Software & Systems Modeling

, Volume 17, Issue 4, pp 1253–1285 | Cite as

Holistic security requirements analysis for socio-technical systems

  • Tong LiEmail author
  • Jennifer Horkoff
  • John Mylopoulos
Regular Paper


Security has been a growing concern for large organizations, especially financial and governmental institutions, as security breaches in the systems they depend on have repeatedly resulted in billions of dollars in losses per year, and this cost is on the rise. A primary reason for these breaches is that the systems in question are “socio-technical” a mix of people, processes, technology, and infrastructure. However, such systems are designed in a piecemeal rather than a holistic fashion, leaving parts of the system vulnerable. To tackle this problem, we propose a three-layer security analysis framework consisting of a social layer (business processes, social actors), a software layer (software applications that support the social layer), and an infrastructure layer (physical and technological infrastructure). In our proposal, global security requirements lead to local security requirements, cutting across conceptual layers, and upper-layer security analysis influences analysis at lower layers. Moreover, we propose a set of analytical methods and a systematic process that together drive security requirements analysis across the three layers. To support analysis, we have defined corresponding inference rules that (semi-)automate the analysis, helping to deal with system complexity. A prototype tool has been implemented to support analysts throughout the analysis process. Moreover, we have performed a case study on a real-world smart grid scenario to validate our approach.


Security requirements Goal model Enterprise architecture Socio-technical system Security pattern 



Trento authors are supported by the ERC advanced Grant 267856, titled “Lucretius: Foundations for Software Evolution”. Jennifer Horkoff is supported by an ERC Marie Sklodowska-Curie Intra-European Fellowship (PIEF-GA-2013-627489), and by a Natural Sciences and Engineering Research Council of Canada Postdoctoral Fellowship (Sept. 2014–Aug. 2016).


