Security and Trust Requirements Engineering

  • Paolo Giorgini
  • Fabio Massacci
  • Nicola Zannone
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3655)


Integrating security concerns throughout the whole software development process is one of today’s challenges in software and requirements engineering research. A challenge that so far has proved difficult to meet.

The major difficulty is that providing security does not only require to solve technical problems but also to reason on the organization as a whole. This makes the usage of traditional software engineering methologies difficult or unsatisfactory: most proposals focus on protection aspects of security and explicitly deal with low level protection mechanisms and only an handful of them show the ability of capturing the high-level organizational security requirements, without getting suddenly bogged down into security protocols or cryptography algorithms.

In this paper we critically review the state of the art in security requirements engineering and discuss the motivations that led us to propose the Secure Tropos methodology, a formal framework for modelling and analyzing security, that enhances the agent-oriented software development methodology i*/Tropos. We illustrate the Secure Tropos approach, a comprehensive case study, and discuss some later refinements of the Secure Tropos methodology to address some of its shortcomings. Finally, we introduce the ST-Tool, a CASE tool that supports our methodology.


Data Processor Security Requirement Actor Diagram Requirement Engineer Trust Relation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abiteboul, S., Hull, R., Vianu, V.: Foundations of Databases. Addison-Wesley, Reading (1995)zbMATHGoogle Scholar
  2. 2.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: Hippocratic Databases. In: Proc. of VLDB 2002, pp. 143–154. Morgan Kaufmann, San Francisco (2002)Google Scholar
  3. 3.
    Agrawal, R., Kiernan, J., Srikant, R., Xu, Y.: An Implementation of P3P Using Database Technology. In: Bertino, E., Christodoulakis, S., Plexousakis, D., Christophides, V., Koubarakis, M., Böhm, K., Ferrari, E. (eds.) EDBT 2004. LNCS, vol. 2992, pp. 845–847. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  4. 4.
    Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley Computer Publishing, Chichester (2001)Google Scholar
  5. 5.
    Antòn, A.I., Earp, J.B.: A requirements taxonomy for reducing Web site privacy vulnerabilities. Requirements Eng 9(3), 169–185 (2004)CrossRefGoogle Scholar
  6. 6.
    Antòn, A.I., Earp, J.B., Reese, A.: Analyzing Website privacy requirements using a privacy goal taxonomy. In: Proc. of RE 2002, pp. 23–31. IEEE Press, Los Alamitos (2002)Google Scholar
  7. 7.
    Aura, T.: On the Structure of Delegation Networks. In: Proc. of 1998 CSFW, pp. 14–26. IEEE Press, Los Alamitos (1998)Google Scholar
  8. 8.
    Backes, M., Karjoth, G., Bagga, W., Schunter, M.: Efficient comparison of enterprise privacy policies. In: Proc. of SAC 2004 (2004)Google Scholar
  9. 9.
    Backes, M., Pfitzmann, B., Schunter, M.: A Toolkit for Managing Enterprise Privacy Policies. In: Snekkenes, E., Gollmann, D. (eds.) ESORICS 2003. LNCS, vol. 2808, pp. 162–180. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  10. 10.
    Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: An Agent-Oriented Software Development Methodology. JAAMAS 8(3), 203–236 (2004)Google Scholar
  11. 11.
    Castelfranchi, C., Falcone, R.: Principles of trust for MAS: Cognitive anatomy, social importance and quantification. In: Proc. of ICMAS 1998, pp. 72–79. IEEE Press, Los Alamitos (1998)Google Scholar
  12. 12.
    Chung, L.K., Nixon, B.A., Yu, E., Mylopoulos, J.: Non-Functional Requirements in Software Engineering. Kluwer Publishing, Dordrecht (2000)zbMATHGoogle Scholar
  13. 13.
    Cranor, L., Langheinrich, M., Marchiori, M., Reagle, J.: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation (April 2002)Google Scholar
  14. 14.
    Crook, R., Ince, D., Lin, L., Nuseibeh, B.: Security Requirements Engineering: When Anti-requirements Hit the Fan. In: Proc. of RE 2002, pp. 203–205. IEEE Press, Los Alamitos (2002)Google Scholar
  15. 15.
    DeTreville, J.: Binder, a logic-based security language. In: Proc. of 2002 IEEE Symp. on Sec. and Privacy, pp. 95–103. IEEE Press, Los Alamitos (2002)Google Scholar
  16. 16.
    Devanbu, P.T., Stubblebine, S.G.: Software engineering for security: a roadmap. In: Proc. of ICSE 2000, pp. 227–239 (2000)Google Scholar
  17. 17.
