Abstract
In an earlier series of works, Boehm et al. discuss the nature of information system dependability and highlight the variability of system dependability according to stakeholders. In a recent paper, the dependency patterns of this model are analyzed. In our recent works, we presented a stakeholder dependent quantitative security model, where we quantify security for a given stakeholder by the mean of the loss incurred by the stakeholder as a result of security threats. We show how this mean can be derived from the security threat configuration (represented as a vector of probabilities that reflect the likelihood of occurrence of the various security threats). We refer to our security metric as MFC, for Mean Failure Cost. In this paper, we analyze Boehm's model from the standpoint of the proposed metric, and show whether, to what extent, and how our metric addresses the issues raised by Boehm's Stakeholder/Value definition of system dependability.