Security requirements engineering via commitments

Security Requirements Engineering (SRE) is concerned with the elicitation of security needs and the specification of security requirements of the system-to-be. Current approaches to SRE either express stakeholders' needs via high-level organisational abstractions that are hard to map to system design, or specify only technical security requirements. In this paper, we introduce SecCo, an SRE framework that starts with goal-oriented modelling of the security needs and derives security requirements from such needs. Importantly, SecCo relates security requirements to the interaction among actors. Security requirements are specified as social commitments — promises with contractual validity from one actor to another — that define constraints on the way actors can interact. These commitments shall be implemented by the system-to-be.

[1]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[2]  John Mylopoulos,et al.  Requirement Engineering Meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard , 2003, ER.

[3]  Munindar P. Singh An ontology for commitments in multiagent systems: , 1999, Artificial Intelligence and Law.

[4]  Donald Firesmith,et al.  Security Use Cases , 2003, J. Object Technol..

[5]  Eric S. K. Yu,et al.  A Goal Oriented Approach for Modeling and Analyzing Security Trade-Offs , 2007, ER.

[6]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[7]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[8]  John Mylopoulos,et al.  Reasoning with Goal Models , 2002, ER.

[9]  Annie I. Antón,et al.  Analyzing Regulatory Rules for Privacy and Security Requirements , 2008, IEEE Transactions on Software Engineering.

[10]  John Mylopoulos,et al.  Modeling security requirements through ownership, permission and delegation , 2005, 13th IEEE International Conference on Requirements Engineering (RE'05).

[11]  Munindar P. Singh An ontology for commitments in multiagent systems: , 1999, Artificial Intelligence and Law.

[12]  Rose Hightower Delegation of Authority , 2012 .

[13]  Axel van Lamsweerde,et al.  Elaborating security requirements by construction of intentional anti-models , 2004, Proceedings. 26th International Conference on Software Engineering.

[14]  John Mylopoulos,et al.  Modeling and Reasoning about Service-Oriented Applications via Goals and Commitments , 2010, CAiSE.

[15]  Haralambos Mouratidis,et al.  Guest editorial: security requirements engineering: past, present and future , 2009, Requirements Engineering.

[16]  Haralambos Mouratidis,et al.  Secure Tropos: a Security-Oriented Extension of the Tropos Methodology , 2007, Int. J. Softw. Eng. Knowl. Eng..

[17]  Premkumar T. Devanbu,et al.  Software engineering for security: a roadmap , 2000, ICSE '00.

[18]  Bashar Nuseibeh,et al.  Security Requirements Engineering: A Framework for Representation and Analysis , 2008, IEEE Transactions on Software Engineering.