Requirements Engineering

, Volume 21, Issue 4, pp 481–504 | Cite as

Automating trade-off analysis of security requirements

  • Liliana Pasquale
  • Paola SpoletiniEmail author
  • Mazeiar Salehie
  • Luca Cavallaro
  • Bashar Nuseibeh
Original Article


A key aspect of engineering secure systems is identifying adequate security requirements to protect critical assets from harm. However, security requirements may compete with other requirements such as cost and usability. For this reason, they may only be satisfied partially and must be traded off against other requirements to achieve “good-enough security”. This paper proposes a novel approach to automate security requirements analysis in order to determine maximum achievable satisfaction level for security requirements and identify trade-offs between security and other requirements. We also propose a pruning algorithm to reduce the search space size in the analysis. We represent security concerns and requirements using asset, threat, and goal models, initially proposed in our previous work. To deal with uncertainty and partial requirements, satisfaction security concerns are quantified by leveraging the notion of composite indicators, which are computed through metric functions based on range normalisation. An SMT solver (Z3) interprets the models and automates the execution of our analyses. We illustrate and evaluate our approach by applying it to a substantive example of a service-based application for exchanging emails.


Security requirements Trade-off analysis Goals 


  1. 1.
    Amyot D, Ghanavati S, Horkoff J, Mussbacher G, Peyton L, Yu ESK (2010) Evaluating goal models within the goal-oriented requirement language. Int J Intell Syst 25(8):841–877CrossRefGoogle Scholar
  2. 2.
    Asnar Y, Giorgini P, Mylopoulos J (2011) Goal-driven risk assessment in requirements engineering. Requir Eng 16(2):101–116CrossRefGoogle Scholar
  3. 3.
    Barone D, Jiang L, Amyot D, Mylopoulos J (2011) Reasoning with key performance indicators. In: Proceedings of the 4th IFIP WG 8.1 working conference on the practice of enterprise modeling, Springer, Berlin, pp 82–96Google Scholar
  4. 4.
    Boehm B, Bose P, Horowitz E, Lee MJ (1994) Software requirements as negotiated win conditions. In: Proceeding of the 1st international requirements engineering conference, pp 74–83Google Scholar
  5. 5.
    Cailliau A, van Lamsweerde A (2013) Assessing requirements-related risks through probabilistic goals and obstacles. Requir Eng 18(2):129–146CrossRefGoogle Scholar
  6. 6.
    De Moura L, Bjørner N (2008) Z3: an efficient SMT solver. In: Proceedings of the 14th international conference on tools and algorithms for the construction and analysis of systems, pp 337–340Google Scholar
  7. 7.
    Elahi G, Yu ESK (2007) A goal oriented approach for modeling and analyzing security trade-offs. In: Proceedings of the 26th international conference on conceptual modeling. Springer, Berlin, pp 375–390Google Scholar
  8. 8.
    Feather MS, Cornford SL, Hicks KA, Kiper JD, Menzies T (2008) A broad, quantitative model for making early requirements decisions. IEEE Softw 25(2):49–56CrossRefGoogle Scholar
  9. 9.
    Firesmith D (2004) Specifying reusable security requirements. J Object Technol 3(1):61–75CrossRefGoogle Scholar
  10. 10.
    Franqueira VNL, Tun TT, Yu Y, Wieringa R, Nuseibeh B (2011) Risk and argument: a risk-based argumentation method for practical security. In: Proceedings of the 19th international requirements engineering conference, pp 239–248Google Scholar
  11. 11.
    Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) Modeling security requirements through ownership, permission and delegation. In: Proceedings of the 13th international requirements engineering conference. IEEE Computer Society, pp 167–176Google Scholar
  12. 12.
    Giorgini P, Mylopoulos J, Nicchiarelli E, Sebastiani R (2003) Formal reasoning techniques for goal models. In: Spaccapietra S, March S, Aberer K (eds) Journal on data semantics I. Lecture notes in computer science. Springer, Heidelberg, pp 1–20CrossRefGoogle Scholar
  13. 13.
    Glinz M (2007) On non-functional requirements. In: Proceedings of the 15th international requirements engineering conference. IEEE Computer Society, pp 21–26Google Scholar
  14. 14.
    Haley CB, Laney RC, Moffett JD, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153CrossRefGoogle Scholar
  15. 15.
    Heaven W, Letier E (2011) Simulating and optimising design decisions in quantitative goal models. In: Proceedings of the 19th international requirements engineering conference, pp 79–88Google Scholar
  16. 16.
    Hoffman S (2012) Kaspersky: malware attachments up 50 percent.
  17. 17.
    Horkoff J, Yu ESK (2013) Comparison and evaluation of goal-oriented satisfaction analysis techniques. Requir Eng 18(3):199–222CrossRefGoogle Scholar
  18. 18.
    Houmb S, Georg G, Jürjens J, France R (2007) An integrated security verification and security solution design trade-off analysis approach. In: Integrating security and software engineering: advances and future visions, pp 190–219Google Scholar
  19. 19.
