
Requirements Engineering Meets Trust Management

Model, Methodology, and Reasoning

  • Conference paper
Trust Management (iTrust 2004)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2995)


Abstract

Recent years have seen a number of proposals to incorporate Security Engineering into mainstream Software Requirements Engineering. However, capturing trust and security requirements at an organizational level (as opposed to a design level) is still an open problem. This paper presents a formal framework for modeling and analyzing security and trust requirements. It extends Tropos, an agent-oriented software engineering methodology. The key intuition is that in modeling security and trust, we need to distinguish between the actors that manipulate resources, accomplish goals or execute tasks, and the actors that own the resources or the goals. To analyze an organization and its information systems, we proceed in two steps. First, we build a trust model, determining the trust relationships among actors; then we give a functional model, in which we analyze the actual delegations against the trust model, checking whether an actor that offers a service is authorized to have it.

The formal framework allows for the automatic verification of security and trust requirements by using a suitable delegation logic that can be mechanized within Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.
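The check described in the abstract can be sketched as a small bottom-up, Datalog-style evaluation. This is an added example, not the paper's axiomatization: the predicate names (`owns`, `trust`, `delegates`, `entitled`, `has`), the two rules per predicate, and the health-care facts are simplifying assumptions constructed for illustration.

```python
# Added illustration; predicates, rules and facts are assumptions, not the paper's.
# Constructed facts: (predicate, args...). The service is a patient's medical record.
FACTS = {
    ("owns", "patient", "medical_record"),
    ("trust", "patient", "hospital", "medical_record"),       # trust model
    ("trust", "hospital", "clinician", "medical_record"),
    ("delegates", "patient", "hospital", "medical_record"),   # functional model
    ("delegates", "hospital", "clinician", "medical_record"),
    ("delegates", "clinician", "insurer", "medical_record"),  # no trust backs this
}

def by(facts, pred):
    """Return the argument tuples of every fact with the given predicate."""
    return [f[1:] for f in facts if f[0] == pred]

def closure(facts, rules):
    """Naive Datalog evaluation: apply every rule until no new fact appears."""
    facts = set(facts)
    while True:
        new = set().union(*(rule(facts) for rule in rules))
        if new <= facts:
            return facts
        facts |= new

def r_entitled(facts):
    # entitled(A,S) :- owns(A,S).
    # entitled(B,S) :- entitled(A,S), trust(A,B,S).
    ent = set(by(facts, "entitled"))
    out = {("entitled", a, s) for a, s in by(facts, "owns")}
    return out | {("entitled", b, s) for a, b, s in by(facts, "trust") if (a, s) in ent}

def r_has(facts):
    # has(A,S) :- owns(A,S).
    # has(B,S) :- has(A,S), delegates(A,B,S).
    has = set(by(facts, "has"))
    out = {("has", a, s) for a, s in by(facts, "owns")}
    return out | {("has", b, s) for a, b, s in by(facts, "delegates") if (a, s) in has}

def violations(base):
    """Actors that end up holding a service without a trust chain from its owner."""
    db = closure(base, [r_entitled, r_has])
    entitled = set(by(db, "entitled"))
    return sorted(x for x in by(db, "has") if x not in entitled)

if __name__ == "__main__":
    print(violations(FACTS))
```

Separating `entitled` (derived from the trust model) from `has` (derived from actual delegations) mirrors the two-step analysis: a violation is any delegation chain that outruns the owner's trust chain.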

This work has been partially funded by the IST programme of the EU Commission, FET under the IST-2001-37004 WASP project and by the FIRB programme of MIUR under the RBNE0195K5 ASTRO Project. We would like to thank the anonymous reviewers for useful comments.




Copyright information

© 2004 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N. (2004). Requirements Engineering Meets Trust Management. In: Jensen, C., Poslad, S., Dimitrakos, T. (eds) Trust Management. iTrust 2004. Lecture Notes in Computer Science, vol 2995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-24747-0_14


  • DOI: https://doi.org/10.1007/978-3-540-24747-0_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-21312-3

  • Online ISBN: 978-3-540-24747-0

  • eBook Packages: Springer Book Archive
