A Combined Process for Elicitation and Analysis of Safety and Security Requirements

  • Conference paper
Enterprise, Business-Process and Information Systems Modeling (BPMDS 2012, EMMSAD 2012)

Abstract

The aims of safety and security assessments are very similar, since both consider harm during system development. However, they use different means and are performed in separate processes. As the safety and security areas merge in new systems that are both critical and more openly interconnected, the two processes need to be related during development. A combined assessment process could save resources compared to separate safety and security assessments, and could also support the understanding of mutual constraints and the resolution of conflicts between the two areas. We suggest a combined method covering the harm identification and analysis part of the assessment process, using UML-based models. The process is applied to a case from the Air Traffic Management domain. Experts’ opinions about the results have also been collected as feedback.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Raspotnig, C., Karpati, P., Katta, V. (2012). A Combined Process for Elicitation and Analysis of Safety and Security Requirements. In: Bider, I., et al. (eds.) Enterprise, Business-Process and Information Systems Modeling. BPMDS EMMSAD 2012. Lecture Notes in Business Information Processing, vol. 113. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31072-0_24

  • DOI: https://doi.org/10.1007/978-3-642-31072-0_24

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-31071-3

  • Online ISBN: 978-3-642-31072-0

  • eBook Packages: Computer Science (R0)