Model-based Management of Information System Security Risk

During the last twenty years, the impact of security concerns on the development and operation of information systems has never ceased to grow. Security risk management methods are methodological tools that help organisations take rational decisions regarding the security of their IS. Feedback on the use of such approaches shows that they considerably reduce losses originating from security problems. Today, these methods are generally built around a well-structured process. However, the product of the different risk management steps is still largely informal, and often not analytical enough. This lack of formality hinders the automation of the management of risk-related information. Another drawback of current methods is that they are generally designed to be used a posteriori, that is, to assess the way existing systems handle risks, and are hard to use a priori, during information system development. Finally, since each method uses its own terminology, it is difficult to combine several methods with the aim of taking advantage of each of them.

To tackle the preceding problems, this thesis proposes a model-based approach to risk management, applicable from the early phases of information system development. This approach relies on a study of the domain's own concepts. The scientific approach is composed of three successive steps. The first step aims at defining a reference conceptual model for security risk management. The research method followed bases the model on an extensive study of the literature: the different risk management and/or security standards, a set of methods representative of the current state of the practice, and the scientific works related to the domain are analysed. The result is a semantic alignment table of the security risk management concepts, highlighting the key concepts involved in such an approach. Based on this set of concepts, the security risk management domain model is built. This model is then challenged by domain experts in standardisation, risk management practitioners and scientists.

The second step of this research work enriches the domain model with the different metrics used in a risk management method. The proposed approach combines two methods to define this set of metrics. The first is the Goal-Question-Metric (GQM) method applied to the domain model; it makes it possible to focus on reaching the best return on security investment. The second enriches the metrics identified with the first approach through a study of the literature based on the standards and methods addressed during the first step. These metrics are tested on a real case, in the frame of supporting an SME towards ISO/IEC 27001 certification.

Finally, in a third step, a set of conceptual modelling languages dedicated to information security is identified in the literature. These languages mainly come from the requirements engineering domain and make it possible to address security during the early phases of information system development. The conceptual support offered by each of them is evaluated, and thus the gap that must be bridged before the different steps of risk management can be completely modelled as well. This work ends with a proposed extension of the Secure Tropos language, and a process to follow for using this extension in the frame of risk management, illustrated by an example.
