Dealing with Security Requirements for Socio-Technical Systems: A Holistic Approach

  • Tong Li
  • Jennifer Horkoff
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8484)


Security has been a growing concern for most large organizations, especially financial and government institutions, as security breaches in the socio-technical systems they depend on are costing billions. A major reason for these breaches is that socio-technical systems are designed in a piecemeal rather than a holistic fashion that leaves parts of a system vulnerable. To tackle this problem, we propose a three-layer security analysis framework for socio-technical systems involving business processes, applications and physical infrastructure. In our proposal, global security requirements lead to local security requirements that cut across layers and upper-layer security analysis influences analysis at lower layers. Moreover, we propose a set of analytical methods and a systematic process that together drive security requirements analysis throughout the three-layer framework. Our proposal supports analysts who are not security experts by defining transformation rules that guide the corresponding analysis. We use a smart grid example to illustrate our approach.


Keywords: Security Requirements, Goal Model, Multilayer, Socio-Technical System, Security Pattern





Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Tong Li (1)
  • Jennifer Horkoff (1)
  1. University of Trento, Trento, Italy
