Advertisement

Dealing with Security Requirements for Socio-Technical Systems: A Holistic Approach

  • Tong Li
  • Jennifer Horkoff
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8484)

Abstract

Security has been a growing concern for most large organizations, especially financial and government institutions, as security breaches in the socio-technical systems they depend on are costing billions. A major reason for these breaches is that socio-technical systems are designed in a piecemeal rather than a holistic fashion that leaves parts of a system vulnerable. To tackle this problem, we propose a three-layer security analysis framework for socio-technical systems involving business processes, applications and physical infrastructure. In our proposal, global security requirements lead to local security requirements that cut across layers and upper-layer security analysis influences analysis at lower layers. Moreover, we propose a set of analytical methods and a systematic process that together drive security requirements analysis throughout the three-layer framework. Our proposal supports analysts who are not security experts by defining transformation rules that guide the corresponding analysis. We use a smart grid example to illustrate our approach.

Keywords

Security Requirements Goal Model Multilayer Socio-Technical System Security Pattern 

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Carpenter, M., Goodspeed, T., Singletary, B., Skoudis, E., Wright, J.: Advanced metering infrastructure attack methodology. InGuardians White Paper (2009)Google Scholar
  2. 2.
    Chung, L.: Dealing with security requirements during the development of information systems. In: Rolland, C., Cauvet, C., Bodart, F. (eds.) CAiSE 1993. LNCS, vol. 685, pp. 234–251. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  3. 3.
    Chung, L., Supakkul, S.: Representing nfrs and frs: A goal-oriented and use case driven approach. In: Dosch, W., Lee, R.Y., Wu, C. (eds.) SERA 2004. LNCS, vol. 3647, pp. 29–41. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  4. 4.
    Firesmith, D.: Specifying reusable security requirements. Journal of Object Technology 3(1), 61–75 (2004)CrossRefGoogle Scholar
  5. 5.
    Flick, T., Morehouse, J.: Securing the smart grid: next generation power grid security. Elsevier (2010)Google Scholar
  6. 6.
    Giorgini, P., Massacci, F., Zannone, N.: Security and trust requirements engineering. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2005. LNCS, vol. 3655, pp. 237–272. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. 7.
    Gross, D., Yu, E.: From non-functional requirements to design through patterns. Requirements Engineering 6(1), 18–36 (2001)CrossRefzbMATHMathSciNetGoogle Scholar
  8. 8.
    Hafiz, M., Adamczyk, P., Johnson, R.E.: Organizing security patterns. IEEE Software 24(4), 52–60 (2007)CrossRefGoogle Scholar
  9. 9.
    Herrmann, P., Herrmann, G.: Security requirement analysis of business processes. Electronic Commerce Research 6(3-4), 305–335 (2006)CrossRefGoogle Scholar
  10. 10.
    Jureta, I., Borgida, A., Ernst, N., Mylopoulos, J.: Techne: Towards a new generation of requirements modeling languages with goals, preferences, and inconsistency handling. In: Proc. of RE 2010, pp. 115–124 (2010)Google Scholar
  11. 11.
    Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proc. of RE 2003, Monterey, California, pp. 151–161 (2003)Google Scholar
  12. 12.
    Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: Proceedings of International Conference on Availability, Reliability and Security, ARES 2009, pp. 41–48. IEEE (2009)Google Scholar
  13. 13.
    Mouratidis, H., Giorgini, P.: A natural extension of tropos methodology for modelling security. In: Proc. of the Agent Oriented Methodologies Workshop (OOPSLA 2002). Citeseer, Seattle (2002)Google Scholar
  14. 14.
    Mouratidis, H., Jurjens, J.: From goal-driven security requirements engineering to secure design. International Journal of Intelligent System 25(8), 813–840 (2010)CrossRefGoogle Scholar
  15. 15.
    Rodríguez, A., Fernández-Medina, E., Trujillo, J., Piattini, M.: Secure business process model specification through a uml 2.0 activity diagram profile. Decision Support Systems 51(3), 446–465 (2011)CrossRefGoogle Scholar
  16. 16.
    de Rodríguez, G.I.G.R., Fernández-Medina, E., Piattini, M.: Semi-formal transformation of secure business processes into analysis class and use case models: An mda approach. Information and Software Technology 52(9), 945–971 (2010)CrossRefGoogle Scholar
  17. 17.
    Scandariato, R., Yskout, K., Heyman, T., Joosen, W.: Architecting software with security patterns. Tech. rep., KU Leuven (2008)Google Scholar
  18. 18.
    Schneier, B.: Attack trees. Dr. Dobb’s Journal 24(12), 21–29 (1999)Google Scholar
  19. 19.
    Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P.: Security Patterns: Integrating security and systems engineering. John Wiley & Sons (2013)Google Scholar
  20. 20.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Engineering 10(1), 34–44 (2005)CrossRefGoogle Scholar
  21. 21.
    Van Lamsweerde, A., Letier, E.: Handling obstacles in goal-oriented requirements engineering. IEEE Transactions on Software Engineering 26(10), 978–1005 (2000)CrossRefGoogle Scholar
  22. 22.
    Yu, E.: Towards modelling and reasoning support for early-phase requirements Engineering, pp. 226–235. IEEE Computer Soc. Press (1997)Google Scholar
  23. 23.
    Zave, P., Jackson, M.: Four dark corners of requirements engineering. ACM Trans. Softw. Eng. Methodol. 6(1), 1–30 (1997)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Tong Li
    • 1
  • Jennifer Horkoff
    • 1
  1. 1.University of TrentoTrentoItaly

Personalised recommendations