Ontology-Based Support for Security Requirements Specification Process

The security requirements specification (SRS) is an integral aspect of the development of secured information systems and entails the formal documentation of the security needs of a system in a correct and consistent way. However, in many cases there is lack of sufficiently experienced security experts or security requirements (SR) engineer within an organization, which limits the quality of SR that are specified. This paper presents an approach that leverages ontologies and requirements boilerplates in order to alleviate the effect of lack of highly experienced personnel for SRS. It also offers a credible starting point for the SRS process. A preliminary evaluation of the tool prototype – ReqSec tool - was used to demonstrate the approach and to confirm its usability to support the SRS process. The tool helps to reduce the amount of effort required, stimulate discovery of latent security threats, and enables the specification of good quality SR.

[1]  Haralambos Mouratidis,et al.  Secure Tropos: a Security-Oriented Extension of the Tropos Methodology , 2007, Int. J. Softw. Eng. Knowl. Eng..

[2]  Donald Firesmith,et al.  Specifying Reusable Security Requirements , 2004, J. Object Technol..

[3]  Isabelle Comyn-Wattiau,et al.  Ontologies for Security Requirements: A Literature Survey and Classification , 2012, CAiSE Workshops.

[4]  Linda H. Rosenberg,et al.  Automated Analysis of Requirement Specifications , 1997, Proceedings of the (19th) International Conference on Software Engineering.

[5]  Stefania Gnesi,et al.  An Automatic Quality Evaluation for Natural Language Requirements , 2001 .

[6]  Thomas Moser,et al.  DODT: Increasing requirements formalism using domain ontologies for improved embedded systems development , 2011, 14th IEEE International Symposium on Design and Diagnostics of Electronic Circuits and Systems.

[7]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[8]  Benedikt Gleich,et al.  Ambiguity Detection: Towards a Tool Explaining Ambiguity Sources , 2010, REFSQ.

[9]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[10]  Haralambos Mouratidis,et al.  A CASE Tool to Support Automated Modelling and Analysis of Security Requirements, Based on Secure Tropos , 2011, CAiSE Forum.

[11]  Myong H. Kang,et al.  Security Ontology for Annotating Resources , 2005, OTM Conferences.

[12]  Donald G. Firesmith A Taxonomy of Security-Related Requirements , 2005 .

[13]  Jeremy Dick,et al.  Requirements Engineering , 2002, Springer International Publishing.

[14]  Jakob Nielsen,et al.  A mathematical model of the finding of usability problems , 1993, INTERCHI.

[15]  K Alagarsamy,et al.  Security Requirements Engineering – A Strategic Approach , 2011 .

[16]  Stefan Fenz,et al.  Formalizing information security knowledge , 2009, ASIACCS '09.

[17]  Marc Donner,et al.  Toward a Security Ontology , 2003, IEEE Secur. Priv..

[18]  Nahid Shahmehri,et al.  An Ontology of Information Security , 2007, Int. J. Inf. Secur. Priv..

[19]  John Viega Building security requirements with CLASP , 2005, SOEN.

[20]  Selmin Nurcan IS Olympics: Information Systems in a Diverse World , 2011, Lecture Notes in Business Information Processing.

[21]  Inger Anne Tøndel,et al.  Combining Misuse Cases with Attack Trees and Security Activity Models , 2010, 2010 International Conference on Availability, Reliability and Security.

[22]  John Mylopoulos,et al.  ST-Tool: A CASE Tool for Modeling and Analyzing Trust Requirements , 2005, iTrust.

[23]  Tor Stålhane,et al.  Enabling hazard identification from requirements and reuse-oriented HAZOP analysis , 2011, 2011 4th International Workshop on Managing Requirements Knowledge.