Selecting Security Mechanisms in Secure Tropos

  • Conference paper
Trust, Privacy and Security in Digital Business (TrustBus 2017)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10442)

Abstract

As security is a growing concern for modern information systems, Security Requirements Engineering has developed into a very active area of research. A large body of work deals with elicitation, modelling, analysis, and reasoning about security requirements. However, there is little evidence of efforts to align security requirements with security mechanisms. This paper extends the Secure Tropos methodology to enable a clear alignment between security requirements and security mechanisms, and to provide a reasoning technique that optimises the selection of security mechanisms based on these security requirements and a set of other factors. The extended Secure Tropos supports modelling and analysis of security mechanisms; defines mathematically relevant modelling concepts to support a formal analysis; and defines and solves an optimisation problem to derive optimal sets of security mechanisms. We demonstrate the applicability of our work with the aid of a case study from the health care domain.

Corresponding author

Correspondence to Michalis Pavlidis.

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Pavlidis, M., Mouratidis, H., Panaousis, E., Argyropoulos, N. (2017). Selecting Security Mechanisms in Secure Tropos. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds) Trust, Privacy and Security in Digital Business. TrustBus 2017. Lecture Notes in Computer Science, vol 10442. Springer, Cham. https://doi.org/10.1007/978-3-319-64483-7_7

  • DOI: https://doi.org/10.1007/978-3-319-64483-7_7

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64482-0

  • Online ISBN: 978-3-319-64483-7

  • eBook Packages: Computer Science, Computer Science (R0)
