An Approach to Select Cost-Effective Risk Countermeasures Exemplified in CORAS

Security risk analysis should be conducted regularly for organizationsto maintain an acceptable level of security. In principle, all risks thatare unacceptable according to the predefined criteria should be mitigated.However, risk mitigation comes at a cost, and only the countermeasuresthat cost-efficiently mitigate risks should be implemented. This reportpresents an approach to integrate the countermeasure cost-benefit assess-ment into the risk analysis, and to provide decision makers with the nec-essary decision support. The approach comes with the necessary model-ing support, a calculus for reasoning about the countermeasure cost andeffect, as well as means for visualization of the results to aid decision mak-ers. The approach is generic in the sense that the modeling and analysistechniques can be instantiated in several established approaches to riskassessment. In this report we demonstrate the instantiation in CORASand exemplify the approach using an eHealth scenario.