Risk is unavoidable in business and risk management is needed amongst others
to set up good security policies. Once the risks are evaluated, the next step
is to decide how they should be treated. This involves managers making
decisions on proper countermeasures to be implemented to mitigate the risks.
The countermeasure expenditure, together with its ability to mitigate risks, is
factors that affect the selection. While many approaches have been proposed to
perform risk analysis, there has been less focus on delivering the prescriptive
and specific information that managers require to select cost-effective
countermeasures. This paper proposes a generic approach to integrate the cost
assessment into risk analysis to aid such decision making. The approach makes
use of a risk model which has been annotated with potential countermeasures,
estimates for their cost and effect. A calculus is then employed to reason
about this model in order to support decision in terms of decision diagrams. We
exemplify the instantiation of the generic approach in the CORAS method for
security risk analysis.Comment: 33 page
