Modelling Reusable Security Requirements based on an Ontology Framework

In recent years, security in Information Systems (IS) has become an important issue, and it needs to be taken into account in all stages of IS development, including the early phase of Requirements Engineering (RE). Reuse of requirements improves the productivity and quality of the software process and its products, and this reuse can be facilitated by Semantic Web technologies. We describe an ontology-based framework for representing and reusing security requirements based on risk analysis. A risk analysis ontology and a requirement ontology have been developed and combined to represent reusable security requirements formally and to improve security in IS by detecting incompleteness and inconsistency and by enabling semantic processing in requirements analysis. This extensible framework is the basis on which to elaborate a “lightweight” method, based on security standards, for eliciting and specifying security requirements.
