6 research outputs found

    A Template-Based Approach To Write Complete Security Requirements For Software Development Environment

    Writing quality security requirements contributes to the success of secure software development. It has been common practice to add security requirements to a software system only after the system has been defined, and deferring them to this later stage increases the risk of security vulnerabilities in the resulting software. The process of writing security requirements is, however, tedious and complex. Existing work shows gaps of two kinds, method-related and people-related. The method-related gaps are the lack of checks on the completeness of security requirements, of security requirements templates, of security standards used as references, and of automated tool support for validation. The people-related gaps are inexperienced requirements engineers, minimal involvement of the technical team in defining security requirements, and language barriers. Motivated by these gaps, the main objective of this study is to propose a template-based approach that helps requirements engineers and client stakeholders write complete security requirements. The approach combines a template with three measures: security requirements density, computed as a probability ratio; syntax-based density, computed as lexical density; and completeness prioritization by numerical assignment. Two new pattern libraries, SecLib and SRCLib, were developed to validate the syntax and the completeness of security requirements, and an automated tool, SecureMEReq, was built to realize the approach. Finally, a comprehensive evaluation was conducted, comprising a comparison between the manual process and the automated tool as well as a usability test.
In summary, the evaluation findings show that the approach contributes to the body of knowledge of requirements engineering, especially in enhancing the completeness of written security requirements. The approach raised the completeness level of security requirements compared with the manual approach and generated complete sets of security requirements. The usability tests show that the approach is useful and helpful for eliciting complete security requirements for software development and that it eases the security requirements elicitation process.
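As an added illustration of the three ingredients the abstract names (a template whose slots a requirement must fill, lexical density as a syntax measure, and numerical prioritization of the least complete statements), the Python below checks requirement sentences against a slot template, scores them, and ranks them. This is example code written for this page, not the thesis's SecLib/SRCLib patterns or its SecureMEReq tool; the slot names, regular expressions, stop-word list and sample requirements are all assumptions constructed for the example.

```python
"""Template-based completeness check for security requirement statements.

Illustrative only: slot names, patterns, stop words and cut-offs are assumptions
made for this example, not the SecLib/SRCLib pattern libraries of the thesis.
"""
import re
from dataclasses import dataclass

# Constructed template: a "complete" security requirement fills every slot.
TEMPLATE_SLOTS = {
    "actor":     r"\b(the (system|application|server|service)|users?|administrators?)\b",
    "modal":     r"\bshall\b",
    "action":    r"\b(encrypt|authenticat|authoriz|log|validat|sanitiz|hash|restrict|lock|expir|reject|verif)\w*",
    "asset":     r"\b(password|credential|session|data|record|file|token|request|account|message)s?\b",
    "condition": r"\b(when|if|before|after|within|during|unless)\b",
    "property":  r"\b(confidentiality|integrity|availability|authenticity|non-repudiation|accountability)\b",
}

# Assumed stop-word list; content words are approximated as everything not in it.
STOP_WORDS = {
    "a", "an", "the", "to", "of", "and", "or", "be", "is", "are", "was", "were",
    "it", "its", "them", "they", "this", "that", "these", "those", "with", "for",
    "in", "on", "at", "by", "from", "as", "must", "shall", "should", "will",
    "can", "may", "not",
}


def lexical_density(text):
    """Share of content words among all words of the sentence (0.0 for empty input)."""
    words = re.findall(r"[a-z][a-z'-]*", text.lower())
    if not words:
        return 0.0
    return sum(w not in STOP_WORDS for w in words) / len(words)


@dataclass
class Assessment:
    requirement: str
    filled: dict          # slot name -> matched text, or None when the slot is missing
    completeness: float   # filled slots / all slots
    density: float        # lexical density of the sentence

    def missing(self):
        """Slots the requirement does not fill, in template order."""
        return [slot for slot, hit in self.filled.items() if hit is None]


def assess(requirement):
    """Match every template slot against the sentence and score it."""
    filled = {}
    for slot, pattern in TEMPLATE_SLOTS.items():
        m = re.search(pattern, requirement, re.IGNORECASE)
        filled[slot] = m.group(0) if m else None
    completeness = sum(v is not None for v in filled.values()) / len(TEMPLATE_SLOTS)
    return Assessment(requirement, filled, completeness, lexical_density(requirement))


def prioritize(requirements):
    """Numerical assignment: priority 1 goes to the requirement needing the most rework."""
    assessed = sorted((assess(r) for r in requirements),
                      key=lambda a: (a.completeness, a.density))
    return [(rank, a) for rank, a in enumerate(assessed, start=1)]


if __name__ == "__main__":
    # Constructed sample requirements, one complete and one vague.
    samples = [
        "The system shall encrypt stored passwords using a salted hash before "
        "writing them to the database to preserve confidentiality.",
        "Passwords must be secure.",
    ]
    for rank, a in prioritize(samples):
        print(f"priority {rank}: completeness={a.completeness:.2f} "
              f"density={a.density:.2f} missing={a.missing()}")
```

Running the block ranks the vague statement first because it fills only the asset slot; the complete one fills all six. The slot regexes are deliberately simple; a real pattern library would need a proper grammar, but the scoring and ranking logic is the same.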

    Usable Security Heuristics for Instant Messaging Application Development

    As instant messaging (IM) applications have become more popular, the privacy and security concerns associated with their use have become ever more relevant. Like many software programs, IM applications have a history of security vulnerabilities. Although IM application usage is increasing globally, no generally recognised standards currently exist to aid IM application developers in making the security features they implement usable. The problem is exacerbated by research suggesting that typical users have neither the understanding of the available IM security features nor the capacity to make full use of them. The primary objective of this study is to create a set of usable security heuristics that help developers of IM applications consider the usability of the security features they implement. This primary objective is divided into several secondary objectives that collectively address the problem: to determine IM security risks and their implications for users; to identify and investigate existing security and usability heuristics, guidelines, standards and best practices for mobile application development; to map those heuristics, guidelines, standards and best practices to IM applications; and to develop a prototype that demonstrates the applicability of the proposed usable security heuristics to a typical IM application. First, a comprehensive literature study is used to determine and understand the information security threats relevant to IM applications, how IM applications operate, the security features they implement and the potential impact of the relevant threats on IM application users.
Thereafter, a further literature review and content analysis are used to identify and investigate existing heuristics, guidelines, standards and best practices for mobile application development. The findings of the content analysis, combined with the previously identified threats to IM applications, are mapped to IM applications, and a preliminary set of usable security heuristics for IM application development is established. This preliminary set undergoes multiple iterations of refinement to produce the proposed set of usable security heuristics for IM application development. An expert review is then conducted to validate the proposed set from the perspectives of security, usability and mobile application development, and to determine the efficacy, utility and quality of the heuristics. To validate the proposed heuristics further, a proof-of-concept prototype demonstrates their applicability to a typical IM application. Such a set of usable security heuristics would be useful to IM application developers and would result in improved implementation of usable security, leading to an improvement in the security of IM applications. The proposed set of usable security heuristics therefore adds a further contribution to this research area and provides a solid foundation for future research. Thesis (MA) -- Faculty of Engineering, the Built Environment, and Technology, 202

    A Readiness Model for Secure Requirements Engineering


    A Dynamic Risk-Based Access Control Approach: Model and Implementation

    Access control (AC) refers to the mechanisms and policies that restrict access to the physical or virtual resources of an information system. AC approaches represent the mechanisms and policies by which users are granted access, and specific access privileges, to the resources or information of the system. Traditional AC approaches include attribute-based access control (ABAC), mandatory access control (MAC), discretionary access control (DAC) and role-based access control (RBAC). Emerging approaches include risk-adaptive access control (RAdAC), in which the access decision adapts to the specific situation. However, both traditional and emerging AC approaches rely on static, pre-defined risk mitigation tasks and do not support adapting the AC risk mitigation process (RMP): they provide no mechanisms or automated support for constructing RMPs and adapting them to give more flexible, custom-tailored responses to specific situations in order to minimize risk. Further, although existing AC approaches can operate in several knowledge domains at once, they do not explicitly account for the relationships among risks in different dimensions, e.g. security and productivity. In addition, although in the real world risks accumulate over time, existing AC approaches do not adequately provide for risk resolution in situations where risk accumulates as different dangerous tasks affect the risk measures.
This thesis presents the definition, the implementation and the application, through two case studies, of a novel AC risk-mitigation approach that combines dynamic RMP construction with risk assessment extended to include forecasting based on multiple risk-related utilities and events; supports a dynamic risk assessment that depends on one or several risk dimensions (e.g. security and productivity); offers cumulative risk assessment in which each action of interest can change the risk-related utilities dynamically; and presents an implementation of an adaptive simulation method based on risk-related utilities and events.
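An added illustration of the cumulative, multi-dimensional risk assessment the abstract describes (example code written for this page, not the thesis's model or implementation): one subject accumulates risk across two assumed dimensions, security and productivity; the accumulated level decays over time; and for each request the policy picks the response (allow, step-up authentication, deny) that minimises a convex risk utility over the resulting levels, rather than applying one fixed mitigation. The dimensions, action catalogue, response catalogue, weights, budgets, decay half-life and context multipliers are all assumptions made for the example.

```python
"""Risk-adaptive access decisions with cumulative, multi-dimensional risk.

Every number, dimension, action and response below is an assumption made for
this example; none of it is the thesis's model, data or implementation.
"""
from dataclasses import dataclass, field

DIMENSIONS = ("security", "productivity")
WEIGHTS = {"security": 1.0, "productivity": 1.0}   # assumed relative importance
BUDGETS = {"security": 0.5, "productivity": 1.0}   # assumed: risk above this is penalised sharply
PENALTY = 50.0                                      # assumed convexity factor above the budget
HALF_LIFE_S = 3600.0                                # assumed: accumulated risk halves every hour

# Constructed action catalogue: security exposure if allowed, productivity loss if blocked.
ACTION_RISK = {
    "read_public": {"security": 0.00, "productivity": 0.10},
    "read_pii":    {"security": 0.15, "productivity": 0.30},
    "bulk_export": {"security": 0.40, "productivity": 0.40},
}

# Constructed response catalogue: fraction of the exposure each response leaves,
# fraction of the blocked-work loss it causes, and a fixed friction cost (e.g. an MFA prompt).
RESPONSES = {
    "allow":   {"security": 1.0, "productivity": 0.00, "friction": 0.0},
    "step_up": {"security": 0.4, "productivity": 0.25, "friction": 0.1},
    "deny":    {"security": 0.0, "productivity": 1.00, "friction": 0.0},
}


def context_multiplier(ctx):
    """Assumed situational amplifiers of the security exposure of a request."""
    m = 1.0
    if ctx.get("unmanaged_device"):
        m *= 2.0
    if ctx.get("off_hours"):
        m *= 1.5
    return m


def risk_utility(level, dim):
    """Linear cost up to the dimension's budget, quadratic beyond it, so accumulated risk bites late."""
    over = max(0.0, level - BUDGETS[dim])
    return WEIGHTS[dim] * (level + PENALTY * over * over)


@dataclass
class SubjectState:
    """Per-subject accumulated risk in each dimension, with exponential decay over time."""
    accumulated: dict = field(default_factory=lambda: {d: 0.0 for d in DIMENSIONS})
    last_seen: float = 0.0

    def decay(self, now):
        factor = 0.5 ** ((now - self.last_seen) / HALF_LIFE_S)
        for d in DIMENSIONS:
            self.accumulated[d] *= factor
        self.last_seen = now


def decide(state, action, ctx, now):
    """Choose the response whose resulting risk levels have the lowest total utility; record them."""
    state.decay(now)
    exposure = ACTION_RISK[action]["security"] * context_multiplier(ctx)
    blocked_loss = ACTION_RISK[action]["productivity"]
    best_name, best_cost, best_levels = None, float("inf"), None
    for name, r in RESPONSES.items():
        levels = {
            "security": state.accumulated["security"] + exposure * r["security"],
            "productivity": state.accumulated["productivity"]
                            + blocked_loss * r["productivity"] + r["friction"],
        }
        cost = sum(risk_utility(levels[d], d) for d in DIMENSIONS)
        if cost < best_cost:
            best_name, best_cost, best_levels = name, cost, levels
    state.accumulated = best_levels
    return best_name


def simulate(requests):
    """Run a sequence of (now, action, ctx) for one subject and return the decisions."""
    state = SubjectState()
    return [decide(state, action, ctx, now) for now, action, ctx in requests]


if __name__ == "__main__":
    # Constructed scenario: the same PII read repeated within one session.
    print(simulate([(float(i), "read_pii", {}) for i in range(6)]))
    print(simulate([(0.0, "bulk_export", {})]))
    print(simulate([(0.0, "bulk_export", {"unmanaged_device": True})]))
```

With these constants, six consecutive PII reads in one session yield allow, allow, allow, step-up, deny, deny: the identical request receives a different response as security risk accumulates, and the denials are themselves charged to the productivity dimension, which is what keeps the two dimensions coupled. A bulk export from a managed device gets a step-up on its first request, while the same export from an unmanaged device is denied outright because the context multiplier pushes the exposure past the budget. A static RBAC or ABAC rule would return the same answer for all six reads.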