Graphical Modeling of Security Arguments: Current State and Future Directions

Identifying threats and risks to complex systems often requires some form of brainstorming. In addition, eliciting security requirements involves making traceable decisions about which risks to mitigate and how. The complexity and dynamics of modern socio-technical systems mean that their security cannot be formally proven. Instead, some researchers have turned to modeling the claims underpinning a risk assessment and the arguments which support security decisions. As a result, several argumentation-based risk analysis and security requirements elicitation frameworks have been proposed. These draw upon existing research in decision making and requirements engineering. Some provide tools to graphically model the underlying argumentation structures, with varying degrees of granularity and formalism. In this paper, we compare these approaches, discuss their applicability and suggest avenues for future research. We find that the links between threats, risks, mitigations and system components form the core of existing security argumentation frameworks. Graphs, a natural representation for these links, are used by many graphical security argumentation tools. However, to be human-readable, the graphical models of these graphs need to be both scalable and easy to understand. Therefore, to facilitate adoption, both the creation and exploration of these graphs need to be streamlined.
