},"ISSN":["0968-5227"],"issn-type":[{"type":"print","value":"0968-5227"}],"subject":[],"published":{"date-parts":[[2013,7,12]]}}}