49,751 research outputs found
Picking battles: The impact of trust assumptions on the elaboration of security requirements
This position paper describes work on trust assumptions in the con-text of security requirements. We show how trust assumptions can affect the scope of the analysis, derivation of security requirements, and in some cases how functionality is realized. An example shows how trust assumptions are used by a requirements engineer to help define and limit the scope of analysis and to document the decisions made during the process
Responsibility modelling for civil emergency planning
This paper presents a new approach to analysing and understanding civil emergency planning based on the notion of responsibility modelling combined with HAZOPS-style analysis of information requirements. Our goal is to represent complex contingency plans so that they can be more readily understood, so that inconsistencies can be highlighted and vulnerabilities discovered. In this paper, we outline the framework for contingency planning in the United Kingdom and introduce the notion of responsibility models as a means of representing the key features of contingency plans. Using a case study of a flooding emergency, we illustrate our approach to responsibility modelling and suggest how it adds value to current textual contingency plans
Exploratory Study of the Privacy Extension for System Theoretic Process Analysis (STPA-Priv) to elicit Privacy Risks in eHealth
Context: System Theoretic Process Analysis for Privacy (STPA-Priv) is a novel
privacy risk elicitation method using a top down approach. It has not gotten
very much attention but may offer a convenient structured approach and
generation of additional artifacts compared to other methods. Aim: The aim of
this exploratory study is to find out what benefits the privacy risk
elicitation method STPA-Priv has and to explain how the method can be used.
Method: Therefore we apply STPA-Priv to a real world health scenario that
involves a smart glucose measurement device used by children. Different kinds
of data from the smart device including location data should be shared with the
parents, physicians, and urban planners. This makes it a sociotechnical system
that offers adequate and complex privacy risks to be found. Results: We find
out that STPA-Priv is a structured method for privacy analysis and finds
complex privacy risks. The method is supported by a tool called XSTAMPP which
makes the analysis and its results more profound. Additionally, we learn that
an iterative application of the steps might be necessary to find more privacy
risks when more information about the system is available later. Conclusions:
STPA-Priv helps to identify complex privacy risks that are derived from
sociotechnical interactions in a system. It also outputs privacy constraints
that are to be enforced by the system to ensure privacy.Comment: author's post-prin
Recommended from our members
Arguing satisfaction of security requirements
This chapter presents a process for security requirements elicitation and analysis,
based around the construction of a satisfaction argument for the security of a
system. The process starts with the enumeration of security goals based on assets
in the system, then uses these goals to derive security requirements in the form of
constraints. Next, a satisfaction argument for the system is constructed, using a
problem-centered representation, a formal proof to analyze properties that can be
demonstrated, and structured informal argumentation of the assumptions exposed
during construction of the argument. Constructing the satisfaction argument can
expose missing and inconsistent assumptions about system context and behavior
that effect security, and a completed argument provides assurances that a system
can respect its security requirements
On the Role of Primary and Secondary Assets in Adaptive Security: An Application in Smart Grids
peer-reviewedAdaptive security aims to protect valuable assets
managed by a system, by applying a varying set of security
controls. Engineering adaptive security is not an easy task. A
set of effective security countermeasures should be identified.
These countermeasures should not only be applied to (primary)
assets that customers desire to protect, but also to other
(secondary) assets that can be exploited by attackers to harm
the primary assets. Another challenge arises when assets vary
dynamically at runtime. To accommodate these variabilities, it
is necessary to monitor changes in assets, and apply the most
appropriate countermeasures at runtime. The paper provides
three main contributions for engineering adaptive security.
First, it proposes a modeling notation to represent primary
and secondary assets, along with their variability. Second,
it describes how to use the extended models in engineering
security requirements and designing required monitoring functions.
Third, the paper illustrates our approach through a set
of adaptive security scenarios in the customer domain of a
smart grid. We suggest that modeling secondary assets aids
the deployment of countermeasures, and, in combination with
a representation of assets variability, facilitates the design of
monitoring function
Arguing security: validating security requirements using structured argumentation
This paper proposes using both formal and structured informal arguments to show that an eventual realized system can satisfy its security requirements. These arguments, called 'satisfaction arguments', consist of two parts: a formal argument based upon claims about domain properties, and a set of informal arguments that justify the claims. Building on our earlier work on trust assumptions and security requirements, we show how using satisfaction arguments assists in clarifying how a system satisfies its security requirements, in the process identifying those properties of domains that are critical to the requirements
Toward optimal multi-objective models of network security: Survey
Information security is an important aspect of a successful business today. However, financial difficulties and budget cuts create a problem of selecting appropriate security measures and keeping networked systems up and running. Economic models proposed in the literature do not address the challenging problem of security countermeasure selection. We have made a classification of security models, which can be used to harden a system in a cost effective manner based on the methodologies used. In addition, we have specified the challenges of the simplified risk assessment approaches used in the economic models and have made recommendations how the challenges can be addressed in order to support decision makers
- …