Security and Privacy in the Age of Ubiquitous Computing: IFIP TC11 20th International Information Security Conference May 30 - June 1, 2005, Chiba, Japan

A Decision Matrix Approach To Prioritize Holistic Security Requirements in E-Commerce

Albin Zuccato
Karlstad University, Department of Computer Science, Universitetsgatan 2, 65188 Karlstad, Sweden

In security management, the concept of security requirements has replaced risk analysis when assessing appropriate measurements. However, it is not clear how elicited requirements can be prioritized. State-of-the-art methods to prioritize the holistic nature of security requirements are applicable only after major revisions. This dilemma is the starting point for proposing a qualitative decision matrix approach which is quick and whose results are reproducible and sufficiently accurate. This article describes how the parameters for a prioritization are derived and how the prioritization is carried out.

Key words: decision matrix, holistic security requirement, security requirement prioritization

1 INTRODUCTION

In recent years the term security requirement has become more and more popular in the security management community. The purpose of a security requirement is to guide the implementation and ongoing administration in security management [ISO 13335-1, 1996]. In earlier years, a security requirement was mainly interpreted as a factor that had to be derived from a risk analysis process - see [ISO 13335-1, 1996], [ISO 17799, 2000]. The risk value then clearly indicated the importance of the requirement. The more severe the risk, the stronger the incentive to realize the requirement. In that manner a priority order, dependent on the risk value, can be established and the resources can be dedicated to the most important requirements. This is necessary as we assume that only limited resources are available which are insufficient for realizing all security...
