论文信息 - A UML Profile for the Identification and Analysis of Security Risks during Structured Brainstorming

A UML Profile for the Identification and Analysis of Security Risks during Structured Brainstorming

Methods for identification and analysis of security risks make use of structured brainstorming sessions. The effectiveness of such sessions depends on the extent to which the stakeholders and analysts involved understand and are understood by each other. Since such sessions involve people with different backgrounds and competencies, like users, system-developers, decision makers and system managers, communication among them may be difficult. This report proposes a carefully designed specification language defined as a UML profile aiming to improve communication and understanding during such sessions. We claim that the profile (1) allows the target of evaluation to be described in a uniform manner at a suitable level of abstraction, (2) improves understanding and communication during structured brainstorming sessions concerned with security, (3) facilitates the documentation of results from such brainstorming sessions, and security assessments in general.

F. Vraalsen | K. Stølen | S. Lund

[1] Andreas L. Opdahl,et al. Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[2] Ketil Stølen,et al. Maintaining results from security assessments , 2003, Seventh European Conference onSoftware Maintenance and Reengineering, 2003. Proceedings..

[3] Ketil Stølen,et al. The CORAS methodology: model-based risk assessment using UML and UP , 2003 .

[4] Ian F. Alexander,et al. Misuse Cases: Use Cases with Hostile Intent , 2003, IEEE Softw..

[5] John Krogstie,et al. Evaluating UML using a generic quality framework , 2003 .

[6] David A. Basin,et al. SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[7] Jan Jürjens,et al. UMLsec: Extending UML for Secure Systems Development , 2002, UML.

[8] Thomas Peltier,et al. Information Technology: Code of Practice for Information Security Management , 2001 .

[9] Andreas L. Opdahl,et al. Templates for Misuse Case Description , 2001 .