Abstract
The aims of safety and security assessments are very similar, since both consider harm during system development. However, they apply different means and are performed in separate processes. As safety and security concerns are merging in new systems that are both critical and more openly interconnected, there is a need to relate the two processes during development. A combined assessment process could save resources compared to separate safety and security assessments, and also support the understanding of mutual constraints and the resolution of conflicts between the two areas. We suggest a combined method covering the harm identification and analysis part of the assessment process, using UML-based models. The process is applied to a case from the Air Traffic Management domain. Experts’ opinions about the results have also been collected as feedback.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
Raspotnig, C., Karpati, P., Katta, V. (2012). A Combined Process for Elicitation and Analysis of Safety and Security Requirements. In: Bider, I., et al. (eds.) Enterprise, Business-Process and Information Systems Modeling. BPMDS/EMMSAD 2012. Lecture Notes in Business Information Processing, vol. 113. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31072-0_24
DOI: https://doi.org/10.1007/978-3-642-31072-0_24
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31071-3
Online ISBN: 978-3-642-31072-0