Organizational Patterns for Security and Dependability: From Design to Application

Designing secure and dependable IT systems requires a deep analysis of the organizational as well as social aspects of the environment where the system will operate. Domain experts and analysts often face security and dependability (S&D) issues they have already encountered before. These concerns call for the design of S&D patterns that support designers when developing IT systems. This article presents the experience in designing S&D organizational patterns gained in the course of an industry-led EU project. The authors use an agent-goal-oriented modeling framework (i.e., the SI* framework) to analyze organizational settings jointly with technical functionalities. This framework can assist domain experts and analysts in designing S&D patterns from their experience, validating them by proof-of-concept implementations, and applying them to increase the security level of the system.
