Trustworthy information systems are information systems that fulfill all the functional
and non-functional requirements. To this end, all the components of an information
system, either human or technical, need to collaborate in order to meet its
requirements and achieve its goals. This entails that system components will show
the desired or expected behaviour once the system is put in operation. However,
modern information systems include a great number of components that can behave
in a very unpredictable way. This unpredictability of the behaviour of the system
components is a major challenge to the development of trustworthy information systems
and more particularly during the modelling stage. When a system component
is modelled as part of a requirements engineering model it creates an uncertainty
about its future behaviour, thus undermining the accuracy of the system model and
eventually the system trustworthiness. Therefore, the addition of system components
inevitably is based on assumptions of their future behaviour. Such assumptions are
underlying the development of a system and usually are assumptions of trust by the
system developer about her trust relationships with the system components, which
are instantly formed when a component is inserted into a requirements engineering
model of a system. However, despite the importance of such issues, a requirements
engineering methodology that explicitly captures such trust relationships along with
the entailing trust assumptions and trustworthiness requirements is still missing.
For tackling the preceding problems, the thesis proposes a requirements engineering
methodology, namely JTrust (Justifying Trust) for developing trustworthy information
systems. The methodology is founded upon the notions of trust and control
as the means of confidence achievement. In order to develop an information system
the developer needs to consider her trust relationships with the system components
that are formed with their addition in a system model, reason about them, and proceed
to a justified decision about the design of the system. If the system component
cannot be trusted to behave in a desired or expected way then the question of what
are the alternatives in order to build confidence in the future behaviour of the system
component raises. To answer this question we define a new class of requirements,
namely trustworthiness requirements. Trustworthiness requirements prescribe the
functionality of the software included in the information system that compels the
rest of the information system components to behave in a desired or expected way.
The proposed methodology consists of: (i) a modelling language which contains trust
i
and control abstractions; (ii) and a methodological process for capturing and reasoning
about trust relationships, modelling and analysing trustworthiness requirements,
and assessing the system trustworthiness at a requirements stage. The methodology
is accompanied by a CASE tool to support it.
To evaluate our proposal, we have applied our methodology to a case study, and
we carried out a survey to get feedback from experts. The topic of the case study was
the e-health care system of the National Health Service in England, which was used to
reason about trust relationships with system components and identify trustworthiness
requirements. Researchers from three academic institutions across Europe and from
one industrial company, British Telecom, have participated in the survey in order to
provide valuable feedback about the effectiveness and efficiency of the methodology.
The results conclude that JTrust is useful and easy to use in modelling and reasoning
about trust relationships, modelling and analysing trustworthiness requirements and
assessing the system trustworthiness at a requirements level
