Evaluation Framework for Software Security Requirements Engineering Tools

Tarkvaraarenduses on nõuded kui süsteemi vundament, mis vastutavad ka ebaõnnestumiste eest. Valed nõuded võivad viia tarkvara eripäradeni, mis tegelikult ei vasta spetsifikatsioonidele. Sel põhjusel peetakse nõuete koostamist kõige keerulisemaks ja olulisemaks sammuks tarkvaraarenduse elutsükli kõikide protsesside jooksul. Tänapäeval, kus küberrünnakud on \n\rtavalised, mängivad turvalisuse nõuded väga olulist rolli tarkvaraarenduse protsessis. On levimas uut tüüpi tööriistad, mille kasutamist peetakse kõige efektiivsemaks meetodiks turvalisusnõuete väljatöötamisel. Lisaks võimaldavad need tööriistad lahendada turvalisusega seotud küsimusi kasutajal endal, hoides märgatavalt kokku inseneride aega. Siiski on nende tööriistade \n\rareng alles algstaadiumis ning neid ei ole tarkvarainseneride poolt massiliselt kasutusele võetud. Põhjus on väga pikas uue tarkvara õppimise ja sellega kohanemise protsessis, mis põhjustab ajakadu arendusprotsessis ning lisab projektile kulusid. Projekti jaoks konkreetse tööriista valimisel võib tutvumine ja katsetamine võtta inseneridel hulgaliselt aega. Lisaks sellele võib struktureerimata valikuprotsess viia vale tööriista kasutuselevõtmisele, mis raiskab omakorda kõigi aega ja pingutusi. Selles uurimuses kavatseme me koostada struktureeritud lähenemise, mis aitab insenere turvaliste tööriistade valimisel. Protsessile kaasaaitamiseks saavad analüütikud ja arhitektid hinnata tarkvara omadusi, mida nad enda seisukohast olulisimateks peavad. Sellest lähtuvalt saavad nad valida kindlate tööriistade vahel ning teha parima valiku. \n\rAntud uurimustöös konstrueeritud lähenemisega on võimalik säästa aega, vaeva ja kulutusi. Uurimuse koostamise käigus uurime me tarkvaraarenduse turvaprotsesse, meetodeid ja tööriistu ning püüame luua raamistikku, mis oleks inseneridele turvalisusnõuete tööriistade hindamisel abiks.In software development requirements are considered as building blocks of software system, which also are considered to be responsible in event of failure. Bad requirements can lead to software features that are not to the specifications. For that reason requirement gathering process is considered as the most sensitive and complicated process among all software engineering lifecycle processes. In current age where cyber-attacks are common security requirements also comes into place and plays a very important role in software development process. In order to elicit security requirements new type of tools are begin to form a shape called security engineering tools which help in eliciting security requirements. That considered being the most efficient way of eliciting security requirements. Moreover these tools empower users with artifacts specifically to cater security needs, which save time and efforts for engineers in return. Nevertheless these tools are still at their infantry and are lacking mass adoption by software security engineers. Reason because these tools have steep learning curve which can add-up to development time and end up pushing more cost to the project. In order to decide which tool to select for a particular project require engineers to use these tools which in return will consume tremendous amount of time. Moreover using unstructured tool selection process can also leads to wrong tool selection which will be the waste of time and efforts. In this research work we are going to construct structured approach which will help engineers in security engineering tool selection process. In order to aid this process analysts and architects will be able to rate the features they want the most in a particular security engineering tool. In return from this process they will be able to choose between security engineering tools and select the best one. Finally using approach constructed in this research work will save time, efforts, and costs. In our approach we will analyze security engineering processes, methods and tools, to construct a framework that will help aid engineers in security engineering tool evaluation process

Negotiation of software requirements in an asynchronous collaborative environment

