Quality Matters: Systematizing Quality Deficiencies in the Documentation of Business Security Requirements

The ever-increasing need for businesses to ensure compliance with various laws and regulations, as well as with internal and external policies, requires them to manage a plethora of documentation on different business security requirements. However, business security requirement documentation often suffers from quality deficiencies and faults caused by negligence, inconsistencies, conflicts, or unclear responsibilities in globally distributed businesses. A key factor in successfully addressing these deficiencies, and in supporting continuous quality improvement of business security requirements documentation, is knowing exactly which faults to look for, in a structured manner. Based on a think-aloud study, we identify and categorize specific quality deficiencies that can be found in the documentation of business security requirements and classify the faults that might cause them. We conclude by proposing a taxonomy that covers the specification, interaction, and life-cycle faults that are at the root of observable failures in the documentation of business security requirements.
