DIGS: A Framework for Discovering Goals for Security Requirements Engineering

Context: The security goals of a software system provide a foundation for security requirements engineering. Identifying security goals is a process of iteration and refinement, leveraging the knowledge and expertise of the analyst to secure not only the core functionality but the security mechanisms as well. Moreover, a comprehensive security plan should include goals not only for preventing a breach, but also for detecting and appropriately responding in case a breach does occur.

Goal: The objective of this research is to support analysts in security requirements engineering by providing a framework that supports a systematic and comprehensive discovery of security goals for a software system.

Method: We develop a framework, Discovering Goals for Security (DIGS), that models the key entities in information security, including assets and security goals. We systematically develop a set of security goal patterns that capture multiple dimensions of security for assets. DIGS explicitly captures the relations and assumptions that underlie security goals to elicit implied goals. We map the goal patterns to NIST controls to help in operationalizing the goals. We evaluate DIGS via a controlled experiment in which 28 participants analyzed systems from the mobile banking and human resource management domains.

Results: Participants considered security goals commensurate with the knowledge available to them. Although the overall recall was low given the empirical constraints, participants using DIGS identified more implied goals and felt more confident in completing the task.

Conclusion: Explicitly providing the additional knowledge needed for the identification of implied security goals significantly increased the chances of discovering such goals, thereby improving coverage of stakeholder security requirements, even when they are unstated.
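The abstract describes three mechanisms: goal patterns spanning several dimensions of security per asset, relations between an asset and the mechanisms that protect it (which surface implied goals for the mechanisms themselves), and a mapping from goal patterns to NIST controls. The following Python sketch is an added illustration of how those pieces fit together and is not the DIGS framework's own code, patterns or NIST mapping. The dimensions, phases, the `depends_on` relation, the sample mobile-banking assets and the pairing of patterns with NIST SP 800-53 control identifiers are all this example's assumptions; only the control identifiers themselves are real. Cyclic protection relations (a key protects a log that protects the key) are handled with a visited set so elicitation terminates.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Dimensions of security for an asset, and the phases a goal can target
# (prevent a breach, detect it, respond to it). Assumed for this example.
DIMENSIONS = ("confidentiality", "integrity", "availability")
PHASES = ("prevent", "detect", "respond")

# Illustrative mapping from a (dimension, phase) goal pattern to NIST SP 800-53
# control identifiers. The identifiers are real controls; the pairing is this
# example's assumption and is not the mapping published with DIGS.
NIST_MAP = {
    ("confidentiality", "prevent"): ["AC-3", "SC-8", "SC-28"],
    ("confidentiality", "detect"): ["AU-2", "AU-6", "SI-4"],
    ("confidentiality", "respond"): ["IR-4"],
    ("integrity", "prevent"): ["AC-3", "SI-7"],
    ("integrity", "detect"): ["SI-7", "AU-6"],
    ("integrity", "respond"): ["IR-4", "CP-9"],
    ("availability", "prevent"): ["CP-9", "SC-5"],
    ("availability", "detect"): ["SI-4"],
    ("availability", "respond"): ["IR-4", "CP-10"],
}


@dataclass(frozen=True)
class Goal:
    asset: str
    dimension: str
    phase: str
    implied_by: Optional[str] = None  # asset whose protection relies on this one

    def statement(self) -> str:
        verb = {"prevent": "prevent loss of", "detect": "detect loss of",
                "respond": "respond to loss of"}[self.phase]
        return f"The system shall {verb} {self.dimension} of the {self.asset}."


def discover_goals(core_assets, depends_on):
    """Instantiate every goal pattern for each core asset, then walk the
    protection relation so that each mechanism an asset relies on becomes an
    asset in its own right with implied goals. Breadth-first with a visited
    set, so cycles in depends_on cannot loop forever."""
    goals = []
    seen = set()
    frontier = [(asset, None) for asset in core_assets]
    while frontier:
        asset, via = frontier.pop(0)
        if asset in seen:
            continue
        seen.add(asset)
        for dimension, phase in product(DIMENSIONS, PHASES):
            goals.append(Goal(asset, dimension, phase, via))
        for mechanism in depends_on.get(asset, ()):
            frontier.append((mechanism, asset))
    return goals


def controls_for(goal):
    """Operationalize a goal by looking up the controls for its pattern."""
    return list(NIST_MAP[(goal.dimension, goal.phase)])


def summarize(goals):
    stated = [g for g in goals if g.implied_by is None]
    implied = [g for g in goals if g.implied_by is not None]
    return {"stated": len(stated), "implied": len(implied),
            "assets": len({g.asset for g in goals})}


# Constructed sample: a mobile-banking system with two core assets and the
# mechanisms their protection relies on (not a system from the paper's study).
CORE_ASSETS = ["account balance", "customer PIN"]
DEPENDS_ON = {
    "account balance": ["transaction audit log", "session token"],
    "customer PIN": ["PIN hash store"],
    "transaction audit log": ["log signing key"],
}

if __name__ == "__main__":
    found = discover_goals(CORE_ASSETS, DEPENDS_ON)
    print(summarize(found))
    for g in found:
        if g.implied_by:
            print(f"[implied via {g.implied_by}] {g.statement()} -> {controls_for(g)}")
```

With the sample above, two core assets yield 18 stated goals, and following the protection relation adds four mechanism assets and 36 implied goals, including goals for the log signing key that an analyst working only from the stated functionality would have no reason to write down.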
