Towards a Risk-Based Security Requirements Engineering Framework

Information Systems (IS), particularly e-business systems, are required to be more secure in order to resist to the increasing number of attacks. Security is no longer just a desirable quality of IT systems, but is required for compliance to international regulations. The Requirements Engineering (RE) community has started to make successful contributions in the domain of security engineering. This concerns the integration of RE techniques at the early stages of security engineering, as well as the iterative management of security requirements, due to the intertwining between requirements and software architecture design. This paper proposes to complement these results by adapting and integrating another key activity of security, namely risk analysis. The aim of this paper is to show, that using and adapting an appropriate set of existing tools and techniques of risk analysis methods, improves the effectiveness of an iterative security engineering method starting at the earliest stage of IS development.

[1]  Bashar Nuseibeh,et al.  A framework for security requirements engineering , 2006, SESS '06.

[2]  Bashar Nuseibeh,et al.  Using abuse frames to bound the scope of security problems , 2004, Proceedings. 12th IEEE International Requirements Engineering Conference, 2004..

[3]  Eric Dubois,et al.  A Model-based Ontology of the Software Interoperability Problem: Preliminary Results , 2004, CAiSE Workshops.

[4]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[5]  Haralambos Mouratidis,et al.  An Ontology for Modelling Security: The Tropos Approach , 2003, KES.

[6]  Eric Dubois,et al.  Bridging the Gap between Risk Analysis and Security Policies , 2003, SEC.

[7]  I. Alexander,et al.  Misuse cases help to elicit non-functional requirements , 2003 .

[8]  Bashar Nuseibeh,et al.  Analysing Security Threats and Vulnerabilities Using Abuse Frames , 2003 .

[9]  Ketil Stølen,et al.  The CORAS Framework for a Model-Based Risk Management Process , 2002, SAFECOMP.

[10]  Roland Jochem Common Representation through UEML - Requirements and Approach , 2002, ICEIMT.

[11]  Joaquín Nicolás,et al.  Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach , 2002, Requirements Engineering.

[12]  Thomas Peltier,et al.  Information Technology: Code of Practice for Information Security Management , 2001 .

[13]  Axel van Lamsweerde,et al.  Goal-Oriented Requirements Engineering: A Guided Tour , 2001, RE.

[14]  Mordechai Ben-Menachem,et al.  Writing effective use cases , 2001, SOEN.

[15]  Lin Liu,et al.  Modelling Trust for System Design Using the i* Strategic Actors Framework , 2000, Trust in Cyber-societies.

[16]  A. Antón,et al.  Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems , 2000 .

[17]  Bashar Nuseibeh,et al.  Requirements engineering: a roadmap , 2000, ICSE '00.

[18]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[19]  Eric S. K. Yu,et al.  Towards modelling and reasoning support for early-phase requirements engineering , 1997, Proceedings of ISRE '97: 3rd IEEE International Symposium on Requirements Engineering.

[20]  Lawrence Chung,et al.  Dealing with Security Requirements During the Development of Information Systems , 1993, CAiSE.

[21]  Stephen Fickas,et al.  Goal-Directed Requirements Acquisition , 1993, Sci. Comput. Program..