  1. 1.
    Altuhhova, O., Matulevičius, R., Ahmed, N.: Towards definition of secure business processes. In: Bajec, M., Eder, J. (eds.) Advanced Information Systems Engineering Workshops, pp. 1–15. Springer, Berlin (2012)Google Scholar
  2. 2.
    Araujo, I., Weiss, M.: Linking patterns and non-functional requirements. In: Proceedings of the Ninth Conference on Pattern Language of Programs (PLOP 2002) (2002)Google Scholar
  3. 3.
    Asnar, Y., Massacci, F., Saidane, A., Riccucci, C., Felici, M., Tedeschi, A., El-Khoury, P., Li, K., Séguran, M., Zannone, N.: Organizational patterns for security and dependability: from design to application. Int. J. Secur. Softw. Eng. 2(3), 1–22 (2011)CrossRefGoogle Scholar
  4. 4.
    Asnar, Y., Li, T., Massacci, F., Paci, F.: Computer aided threat identification. In: 2011 IEEE 13th Conference on Commerce and Enterprise Computing (CEC), pp. 145–152. IEEE (2011)Google Scholar
  5. 5.
    Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)CrossRefzbMATHGoogle Scholar
  6. 6.
    Brown, B., Singletary, B., Willke, B., Bennett, C., Highfill, D., Houseman, D., Cleveland, F., Lipson, H., Ivers, J., Gooding, J., et al.: Ami System Security Requirements. UCA Int. Users Group, US Dept. Energy, Washington, DC, USA, Tech. Rep. UCAIUG: AMI-SEC-ASAP (2008)Google Scholar
  7. 7.
    Carpenter, M., Goodspeed, T., Singletary, B., Skoudis, E., Wright, J.: Advanced Metering Infrastructure Attack Methodology. InGuardians white paper (2009)Google Scholar
  8. 8.
    Chung, L.: Dealing with security requirements during the development of information systems. In: Rolland, C., Bodart, F., Cauvet C. (eds.) Advanced Information Systems Engineering. LNCS, vol. 685, pp. 234–251. Springer, Berlin (1993)Google Scholar
  9. 9.
    Chung, L., Supakkul, S.: Representing nfrs and frs: a goal-oriented and use case driven approach. In: Dosch, W., Lee, R., Wu, C. (eds.) Software Engineering Research and Applications, LNCS, vol. 3647, pp. 29–41. Springer, Berlin (2006)CrossRefGoogle Scholar
  10. 10.
    Cuellar, J., Suppan, S.: A smart metering scenario. In: Network of Excellence on Engineering Secure Future Internet Software Services and Systems, eRISE, vol. 2013, (2013)Google Scholar
  11. 11.
    Cui, X., Paige, R.: An integrated framework for system/software requirements development aligning with business motivations. In: 2012 IEEE/ACIS 11th International Conference on Computer and Information Science (ICIS), pp. 547–552 (2012)Google Scholar
  12. 12.
    De Gea, J.M.C., Nicolás, J., Alemán, J.L.F., Toval, A., Ebert, C., Vizcaíno, A.: Requirements engineering tools: capabilities, survey and assessment. Inf. Softw. Technol. 54(10), 1142–1157 (2012)CrossRefGoogle Scholar
  13. 13.
    Eiter, T., Gottlob, G., Mannila, H.: Disjunctive datalog. ACM Trans. Database Syst. (TODS) 22(3), 364–418 (1997)CrossRefGoogle Scholar
  14. 14.
    Estrada, H., Rebollar, A.M., Pastor, O., Mylopoulos, J.: An empirical evaluation of the i* framework in a model-based software generation environment. In: Dubois, E., Pohl, K. (eds.) Advanced Information Systems Engineering, pp. 513–527. Springer, Berlin (2006)Google Scholar
  15. 15.
    Fernandez, E.B.: Two patterns for web services security. In: International Conference on Internet Computing, pp. 801–807 (2004)Google Scholar
  16. 16.
    Fernandez, E.B., Ballesteros, J., Desouza-Doucet, A.C., Larrondo-Petrie, M.M.: Security patterns for physical access control systems. In: Barker, S., Ahn G.J. (eds.) Data and Applications Security XXI, pp. 259–274. Springer, Berlin (2007)Google Scholar
  17. 17.
    Fernandez, E.B., Fonoage, M., VanHilst, M., Marta, M.: The secure three-tier architecture pattern. In: CISIS, pp. 555–560 (2008)Google Scholar
  18. 18.
    Fernandez-Buglioni, E.: Security Patterns in Practice: Designing Secure Architectures Using Software Patterns. Wiley, New York (2013)Google Scholar
  19. 19.
    Firesmith, D.: Specifying Reusable Security Requirements. J. Object Technol. 3(1), 61–75 (2004)CrossRefGoogle Scholar
  20. 20.
    Flick, T., Morehouse, J.: Securing the Smart Grid: Next Generation Power Grid Security. Elsevier, Amsterdam (2010)Google Scholar
  21. 21.
    Giorgini, P., Massacci, F., Zannone, N.: Security and trust requirements engineering. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) Foundations of Security Analysis and Design III. LNCS, vol. 3655, pp. 237–272. Springer, Berlin (2005)Google Scholar
  22. 22.
    Gross, D., Yu, E.: From non-functional requirements to design through patterns. Requir. Eng. 6(1), 18–36 (2001)CrossRefzbMATHGoogle Scholar
  23. 23.
    Hafiz, M., Adamczyk, P., Johnson, R.E.: Organizing security patterns. IEEE Softw. 24(4), 52–60 (2007)CrossRefGoogle Scholar
  24. 24.
