Skip to main content
SpringerLink
Log in

Requirement Engineering Meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard

  • Conference paper
Conceptual Modeling - ER 2003 (ER 2003)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 2813))

Included in the following conference series:

Abstract

Computer Security is one of today’s hot topic and the need for conceptual models of security features have brought up a number of proposals ranging from UML extensions to novel conceptual models. What is still missing, however, are models that focus on high-level security requirements, without forcing the modeler to immediately get down to security mechanisms. The modeling process itself should make it clear why encryption, authentication or access control are necessary, and what are the tradeoffs, if they are selected. In this paper we show that the i*/Tropos framework lacks the ability to capture these essential features and needs to be augmented. To motivate our proposal, we build upon a substantial case study – the modeling of the Secure Electronic Transactions e-commerce suites by VISA and MasterCard – to identify missing modeling features. In a nutshell, the key missing concept is the separation of the notion of offering a service (of a handling data, performing a task or fulfilling a goal) and ownership of the very same service. This separation is what makes security essential. The ability of the methodology to model a clear dependency relation between those offering a service (the merchant processing a credit card number), those requesting the service (the bank debiting the payment), and those owning the very same data (the cardholder), make security solutions emerge as a natural consequence of the modeling process.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Anderson, R.: Security Engineering – a Guide to Building Dependable Distributed Systems. Wiley and Sons, Chichester (2003)

    Google Scholar 

  2. Bella, G., Massacci, F., Paulson, L.C.: The verification of an industrial payment protocol: The SET purchase phase. In: Atluri, V. (ed.) 9th ACM Conference on Computer and Communications Security, pp. 12–20. ACM Press, New York (2002)

    Chapter  Google Scholar 

  3. Bella, G., Massacci, F., Paulson, L.C.: Verifying the SET registration protocols. IEEE Journal on Selected Areas on Communications 21(1) (2003) (in press)

    Google Scholar 

  4. Castro, J., Kolp, M., Mylopoulos, J.: Towards Requirements-Driven Information Systems Engineering: The Tropos Project. In: Information Systems. Elsevier, Amsterdam (2003) (to appear)

    Google Scholar 

  5. Devambu, P.T., Stubbelbine, S.: Software engineering for security: a roadmap. In: Future of Software Engineering. The proceedings of the 22nd International Conference on Software Engineering (ICSE 2000), pp. 227–239 (2000)

    Google Scholar 

  6. Jézéquel, J.-M., Hußmann, H., Cook, S. (eds.): UML 2002. LNCS, vol. 2460. Springer, Heidelberg (2002)

    MATH  Google Scholar 

  7. Jézéquel, J.-M., Hußmann, H., Cook, S. (eds.): SecureUML: A UML-Based Modeling Language for Model-Driven Security. LNCS, vol. 2460. Springer, Heidelberg (2002)

    Google Scholar 

  8. Jürjens, J.: Modelling audit security for smart-card payment schemes with UMLsec. In: 16th International Conference on Information Security (IFIP/SEC 2001). Kluwer, AP (2001)

    Google Scholar 

  9. Jürjens, J.: Towards secure systems development with umlsec. In: Hussmann, H. (ed.) FASE 2001. LNCS, vol. 2029, p. 187. Springer, Heidelberg (2001)

    Chapter  Google Scholar 

  10. Jürjens, J.: UMLsec: Extending UML for secure systems development. In: Jézéquel et al. [6]

    Google Scholar 

  11. Jürjens, J.: Using UMLsec and Goal-Trees for secure systems development. In: Symposium of Applied Computing (SAC 2002). ACM Press, New York (2002)

    Google Scholar 

  12. Liu, L., Yu, E., Mylopoulos, J.: Analyzing Security Requirements as Relationships Among Strategic Actors. In: Proceedings of the 2nd Symposium on Requirements Engineering for Information Security (SREIS 2002), Raleigh, North Carolina (2002)

    Google Scholar 

  13. Lodderstedt, T., Basin, D.A., Doser, J.: Model driven security for processoriented systems. In: 8th ACM Symposium on Access Control Models and Technologies (2003)

    Google Scholar 

  14. Mastercard & VISA. SET Secure Electronic Transaction Specification: Business Description (May 1997), Available electronically at http://www.setco.org/set_specifications.html

  15. Mastercard & VISA. SET Secure Electronic Transaction Specification: Programmer’s Guide (May 1997), Available electronically at http://www.setco.org/set_specifications.html

  16. McGraw, G., Viega, J.: Building Secure Software. Addison Wesley Professional computing (2001)

    Google Scholar 

  17. Mouratidis, H., Giorgini, P., Manson, G.: Integrating security and systems engineering: Towards the modelling of secure information systems. In: Eder, J., Missikoff, M. (eds.) CAiSE 2003. LNCS, vol. 2681. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  18. Mouratidis, H., Giorgini, P., Manson, G.: Modelling secure multiagent systems. In: Proceedings of the 2nd International Joint Conference on Autonomous Agents and Multiagent Systems, AAMAS (2003)

    Google Scholar 

  19. O’Mahony, D., Peirce, M., Tewari, H.: Electronic payment systems. The Artech House computer science library. Artech House (1997)

    Google Scholar 

  20. Paller, A.: Alert: Large criminal hacker attack on Windows NTE-banking and Ecommerce sites. SANS Institute (March 2001), On the Internet at http://www.sans.org/newlook/alerts/NTE-bank.htm

  21. Perini, A., Bresciani, P., Giunchiglia, F., Giorgini, P., Mylopoulos, J.: A Knowledge Level Software Engineering Methodology for Agent Oriented Programming. In: Proc. of the 5th Int. Conference on Autonomous Agents, Montreal CA, May 2001. ACM, New York (2001)

    Google Scholar 

  22. Yu, E., Cysneiros, L.: Designing for Privacy and Other Competing Requirements. In: Proceedings of the 2nd Symposium on Requirements Engineering for Information Security (SREIS 2002), Raleigh, North Carolina (2002)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Information and Communication Technology, University of Trento, Italy

    Paolo Giorgini, Fabio Massacci & John Mylopoulos

  2. Deptartment of Computer Science, University of Toronto, Canada

    John Mylopoulos

Authors
  1. Paolo Giorgini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Fabio Massacci
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. John Mylopoulos
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. College of Information Science and Technology, Drexel University, USA

    Il-Yeol Song

  2. Information Systems Department, Brigham Young Univeristy, 84602, Provo, Utah, USA

    Stephen W. Liddle

  3. School of Computing, National University of Singapore,  

    Tok-Wang Ling

  4. Dept. of EECS, Northwestern Univ.,  

    Peter Scheuermann

Rights and permissions

Reprints and permissions

Copyright information

© 2003 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Giorgini, P., Massacci, F., Mylopoulos, J. (2003). Requirement Engineering Meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard. In: Song, IY., Liddle, S.W., Ling, TW., Scheuermann, P. (eds) Conceptual Modeling - ER 2003. ER 2003. Lecture Notes in Computer Science, vol 2813. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-39648-2_22

Download citation

  • DOI: https://doi.org/10.1007/978-3-540-39648-2_22

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-20299-8

  • Online ISBN: 978-3-540-39648-2

  • eBook Packages: Springer Book Archive

Publish with us

Policies and ethics

Search

Navigation