CTIT University of Twente
Research Business & Innovation About CTIT Research Calls Looking for a job? Intranet


Value-Based Security Risk Mitigation in Enterprise Networks that are Decentralized

(funded by STW/Sentinels)


Project Manager: Prof. dr. Roel Wieringa / Pieter Hartel

Faculty of Electrical Engineering, Mathematics and Computer Science - EEMCS

Tel.: +31 53 489 4189 / +31 53 489 2411

Email: r.j.wieringa@utwente.nl / pieter.hartel@utwente.nl


In industrial practice, security engineering is risk management: how to mitigate security risk given a finite budget? Today the IT of a business is connected to that of others in a value web of business partners, suppliers and customers, each of whom has its own confidentiality, integrity and availability requirements. This creates new security challenges, because there is no central decision-making authority in these networks. The question to be investigated in VRIEND is how to extend current risk management practices with methods and techniques to deal with security risks in decentralized networks. We will investigate this, firstly, by developing methods and techniques to build up a security baseline for a value web, which is a set of security patterns agreed upon by members of a value web, of which the risk-mitigating properties have been quantitavely specified, and which are related to business goals and external legislation that therse patterns help to achieve. Secondly, we will develop quantitative techniques for security architecture design in decentralized networks, by means of which in a business project can compose the security mechanisms in the baseline into a security architecture of the business project result. In a value web where each business has its own commercial interests, architecture design must use cost/benefit techniques to lead to agreement among different business partners. We will develop dynamic quantitative techniques, that allow businesses to incorporate the appearance of new security mechanisms, the occurrence of new threats or incidents, and of changes in security goals over time.


Project duration: January 2007 until January 2011

Project budget: 440 k-€

Number of person/years: 2.1 fte

Project Coordinator: University of Twente

Participants: AkzoNobel, Corus Strip Products, DSM, Hoffmann, Philips

Involved groups: Information Systems (IS), Distributed and Embedded Systems (DIES)