    In HP, Olson D (2004) Requirements negotiation using multi-criteria preference analysis. J Univ Comput Sci 10(4):306–325Google Scholar
  20. 20.
    ISO/IEC 13335–1:2004: Information Technology (2008) Security techniques—management of information and communications technology security—part 1: concepts and models for information and communications technology security management.
  21. 21.
    Jürjens J (2002) UMLsec: extending UML for secure systems development. In: Proceedings of the 5th international conference on the unified modeling language, pp 412–425Google Scholar
  22. 22.
    Kaiya H, Horai H, Saeki M (2002) AGORA: attributed goal-oriented requirements analysis method. In: Proceedings of the 20th international requirements engineering conferenceGoogle Scholar
  23. 23.
    Karlsson J, Ryan K (1997) A cost-value approach for prioritizing requirements. IEEE Softw 14(5):67–74CrossRefGoogle Scholar
  24. 24.
    Lawrence C, Nixon BA, Mylopoulos J (1999) Non-functional requirements in software engineering. Kluwer, DordrechtzbMATHGoogle Scholar
  25. 25.
    Lee S (2011) Probabilistic risk assessment for security requirements: a preliminary study. In: Proceedings of the 5th international conference on secure software integration and reliability improvement. IEEE Computer Society, pp 11–20Google Scholar
  26. 26.
    Letier E, van Lamsweerde A (2004) Reasoning about partial goal satisfaction for requirements and design engineering. In: Proceedings of the international symposium on foundation of software engineering, pp 53–62Google Scholar
  27. 27.
    Liu L, Yu ESK, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. In: Proceedings of the 11th international requirements engineering conference. IEEE Computer Society, pp 151–161Google Scholar
  28. 28.
    Lodderstedt T, Basin DA, Doser J (2002) SecureUML: a UML-based modeling language for model-driven security. In: Proceedings of the 5th international conference on the unified modeling language, pp 426–441Google Scholar
  29. 29.
    Łukasiewicz J (1970) Selected works by Jan Łukasiewicz, chap. on three-valued logic. North-Holland, AmsterdamGoogle Scholar
  30. 30.
    McDermott JP, Fox C (1999) Using abuse case models for security requirements analysis. In: Proceedings of the 15th annual computer security applications conference. IEEE Computer Society, pp 55–64Google Scholar
  31. 31.
    Messaging Anti-Abuse Working Group (MAAWG): Email Metrics Program: The Network Operators’ Perspective, Report 15—first, second and third quarter 2011 (2012).
  32. 32.
    Mills E (2010) The unvarnished truth about unsecured Wi-Fi.
  33. 33.
    Mouratidis H, Giorgini P (2007) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(2):285–309CrossRefGoogle Scholar
  34. 34.
    Nieuwenhuis R, Oliveras A (2006) On SAT modulo theories and optimization problems. In: Proceedings of the 9th international conference on theory and applications of satisfiability testing, pp 156–169Google Scholar
  35. 35.
    Pfleeger CP, Pfleeger SL (2003) Security in computing. Prentice Hall Professional, Englewood CliffszbMATHGoogle Scholar
  36. 36.
    Salehie M, Pasquale L, Inah O, Ali R, Nuseibeh B (2012) Requirements-driven adaptive security: protecting variable assets at runtime. In: Proceedings of the 20th international requirements engineering conference. IEEE Computer Society, pp 111–120Google Scholar
  37. 37.
    Stoneburner G, Goguen A, Feringa A (2002) Risk management guide for information technology systems. Nist Spec Publ 800(30):800–830Google Scholar
  38. 38.
    Tracy M, Jansen W, Bisker S (2002) Guidelines on electronic mail security. NIST Special Publication, Gaithersburg, pp 45–800CrossRefGoogle Scholar
  39. 39.
    US General Services Administration: Email as a Service (EaaS) Blanket Purchase Agreement (BPA) Requirements Document. (2013).
  40. 40.
    van Lamsweerde A (2004) Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th international conference on software engineering. IEEE Computer Society, pp 148–157Google Scholar
  41. 41.
    van Lamsweerde A (2009) Requirements engineering—from system goals to UML models to software specifications. Wiley, LondonGoogle Scholar
  42. 42.
    Wunder J, Halbardier A, Waltermire D (2011) Specification for asset identification 1.1. Tech. Rep. 7693, NISTGoogle Scholar
  43. 43.
    Yen J, Tiao W (1997) A systematic tradeoff analysis for conflicting imprecise requirements. In: Proceedings of the 3rd international symposium on requirements engineering, pp 87–96Google Scholar
  44. 44.
    Zadeh LA (1965) Fuzzy sets. Inf Control 8(3):338–353MathSciNetCrossRefzbMATHGoogle Scholar

Copyright information

© Springer-Verlag London 2015

Authors and Affiliations

  • Liliana Pasquale
    • 1
  • Paola Spoletini
    • 2
    Email author
  • Mazeiar Salehie
    • 1
  • Luca Cavallaro
    • 1
  • Bashar Nuseibeh
    • 1
    • 3
  1. 1.Lero - the Irish Software Engineering Research CentreUniversity of LimerickLimerickIreland
  2. 2.Department of Software Engineering and Game DevelopmentKennesaw State UniversityMariettaUSA
  3. 3.Department of ComputingThe Open UniversityMilton KeynesUK

Personalised recommendations