A Systematic Approach to Define the Domain of Information System Security Risk Management

  • Éric Dubois
  • Patrick Heymans
  • Nicolas Mayer
  • Raimundas Matulevičius
Chapter

Abstract

Today, security concerns are at the heart of information systems, both at technological and organizational levels. With over 200 practitioner-oriented risk management methods and several academic security modelling frameworks available, a major challenge is to select the most suitable approach. Choice is made even more difficult by the absence of a real understanding of the security risk management domain and its ontology of related concepts. This chapter contributes to the emergence of such an ontology. It proposes and applies a rigorous approach to build an ontology, or domain model, of information system security risk management. The proposed domain model can then be used to compare, select or otherwise improve security risk management methods.

Notes

Acknowledgments

Thanks to Germain Saval for his help in editing this chapter. And finally, we would like to express our immense gratitude to Colette Rolland for showing us the way.


Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Éric Dubois (1)
  • Patrick Heymans (2)
  • Nicolas Mayer (1)
  • Raimundas Matulevičius (3)
  1. Centre de Recherche Public Henri Tudor, Luxembourg-Kirchberg, Luxembourg
  2. University of Namur (FUNDP), PReCISE Research Center, Namur, Belgium
  3. Institute of Computer Science, University of Tartu, Tartu, Estonia