    Haley, C.B., Laney, R.C., Nuseibeh, B.: Deriving security requirements from crosscutting threat descriptions. In: Proceedings of the 3rd International Conference on Aspect-Oriented Software Development, pp. 112–121. ACM, New York (2004)Google Scholar
  25. 25.
    Halleux, P., Mathieu, L., Andersson, B.: A method to support the alignment of business models and goal models. Proc. BUSITAL 8, 121 (2008)Google Scholar
  26. 26.
    Haren, V.: TOGAF Version 9.1. Van Haren Publishing, Berlin (2011)Google Scholar
  27. 27.
    Hernan, S., Lambert, S., Ostwald, T., Shostack, A.: Threat modeling-uncover security design flaws using the stride approach. In: MSDN Magazine-Louisville, pp. 68–75 (2006)Google Scholar
  28. 28.
    Herrmann, P., Herrmann, G.: Security requirement analysis of business processes. Electron. Commer. Res. 6(3–4), 305–335 (2006)CrossRefGoogle Scholar
  29. 29.
    Heyman, T., Yskout, K., Scandariato, R., Joosen, W.: An analysis of the security patterns landscape. In: Proceedings of the Third International Workshop on Software Engineering for Secure Systems (SESS), pp. 3–10. IEEE Computer Society (2007)Google Scholar
  30. 30.
    Horkoff, J., Aydemir, F.B., Li, F.L., Li, T., Mylopoulos, J.: Evaluating modeling languages: an example from the requirements domain. In: Conceptual Modeling (ER 2014), pp. 260–274. Springer, Berlin (2014)Google Scholar
  31. 31.
    Horkoff, J., Li, T., Li, F.L., Salnitri, M., Cardoso, E., Giorgini, P., Mylopoulos, J.: Using goal models downstream: a systematic roadmap and literature review. Int. J. Inf. Syst. Model. Des. 6(2), 1–42 (2015)CrossRefGoogle Scholar
  32. 32.
    Horkoff, J., Li, T., Li, F.L., Salnitri, M., Cardoso, E., Giorgini, P., Mylopoulos, J., Pimentel, J.: Taking goal models downstream: a systematic roadmap. In: 2014 IEEE Eighth International Conference on Research Challenges in Information Science (RCIS), pp. 1–12. IEEE (2014)Google Scholar
  33. 33.
    Horkoff, J., Yu, E.: Finding solutions in goal models: an interactive backward reasoning approach. In: Parsons, J., Saeki, M., Shoval, P., Woo, C., Wand, Y. (eds.) Conceptual Modeling-ER 2010, pp. 59–75. Springer, Berlin (2010)Google Scholar
  34. 34.
    Horkoff, J., Yu, E.: Analyzing goal models: different approaches and how to choose among them. In: Proceedings of the 2011 ACM Symposium on Applied Computing, pp. 675–682. ACM, New York (2011)Google Scholar
  35. 35.
    Horkoff, J., Yu, E.: Comparison and evaluation of goal-oriented satisfaction analysis techniques. Requir. Eng. 18(3), 199–222 (2013)CrossRefGoogle Scholar
  36. 36.
    ISO/IEC 27002: Information Technology—Security Techniques—Code of Practice for Information Security Management (2005)Google Scholar
  37. 37.
    ISO/IEC 27000: 2012 Information Technology—Security Techniques—Information Security Management Systems—Overview and Vocabulary. (2012)
  38. 38.
    Jureta, I., Borgida, A., Ernst, N., Mylopoulos, J.: Techne: Towards a new generation of requirements modeling languages with goals, preferences, and inconsistency handling. In: Proceedings of the RE’10, pp. 115–124 (2010)Google Scholar
  39. 39.
    Knuth, D.E.: The Art of Computer Programming: Sorting and Searching, vol. 3. Pearson Education, New York (1998)zbMATHGoogle Scholar
  40. 40.
    Lankhorst, M.M., Proper, H.A., Jonkers, H.: The architecture of the archimate language. In: Halpin, T., Krogstie, J., Nurcan, S., Proper, E., Schmidt, R., Soffer, P., Ukor, R. (eds.) Enterprise, Business-Process and Information Systems Modeling, pp. 367–380. Springer, Berlin (2009)Google Scholar
  41. 41.
    Lethbridge, T.C., Sim, S.E., Singer, J.: Studying software engineers: data collection techniques for software field studies. Empir. Softw. Eng. 10(3), 311–341 (2005)CrossRefGoogle Scholar
  42. 42.
    Li, T., Horkoff, J.: Dealing with security requirements for socio-technical systems: a holistic approach. In: Advanced Information Systems Engineering (CAiSE 2014), pp. 185–200. Springer, Berlin (2014)Google Scholar
  43. 43.
    Li, T., Horkoff, J., Mylopoulos, J.: Integrating security patterns with security requirements analysis using contextual goal models. In: The Practice of Enterprise Modeling (PoEM 2014), pp. 208–223. Springer, Berlin (2014)Google Scholar
  44. 44.
    Li, T., Horkoff, J., Mylopoulos, J.: A prototype tool for modeling and analyzing security requirements from a holistic viewpoint. In: The CAiSE’14 Forum at the 26th International Conference on Advanced Information Systems Engineering, pp. 185–192 (2014)Google Scholar
  45. 45.
    Li, T., Horkoff, J., Mylopoulos, J.: Analyzing and enforcing security mechanisms on requirements specification. In: Requirements Engineering: Foundation for Software Quality (REFSQ 2015). Springer, Berlin (2015)Google Scholar
  46. 46.
    Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proceedings of the RE’03, vol. 3, pp. 151–161. Monterey, CA (2003)Google Scholar
