A meta-model for usable secure requirements engineering

There is a growing recognition of the need for secure software engineering approaches addressing both technical and human factors. Existing approaches to secure software engineering focus on the need for technical security to the detriment of usability. This paper presents the IRIS (Integrating Requirements and Information Security) meta-model, a conceptual model for usable secure requirements engineering. We describe a practical application of the meta-model through a case study in the Critical Infrastructure domain.
