Assessing System of Systems Security Risk and Requirements with OASoSIS

When independent systems come together as a System of Systems (SoS) to achieve a new purpose, dealing with requirements conflicts across systems becomes a challenge. Moreover, assessing and modelling security risk for independent systems and the SoS as a whole is challenged by a gap in related research and approaches within the SoSs domain. In this paper, we present an approach for bridging SoS and Requirements Engineering by identifying aligning SoSs concepts to assess and model security risk and requirements. We introduce our OASoSIS approach modifying OCTAVE Allegro for SoSs using CAIRIS (Computer Aided Integration of Requirements and Information Security) with a medical evacuation (MEDEVAC) SoS exemplar for Security Requirements Engineering tool-support.

[1]  Shamal Faily,et al.  System of Systems Characterisation assisting Security Risk Assessment , 2018, 2018 13th Annual Conference on System of Systems Engineering (SoSE).

[2]  Inger Anne Tøndel,et al.  How can the developer benefit from security modeling? , 2007, The Second International Conference on Availability, Reliability and Security (ARES'07).

[3]  Donald Firesmith Analyzing and Specifying Reusable Security Requirements , 2003 .

[4]  Anne Bruseberg Human Views for MODAF as a Bridge Between Human Factors Integration and Systems Engineering , 2008 .

[5]  Eugene Miya,et al.  On "Software engineering" , 1985, SOEN.

[6]  J.S. Dahmann,et al.  Understanding the Current State of US Defense Systems of Systems and the Implications for Systems Engineering , 2008, 2008 2nd Annual IEEE Systems Conference.

[7]  Qi Shi,et al.  System-of-systems boundary check in a public event scenario , 2010, 2010 5th International Conference on System of Systems Engineering.

[8]  Shamal Faily,et al.  Re-framing “the AMN”: A case study eliciting and modelling a System of Systems using the Afghan Mission Network , 2017, 2017 11th International Conference on Research Challenges in Information Science (RCIS).

[9]  Shamal Faily,et al.  Design as Code: Facilitating Collaboration Between Usability and Security Engineers Using CAIRIS , 2017, 2017 IEEE 25th International Requirements Engineering Conference Workshops (REW).

[10]  Huseyin Dogan,et al.  SmartPowerchair: Characterization and Usability of a Pervasive System of Systems , 2017, IEEE Transactions on Human-Machine Systems.

[11]  James Stevens,et al.  Introducing OCTAVE Allegro: Improving the Information Security Risk Assessment Process , 2007 .

[12]  Philippe Aniorte,et al.  Challenges in Security Engineering of Systems-of-Systems , 2014 .

[13]  R. H. Smith Cyber supply chain risk management: Revolutionizing the strategic control of critical IT systems , 2015 .

[14]  Judith S. Dahmann,et al.  Security engineering in a system of systems environment , 2013, 2013 IEEE International Systems Conference (SysCon).

[15]  Shamal Faily,et al.  From Requirements to Operation: Components for Risk Assessment in a Pervasive System of Systems , 2017, 2017 IEEE 25th International Requirements Engineering Conference Workshops (REW).

[16]  Ketil Stølen,et al.  The CORAS Model-based Method for Security Risk Analysis , 2006 .

[17]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[18]  Adam Shostack,et al.  Threat Modeling: Designing for Security , 2014 .

[19]  Brian J. Sauser,et al.  System of Systems - the meaning of of , 2006, 2006 IEEE/SMC International Conference on System of Systems Engineering.

[20]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[21]  Paul Davidsson,et al.  IoT-based Systems of Systems , 2016 .

[22]  Sandro Etalle,et al.  A Semantic Security Framework for Systems of Systems , 2013, Int. J. Cooperative Inf. Syst..

[23]  Shamal Faily,et al.  Barry is not the weakest link: eliciting secure system requirements with personas , 2010, BCS HCI.

[24]  Michael McEvilley,et al.  Systems Security Engineering Guideline: An Integrated Approach to Building Trustworthy Resilient Systems , 2016 .

[25]  Eric S. K. Yu,et al.  A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities , 2010, Requirements Engineering.

[26]  Mark W. Maier,et al.  Architecting Principles for Systems‐of‐Systems , 1996 .

[27]  Shamal Faily,et al.  The Secret Lives of Assumptions: Developing and Refining Assumption Personas for Secure System Design , 2010, HCSE.

[28]  Stewart Green,et al.  Aligning systems of systems engineering with goal-oriented approaches using the i∗ framework , 2016, 2016 IEEE International Symposium on Systems Engineering (ISSE).

[29]  Cornelius Ncube,et al.  On Systems of Systems Engineering: A Requirements Engineering Perspective and Research Agenda , 2018, 2018 IEEE 26th International Requirements Engineering Conference (RE).

[30]  Heather A. Johnson Trello , 2017, Journal of the Medical Library Association : JMLA.

[31]  Haralambos Mouratidis,et al.  Secure Software Systems Engineering: The Secure Tropos Approach (Invited Paper) , 2011, J. Softw..

[32]  Cornelius Ncube,et al.  Identifying top challenges for international research on requirements engineering for systems of systems engineering , 2013, 2013 21st IEEE International Requirements Engineering Conference (RE).

[33]  Per Håkon Meland,et al.  Secure Software Design in Practice , 2008, 2008 Third International Conference on Availability, Reliability and Security.