  47. 47.
    Massacci, F., Paci, F.: How to select a security requirements method? A comparative study with students and practitioners. In: Jøsang, A., Carlsson, B. (eds.) Secure IT Systems, pp. 89–104. Springer, Berlin (2012)Google Scholar
  48. 48.
    Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: Proceedings of International Conference on Availability, Reliability and Security, 2009 (ARES’09), pp. 41–48. IEEE (2009)Google Scholar
  49. 49.
    Mouratidis, H.: Secure software systems engineering: the secure tropos approach. J. Softw. 6(3), 331–339 (2011)CrossRefGoogle Scholar
  50. 50.
    Mouratidis, H., Giorgini, P.: A natural extension of tropos methodology for modelling security. In: Proceedings of the Agent Oriented Methodologies Workshop (OOPSLA 2002), Citeseer (2002)Google Scholar
  51. 51.
    Mouratidis, H., Jurjens, J.: From goal-driven security requirements engineering to secure design. Int. J. Intell. Syst. 25(8), 813–840 (2010)CrossRefGoogle Scholar
  52. 52.
    NIST: Roadmap for Smart Grid Interoperability Standards, Release 2.0. NIST Special Publication 1108R2 (2012)Google Scholar
  53. 53.
    Paja, E., Dalpiaz, F., Giorgini, P.: Managing security requirements conflicts in socio-technical systems. In: Ng, W., Storey, V.C., Trujillo, J.C. (eds.) Conceptual Modeling, pp. 270–283. Springer, Berlin (2013)Google Scholar
  54. 54.
    Pimentel, J., Lucena, M., Castro, J., Silva, C., Santos, E., Alencar, F.: Deriving software architectural models from requirements models for adaptive systems: the stream-a approach. Requir. Eng. 17(4), 259–281 (2012)CrossRefGoogle Scholar
  55. 55.
    Ranjan, P., Misra, A.K.: Agent based system development: a domain-specific goal approach. ACM SIGSOFT Softw. Eng. Notes 31(6), 1–6 (2006)CrossRefGoogle Scholar
  56. 56.
    Rodríguez, A., Fernández-Medina, E., Trujillo, J., Piattini, M.: Secure business process model specification through a UML 2.0 activity diagram profile. Decis. Support Syst. 51(3):446–465 (2011)Google Scholar
  57. 57.
    Rodríguez, A., de Guzmán, I.G.R., Fernández-Medina, E., Piattini, M.: Semi-formal transformation of secure business processes into analysis class and use case models: an mda approach. Inf. Softw. Technol. 52(9), 945–971 (2010)Google Scholar
  58. 58.
    Runeson, P., Höst, M.: Guidelines for conducting and reporting case study research in software engineering. Empir. Softw. Eng. 14(2), 131–164 (2009)CrossRefGoogle Scholar
  59. 59.
    Scandariato, R., Yskout, K., Heyman, T., Joosen, W.: Architecting Software with Security Patterns. Tech. rep, KU Leuven (2008)Google Scholar
  60. 60.
    Schneier, B.: Attack trees. Dr. Dobb’s J. 24(12), 21–29 (1999)Google Scholar
  61. 61.
    Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P.: Security Patterns: Integrating Security and Systems Engineering. Wiley, New York (2013)Google Scholar
  62. 62.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar
  63. 63.
    Souag, A., Mazo, R., Salinesi, C., Comyn-Wattiau, I.: Reusable knowledge in security requirements engineering: a systematic mapping study. Requir. Eng. 21(2), 251–283 (2016)Google Scholar
  64. 64.
    Suleiman, H., Svetinovic, D.: Evaluating the effectiveness of the security quality requirements engineering (square) method: a case study using smart grid advanced metering infrastructure. Requir. Eng. 18(3), 251–279 (2013)CrossRefGoogle Scholar
  65. 65.
  66. 66.
    Uzunov, A.V., Fernandez, E.B., Falkner, K.: Engineering security into distributed systems: a survey of methodologies. J. UCS 18(20), 2920–3006 (2012)Google Scholar
  67. 67.
    Uzunov, A.V., Fernandez, E.B., Falkner, K.: Ase: a comprehensive pattern-driven security methodology for distributed systems. Comput. Stand. Interfaces 41, 112–137 (2015)CrossRefGoogle Scholar
  68. 68.
    Van Lamsweerde, A., Letier, E.: Handling obstacles in goal-oriented requirements engineering. IEEE Trans. Softw. Eng. 26(10), 978–1005 (2000)CrossRefGoogle Scholar
  69. 69.
    Yoder, J., Barcalow, J.: Architectural patterns for enabling application security. In: Fourth Conference on Patterns Languages of Programs (PLoP’97) (1997)Google Scholar
  70. 70.
    Yu, E.: Towards modelling and reasoning support for early-phase requirements engineering. In: Proceedings of the Third IEEE International Symposium on Requirement Engineering, pp. 226–235. IEEE Computer Society Press (1997)Google Scholar
  71. 71.
    Zachman, J.A.: A framework for information systems architecture. IBM Syst. J. 26(3), 276–292 (1987)CrossRefGoogle Scholar
  72. 72.
    Zave, P., Jackson, M.: Four dark corners of requirements engineering. ACM Trans. Softw. Eng. Methodol. 6(1), 1–30 (1997)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. 1.University of TrentoTrentoItaly
  2. 2.City UniversityLondonUK

Personalised recommendations