The effect of task structure and negotiation sequence on collaborative software requirements negotiation is investigated. This work began with an extensive literature review that focused on current research in collaborative software engineering and, in particular, on the negotiation of software requirements and the requisite collaboration for the development of such requirements. A formal detailed experiment was then conducted to evaluate the effects of negotiation sequence and task structure in an asynchronous group meeting environment. The experiment tested the impact of these structures on groups negotiating the requirements for an emergency response information system. The results reported here show that these structures can have a positive impact on solution quality but a negative impact on process satisfaction, although following a negotiation sequence and task structure can help asynchronous groups come to agreement faster. Details of the experimental procedures, statistical analysis, and discussion of the results of the experiment are also presented, as are suggestions for improving this work and a plan for future research

Information Systems for Supporting Fire Emergency Response

Despite recent work on information systems, many first responders in emergency situations are unable to develop sufficient understanding of the situation to enable them to make good decisions. The record of the UK Fire and Rescue Service (FRS) has been particularly poor in terms of providing the information systems support to the fire fighters decision-making during their work. There is very little work on identifying the specific information needs of different types of fire fighters. Consequently, this study has two main aims. The first is to identify the information requirements of several specific members of the FRS hierarchy that lead to better Situation Awareness. The second is to identify how such information should be presented. This study was based on extensive data collected in the FRS brigades of three counties and focused on large buildings having a high-risk of fire and four key fire fighter job roles: Incident Commander, Sector Commander, Breathing Apparatus Entry Control Officer and Breathing Apparatus Wearers. The requirements elicitation process was guided by a Cognitive Task Analysis (CTA) tool: Goal Directed Information Analysis (GDIA), which was developed specifically for this study. Initially appropriate scenarios were developed. Based on the scenarios, 44 semi-structured interviews were carried out in three different elicitation phases with both novice and experienced fire fighters. Together with field observations of fire simulation and training exercises, fire and rescue related documentation; a comprehensive set of information needs of fire fighters was identified. These were validated through two different stages via 34 brainstorming sessions with the participation of a number of subject-matter experts. To explore appropriate presentation methods of information, software mock-up was developed. This mock-up is made up of several human computer interfaces, which were evaluated via 19 walkthrough and workshop sessions, involving 22 potential end-users and 14 other related experts. As a result, many of the methods used in the mock-up were confirmed as useful and appropriate and several refinements proposed. The outcomes of this study include: 1) A set of GDI Diagrams showing goal related information needs for each of the job roles with the link to their decision-making needs, 2) A series of practical recommendations suitable for designing of human computer interfaces of fire emergency response information system, 3) Human computer interface mock-ups for an information system to enhance Situation Awareness of fire fighters and 4) A conceptual architecture for the underlying information system. In addition, this study also developed an enhanced cognitive task analysis tool capable of exploring the needs of emergency first responders. This thesis contributes to our understanding of how information systems could be designed to enhance the Situation Awareness of first responders in a fire emergency. These results will be of particular interest to practicing information systems designers and developers in the FRS in the UK and to the wider academic community

Expert knowledge elicitation in the firefighting domain and the implications for training novices

Background/Purpose: Experienced fireground commanders are often required to make important decisions in time-pressured and dynamic environments that are characterized by a wide range of task constraints. The nature of these environments is such that firefighters are sometimes faced with novel situations that seek to challenge their expertise and therefore necessitate making knowledge-based as opposed to rule-based decisions. The purpose of this study is to elicit the tacitly held knowledge which largely underpinned expert competence when managing non-routine fire incidents. Design/Methodology/Approach: The study utilized a formal knowledge elicitation tool known as the critical decision method (CDM). The CDM method was preferred to other cognitive task analysis (CTA) methods as it is specifically designed to probe the cognitive strategies of domain experts with reference to a single incident that was both challenging and memorable. Thirty experienced firefighters and one staff development officer were interviewed in-depth across different fire stations in the UK and Nigeria (UK=15, Nigeria=16). The interview transcripts were analyzed using the emergent themes analysis (ETA) approach. Findings: Findings from the study revealed 42 salient cues that were sought by experts at each decision point. A critical cue inventory (CCI) was developed and cues were categorized into five distinct types based on the type of information each cue generated to an incident commander. The study also developed a decision making model — information filtering and intuitive decision making model (IFID), which describes how the experienced firefighters were able to make difficult fireground decisions amidst multiple informational sources without having to deliberate on their courses of action. The study also compiled and indexed the elicited tacit knowledge into a competence assessment framework (CAF) with which the competence of future incident commanders could potentially be assessed. Practical Implications: Through the knowledge elicitation process, training needs were identified, and the practical implications for transferring the elicited experts’ knowledge to novice firefighters were also discussed. The four component instructional design model aided the conceptualization of the CDM outputs for training purposes. Originality/Value: Although it is widely believed that experts perform exceptionally well in their domains of practice, the difficulty still lies in finding how best to unmask expert (tacit) knowledge, particularly when it is intended for training purposes. Since tacit knowledge operates in the unconscious realm, articulating and describing it has been shown to be challenging even for experts themselves. This study is therefore timely since its outputs can facilitate the development of training curricula for novices, who then will not have to wait for real fires to occur before learning new skills. This statement holds true particularly in this era where the rate of real fires and therefore the opportunity to gain experience has been on a decline. The current study also presents and discusses insights based on the cultural differences that were observed between the UK and the Nigerian fire service

