Rattikorn Hewett, Phongphun Kijsanayothin, Meinhard Peters


Web-based information systems play increasingly important roles in providing functions and business services for many organizations. Because of their ubiquitous natures dealing with a huge and diverse population of users, web applications must be tolerant to errors, adverse interactions and malicious attacks. The ability to quickly estimate security risks early in the system development life cycle can be beneficial in making various decisions. This is particularly crucial for large and complex web applications that are asset-critical and evolve rapidly through long life cycles. This paper presents a systematic approach for the automated assessment of security risks, at the design stage, of web-based information systems. The approach combines risk concepts in reliability engineering with heuristics using characteristics of software and hardware deployment design to estimate security risks of the system to be developed. It provides a simple early estimate of security risks that can help locate high-risk software components. We discuss limitations of the approach and give an illustration in an industrial engineering and business-to-business domain using a case study of a web-based material requirements planning system for a manufacturing enterprise.


  1. Barna, P., Frasincar, F., and Houben, G.-J. (2006). A workflow-driven design of web information systems. In ICWE 7806: Proceedings of the 6th international conference on Web engineering, pages 321-328, New York, NY, USA. ACM Press.
  2. Bugtrag (2006). Retrieved October 11, 2006, from
  3. Cortellessa, V., Appukkutty, K., Guedem, A. R., and Elnaggar, R. (2005). Model-based performance risk analysis. IEEE Trans. Softw. Eng., 31(1):3-20.
  4. Ginige, A. and Murugesan, S. (2001). Web engineering: an introduction. Multimedia, IEEE, 8(1):14-18.
  5. Haimes, Y. Y. (2004). Risk Modeling, Assessment, and Management. John Wiley & Son, 2nd edition.
  6. ISO (2002). Risk management vocabulary guidelines for use in standards. ISO Copyright Office, Geneva.
  7. Landoll, D. J., editor (2006). The Security Risk Assessment Handbook. Auerbach Publications.
  8. Nessus (2006). Nessus vulnerability scanner. Retrieved October 11, 2006, from
  9. Pearl, J. (1997). Graphical models for probabilistic and causal reasoning. In The Computer Science and Engineering Handbook, pages 697-714.
  10. Qiang, L., Khong, T. C., San, W. Y., Jianguo, W., and Choy, C. (2001). A web-based material requirements planning integrated application. In EDOC 7801: Proceedings of the 5th IEEE International Conference on Enterprise Distributed Object Computing, page 14, Washington, DC, USA. IEEE Computer Society.
  11. Shahrokhi, M. and Bernard, A. (2004). Risk assessment/prevention in industrial design processes. In 2004 IEEE International Conference on Systems, Man and Cybernetics, pages 2592-2598.
  12. Stoneburner, G., Goguen, A., and Feringa, A. (2002). Risk management guide for information technology systems. Technical Report 800-30, Computer Security Division, Information Technology Laboratory, NIST.
  13. Verdon, D. and McGraw, G. (2004). Risk analysis in software design. IEEE Security and Privacy, 2(4):79-84.
  14. Walt, C. v. d. (2002). Assessing internet security risk, part four: Custom web applications. Retrieved from
  15. Yacoub, S. M., Cukic, B., and Ammar, H. H. (1999). Scenario-based reliability analysis of componentbased software. In ISSRE 7899: Proceedings of the 10th International Symposium on Software Reliability Engineering, page 22, Washington, DC, USA. IEEE Computer Society.
  16. Zhang, Y., Zhu, H., Greenwood, S., and Huo, Q. (2001). Quality modelling for web-based information systems. In FTDCS 7801: Proceedings of the 8th IEEE Workshop on Future Trends of Distributed Computing Systems, page 41, Washington, DC, USA. IEEE Computer Society.

Paper Citation

in Harvard Style

Hewett R., Kijsanayothin P. and Peters M. (2007). SECURITY RISK ANALYSIS IN WEB APPLICATION DESIGN . In Proceedings of the Third International Conference on Web Information Systems and Technologies - Volume 1: WEBIST, ISBN 978-972-8865-77-1, pages 28-35. DOI: 10.5220/0001266700280035

in Bibtex Style

author={Rattikorn Hewett and Phongphun Kijsanayothin and Meinhard Peters},
booktitle={Proceedings of the Third International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,},

in EndNote Style

JO - Proceedings of the Third International Conference on Web Information Systems and Technologies - Volume 1: WEBIST,
SN - 978-972-8865-77-1
AU - Hewett R.
AU - Kijsanayothin P.
AU - Peters M.
PY - 2007
SP - 28
EP - 35
DO - 10.5220/0001266700280035