Abstract
The level of compliance with security certification requirements is the primary driver of the decision to accredit a software system for operation at an acceptable level of risk. However, given the complexity of current software systems, the large number of natural-language Certification and Accreditation (C&A) requirements, and the ad-hoc processes used to assess compliance, this decision is often based on the subjective judgment of the designated officials rather than on well-designed metrics and measures. This chapter presents our ongoing research on an ontology-guided process for building "formal metrics" for understanding risk from the informal specification of security requirements and the related evidence collected during the C&A process. The transformation of informal sources (in the problem space) into a representation that supports well-defined metrics (in the solution space) is realized through a combination of knowledge-engineering and requirements-engineering techniques. Our research outlines a methodological approach to developing and understanding metrics using the structured representation of regulatory security requirements in a problem domain ontology. The metrics derived from the domain ontology create a traceable chain of analytical reasoning back to software artifacts (e.g., requirements, design, and code). We demonstrate the feasibility of our findings through their application to a security C&A process and the resulting tool suite.
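As an added illustration that is not part of the chapter (the chapter's own ontology, metric definitions and tool suite are not reproduced here), the Python below sketches one way a requirement-to-evidence-to-artifact chain can carry a derived compliance metric while keeping the trace back to the artifacts. The requirement ids, artifacts, numeric status scale, weights and the choice to count requirements without evidence as non-compliant are all constructed assumptions for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Numeric level for the assessed status of one piece of evidence.
# This scale is a constructed assumption for the example, not the chapter's.
STATUS_LEVEL = {"compliant": 1.0, "partial": 0.5, "non_compliant": 0.0}


@dataclass
class Artifact:
    """A software artifact (design, code, test, ...) referenced as evidence."""
    artifact_id: str
    kind: str
    path: str


@dataclass
class Evidence:
    """Evidence collected in the C&A process: an artifact plus its assessed status."""
    artifact: Artifact
    status: str          # one of STATUS_LEVEL
    weight: float = 1.0  # relative importance of this evidence item


@dataclass
class Requirement:
    """A regulatory security requirement, typed by its ontology category."""
    req_id: str
    text: str
    category: str
    evidence: List[Evidence] = field(default_factory=list)


class DomainOntology:
    """Minimal requirement -> evidence -> artifact graph with derived metrics."""

    def __init__(self) -> None:
        self.requirements: Dict[str, Requirement] = {}

    def add(self, req: Requirement) -> None:
        self.requirements[req.req_id] = req

    def compliance(self, req_id: str) -> Optional[float]:
        """Weighted mean evidence level in [0, 1]; None when no evidence exists."""
        req = self.requirements[req_id]
        if not req.evidence:
            return None
        total_weight = sum(e.weight for e in req.evidence)
        return sum(STATUS_LEVEL[e.status] * e.weight for e in req.evidence) / total_weight

    def gaps(self) -> List[str]:
        """Requirements with no supporting evidence at all (a finding in itself)."""
        return sorted(r for r, req in self.requirements.items() if not req.evidence)

    def category_risk(self) -> Dict[str, float]:
        """Risk per ontology category as 1 - mean compliance.
        Requirements without evidence count as non-compliant (conservative choice)."""
        scores: Dict[str, List[float]] = {}
        for req in self.requirements.values():
            c = self.compliance(req.req_id)
            scores.setdefault(req.category, []).append(0.0 if c is None else c)
        return {cat: 1.0 - sum(v) / len(v) for cat, v in scores.items()}

    def trace(self, req_id: str) -> List[Tuple[str, str, str, str, str]]:
        """Traceability chain: (requirement, artifact id, kind, path, status)."""
        req = self.requirements[req_id]
        return [(req.req_id, e.artifact.artifact_id, e.artifact.kind,
                 e.artifact.path, e.status) for e in req.evidence]


def build_sample_ontology() -> DomainOntology:
    """Constructed sample data; requirement ids, texts and artifacts are invented."""
    ont = DomainOntology()
    design = Artifact("D-7", "design", "docs/admin-roles.md")
    code = Artifact("C-12", "code", "src/auth/rbac.py")
    test = Artifact("T-3", "test", "tests/test_audit_log.py")
    ont.add(Requirement("AC-1", "Administrative accounts operate with least privilege",
                        "access_control",
                        [Evidence(design, "compliant", 1.0), Evidence(code, "partial", 2.0)]))
    # No evidence yet: surfaces as a gap and drags the category risk up.
    ont.add(Requirement("AC-2", "Accounts lock after repeated failed logins", "access_control"))
    ont.add(Requirement("AU-1", "Audit records carry user id and timestamp", "audit",
                        [Evidence(test, "compliant")]))
    return ont


if __name__ == "__main__":
    ont = build_sample_ontology()
    for rid in ont.requirements:
        print(rid, ont.compliance(rid))
    print("gaps:", ont.gaps())
    print("risk by category:", ont.category_risk())
    for link in ont.trace("AC-1"):
        print("trace:", link)
```

The point of the `trace` method is that every number reported by `category_risk` can be walked back to the individual artifact and assessment it came from, which is what makes such a metric auditable rather than a bare score; the `gaps` check exists because a requirement with no evidence is a different finding from one with weak evidence and should not silently average away.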
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
Cite this chapter
Gandhi, R., Lee, SW. (2009). Ontology Guided Risk Analysis: From Informal Specifications to Formal Metrics. In: Ras, Z.W., Ribarsky, W. (eds) Advances in Information and Intelligent Systems. Studies in Computational Intelligence, vol 251. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04141-9_11
DOI: https://doi.org/10.1007/978-3-642-04141-9_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04140-2
Online ISBN: 978-3-642-04141-9