    Doan, T., Demurjian, S., Ting, T.C., Ketterl, A.: MAC and UML for secure software design. In: Proc. of FMSE 2004, pp. 75–85. ACM Press, New York (2004)CrossRefGoogle Scholar
  18. 18.
    Ferraiolo, D.F., Sandhu, R., Gavrila, S., Kuhn, D.R., Chandramouli, R.: Proposed nist standard for role-based access control. TISSEC 4(3), 224–274 (2001)CrossRefGoogle Scholar
  19. 19.
    Fredriksen, R., Kristiansenand, M., Stølen, B.A.G.K., Opperud, T.A., Dimitrakos, T.: The CORAS framework for a model-based risk management process. In: Anderson, S., Bologna, S., Felici, M. (eds.) SAFECOMP 2002. LNCS, vol. 2434, pp. 94–105. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  20. 20.
    Fuxman, A., Liu, L., Pistore, M., Roveri, M., Mylopoulos, J.: Specifying and analyzing early requirements: Some experimental results. In: Proc. of RE 2003. IEEE Press, Los Alamitos (2003)Google Scholar
  21. 21.
    Gans, G., Jarke, M., Kethers, S., Lakemeyer, G.: Modeling the Impact of Trust and Distrust in Agent Networks. In: Proc. of AOIS 2001, pp. 45–58 (2001)Google Scholar
  22. 22.
    Gelfond, M., Lifschitz, V.: The stable model semantics for logic programming. In: Proc. of the 5th Int. Conf. on Log. Prog., pp. 1070–1080. MIT Press, Cambridge (1988)Google Scholar
  23. 23.
    Giorgini, P., Massacci, F., Mylopoulos, J.: Requirement Engineering meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard. In: Song, I.-Y., Liddle, S.W., Ling, T.-W., Scheuermann, P. (eds.) ER 2003. LNCS, vol. 2813, pp. 263–276. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  24. 24.
    Giorgini, P., Massacci, F., Mylopoulos, J., Siena, A., Zannone, N.: ST-Tool: A CASE Tool for Modeling and Analyzing Trust Requirements. In: Herrmann, P., Issarny, V., Shiu, S.C.K. (eds.) iTrust 2005. LNCS, vol. 3477, pp. 415–419. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  25. 25.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures. In: Katsikas, S.K., Gritzalis, S., López, J. (eds.) EuroPKI 2004. LNCS, vol. 3093, pp. 98–111. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  26. 26.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Requirements Engineering meets Trust Management: Model, Methodology, and Reasoning. In: Jensen, C., Poslad, S., Dimitrakos, T. (eds.) iTrust 2004. LNCS, vol. 2995, pp. 176–190. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  27. 27.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling Security Requirements Through Ownership, Permission and Delegation. In: Proc. of RE 2005 (2005) (to appear)Google Scholar
  28. 28.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modelling Social and Individual Trust in Requirements Engineering Methodologies. In: Herrmann, P., Issarny, V., Shiu, S.C.K. (eds.) iTrust 2005. LNCS, vol. 3477, pp. 161–176. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  29. 29.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: ST-Tool: A CASE Tool for Security Requirements Engineering. In: Proc. of RE 2005 (2005) (to appear)Google Scholar
  30. 30.
    Guessoum, Z., Ziane, M., Faci, N.: Monitoring and Organizational-Level Adaptation of Multi-Agent Systems. In: Proc. of AAMAS 2004, pp. 514–521. ACM Press, New York (2004)Google Scholar
  31. 31.
    Hannoun, M., Sichman, J.S., Boissier, O., Sayettat, C.: Dependence Relations between Roles in a Multi-Agent System: Towards the Detection of Inconsistencies in Organization. In: Sichman, J.S., Conte, R., Gilbert, N. (eds.) MABS 1998. LNCS (LNAI), vol. 1534, pp. 169–182. Springer, Heidelberg (1998)CrossRefGoogle Scholar
  32. 32.
    He, Q., Antón, A.I.: A Framework for Modeling Privacy Requirements in Role Engineering. In: Proc. of the 9th Int. Workshop on Requirements Eng.: Found. for Software Quality, pp. 137–146 (2003)Google Scholar
  33. 33.
    Jaeger, T., Prakash, A.: Requirements of role-based access control for collaborative systems. In: Proc. of 1st ACM Workshop on Role-Based Access Control, pp. 53–64. ACM Press, New York (1995)Google Scholar
  34. 34.
    Jones, A.J.I., Sergot, M.J.: A Formal Characterisation of Institutionalised Power. J. of the Interest Group in Pure and Appl. Log. 4(3), 429–445 (1996)MathSciNetGoogle Scholar
  35. 35.
    Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)Google Scholar
  36. 36.
    Kaminka, G.A., Pynadath, D.V., Tambe, M.: Monitoring Teams by Overhearing: A Multi-Agent Plan-Recognition Approach. JAIR 17, 83–135 (2002)zbMATHGoogle Scholar
  37. 37.
    Karjoth, G., Schunter, M., Waidner, M.: Platform for Enterprise Privacy Practices: Privacy-enabled Management of Customer Data. In: Dingledine, R., Syverson, P.F. (eds.) PET 2002. LNCS, vol. 2482, pp. 69–84. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  38. 38.
    Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: A logic-based approach to distributed authorization. TISSEC 6(1), 128–171 (2003)CrossRefGoogle Scholar
  39. 39.
    Li, N., Mitchell, J.C., Winsborough, W.H.: Design of A Role-based Trust-management Framework. In: Proc. of 2002 IEEE Symp. on Sec. and Privacy, pp. 114–130. IEEE Press, Los Alamitos (2002)Google Scholar
  40. 40.
    Lin, L.-C., Nuseibeh, B., Ince, D., Jackson, M., Moffett, J.: Analysing Security Threats and Vulnerabilities Using Abuse Frames. Technical Report 2003/10, The Open University (2003)Google Scholar
  41. 41.
    Liu, L., Yu, E.S.K., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. In: Proc. of RE 2003, pp. 151–161. IEEE Press, Los Alamitos (2003)Google Scholar
  42. 42.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-Based Modeling Language for Model-Driven Security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)Google Scholar
  43. 43.
    Massacci, F., Prest, M., Zannone, N.: Using a Security Requirements Engineering Methodology in Practice: The compliance with the Italian Data Protection Legislation. Comp. Standards & Interfaces 27(5), 445–455 (2005); An extended version is available as Technical report DIT-04-103 at,
  44. 44.
    McDermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Proc. of ACSAC 1999, pp. 55–66. IEEE Press, Los Alamitos (1999)Google Scholar
  45. 45.
    Mouratidis, H., Giorgini, P., Manson, G.: Modelling secure multiagent systems. In: Proc. of AAMAS 2003, pp. 859–866. ACM Press, New York (2003)CrossRefGoogle Scholar
  46. 46.
    Nwana, H.: Software agents: An overview. Knowledge Engineering Review J 11(3) (1996)Google Scholar
  47. 47.
    Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. TISSEC 3(2), 85–106 (2000)CrossRefGoogle Scholar
  48. 48.
    Ponemon, L.: What Keeps Security Professionals Up At Night? (April 2003),
  49. 49.
    Ray, I., Li, N., France, R., Kim, D.-K.: Using UML to visualize role-based access control constraints. In: Proc. of SACMAT 2004, pp. 115–124. ACM Press, New York (2004)CrossRefGoogle Scholar
  50. 50.
    Samarati, P., di Vimercati, S.D.C.: Access Control: Policies, Models, and Mechanisms. In: FOSAD 2001/2002. LNCS, vol. 2946, pp. 137–196. Springer, Heidelberg (2001)Google Scholar
  51. 51.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. IEEE Comp. 29(2), 38–47 (1996)Google Scholar
  52. 52.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar
  53. 53.
    Stallings, W.: Cryptography and Network Security: Principles and Practice. Prentice-Hall, Englewood Cliffs (1999)Google Scholar
  54. 54.
    Syrjänen, T.: Lparse 1.0: User’s Manual. Helsinki University of Technology (2000)Google Scholar
  55. 55.
    Toval, A., Olmos, A., Piattini, M.: Legal requirements reuse: a critical success factor for requirements quality and personal data protection. In: Proc. of RE 2002, pp. 95–103. IEEE Press, Los Alamitos (2002)Google Scholar
  56. 56.
    Tryfonas, T., Kiountouzis, E., Poulymenakou, A.: Embedding security practices in contemporary information systems development approaches. Inform. Management and Comp. Sec. 9, 183–197 (2001)CrossRefGoogle Scholar
  57. 57.
    van Gelder, A.: The alternating fixpoint of logic programs with negation. In: Proc. of PODS 1989, pp. 1–10. ACM Press, New York (1989)Google Scholar
  58. 58.
    van Lamsweerde, A., Brohez, S., De Landtsheer, R., Janssens, D.: From System Goals to Intruder Anti-Goals: Attack Generation and Resolution for Security Requirements Engineering. In: Proc. of RHAS 2003, pp. 49–56 (2003)Google Scholar
  59. 59.
    van Lamsweerde, A., Letier, E.: Handling Obstacles in Goal-Oriented Requirements Engineering. TSE 26(10), 978–1005 (2000)Google Scholar
  60. 60.
    Viega, J., McGraw, G.: Building Secure Software. Addison-Wesley, Reading (2001)Google Scholar
  61. 61.
    Yu, E.S.K.: Agent-Oriented Modelling: Software versus the World. In: Wooldridge, M.J., Weiß, G., Ciancarini, P. (eds.) AOSE 2001. LNCS, vol. 2222, pp. 206–225. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  62. 62.
    Zave, P.: Classification of research efforts in requirements engineering. CSUR 29(4), 315–321 (1997)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Paolo Giorgini
    • 1
  • Fabio Massacci
    • 1
  • Nicola Zannone
    • 1
  1. 1.Department of Information and Communication TechnologyUniversity of TrentoItaly

Personalised recommendations