Security has to be addressed throughout the whole of system development. Since every security solution has a cost, organizations will want to adopt security solutions that are likely to have a positive return on investment (ROI). In view of this, developing a secure information system in a cost-effective way requires security risk analysis in the requirements engineering stage of system development.
The aim of this research is to design a modelling language for information system security risk management by enhancing an established technique for secure software development called UMLsec. UMLsec is an extension of UML that allows security-relevant information to be expressed within the diagrams of a system specification. UMLsec is defined in the form of a UML profile using the standard UML extension mechanisms (stereotypes, tagged values and constraints). The goal is to examine and identify the concepts that should constitute a modelling technique for IS security risk analysis, and to build a conceptual model for achieving IS security risk assessment. A UMLsec-based analysis approach will be used for the identification and specification of security threats, and qualitative risk measurement will be employed in the risk assessment process.