Investigating the Use of Audiovisual Elicitation on the Creative Enterprise

Elicitation methods have been explored extensively in social science research, and in business contexts, to uncover unarticulated informant knowledge. This qualitative study investigates the use of an audiovisual elicitation interviewing technique, developed by a UKbased creative multimedia production social enterprise; Fifth Planet Productions CIC. The method employs a system of using audiovisual stimulus to elicit participant responses in the interview setting. This study, conducted in two parts, explores how the method improves solutions for eliciting client requirements. Part 1 explores the audiovisual elicitation interview within the business setting; how the techniques are effective at revealing tacit knowledge that would ordinarily remain unspoken in the standard interview. Part 2 tests the developed methods on a sample of 25 business owners seeking to improve communication within their respective organisations. This evidences how it is possible to elicit rich information that can be interpreted to determine clients’ requirements on professional commissions. The study presents a working method of audiovisual elicitation that is regularly employed by Fifth Planet Productions CIC. The methods are used to elicit project requirements in professional commissions and to establish stronger client relationship

Training Course on Steering an Expert Knowledge Elicitation : Final Report

EFSA’s scientific expertise and capacity consists of the members of the Scientific Panels, the Scientific Committee, their Working Groups, and the Authority’s own scientific staff as well as the scientists in Member State institutions working with EFSA. The overall objective of this project was to organize and deliver high quality training courses to meet the needs identified by EFSA to implement Expert Knowledge Elicitation (EKE) approach for quantifying uncertainty in food safety risk assessment. As outcome of the project a training course was developed on ‘Steering an Expert KnowledgeElicitation’. The course covered two working days and was conducted three times during the year 2015. The three courses had 73 participants in total, whereof 17 EFSA experts, 50 EFSA Staff and 6 Network members. This report contains a summary of the project, a technical description of the training, the final curriculum, the training materials, results from evaluation of the course by the participants, and recommendations for future training on this subject

Researching Across Two Cultures: Shifting Positionality

Embodied and creative research methods provoke honesty, emotion, and vulnerability in participants, which add to the richness of the stories they tell and are willing to share. The positionality of the researcher is less of “interviewer” and more “co-producer” or participant in a dialogue. Visual and creative approaches invite participants to share in ways in which they are not able or willing through words alone. The data and outputs they produce, with film, art, or objects, can in turn affect those who see it more than written text and need to be analysed and disseminated along with more traditional transcripts, articles, and presentations. In the context of investigating sensitive issues such as those around embodied identity, these methods, which use embodied methods to explore embodied research questions, may feel the most appropriate. These approaches lie along the boundary of therapy and research, asking much of researchers who are unlikely to have received therapeutic training or ongoing support. Due to this deficit, the researched may find that their experience is not held or contained in a way that the content would demand. Similarly, the data themselves lie on the boundary of art and research, in that they can be seen as more than a tool to facilitate reflection, but as artifacts in their own right. What are the implications in this scenario? Where should we position ourselves and our work along these boundaries? Who holds the space for the researcher and the researched if both are made vulnerable