Results 11 - 20 of 55
Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures
- In Proc. of EuroPKI’04, LNCS 3093, 2004
Cited by 9 (4 self)
The last years have seen a major interest in designing and deploying trust management and public key infrastructures. Yet, it is still far from clear how one can pass from the organization and system requirements to the actual credentials and attribution of permissions in the PKI infrastructure.
Towards a Risk-Based Security Requirements Engineering Framework
- In Proc. of REFSQ’05, 2005
Cited by 8 (2 self)
Information Systems (IS), particularly e-business systems, are required to be more secure in order to resist the increasing number of attacks. Security is no longer just a desirable quality of IT systems, but is required for compliance with international regulations. The Requirements Engineering (RE) community has started to make successful contributions in the domain of security engineering. This concerns the integration of RE techniques at the early stages of security engineering, as well as the iterative management of security requirements, due to the intertwining between requirements and software architecture design. This paper proposes to complement these results by adapting and integrating another key activity of security, namely risk analysis. The aim of this paper is to show that using and adapting an appropriate set of existing tools and techniques of risk analysis methods improves the effectiveness of an iterative security engineering method starting at the earliest stage of IS development.
Security Requirements Driven Risk Assessment for Critical Infrastructure Information Systems
- In Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS 05), RE ’05, 2005
Cited by 8 (5 self)
Major information processing and associated value-added services provided by information systems in critical infrastructures are being increasingly used for various purposes irrespective of their security posture. Although several infrastructure-wide standard security Certification and Accreditation (C&A) processes exist, their effectiveness in the real world is challenged by the complexity of information systems and their diverse socio-technical operational environments. We identify that these factors naturally demand the integration of several modeling techniques, to adequately support the breadth and depth of C&A processes, with complementary semantics and levels of abstraction to elicit, represent and analyze the diversity of factors associated with the system under consideration. Furthermore, to promote cohesiveness between the artifacts captured through this approach, we identify the need for a comprehensive framework that allows them to synergistically understand and link to each other through the application domain concepts, properties and their relationships. In this paper, we specifically focus on the interactions between various models within such a framework based on the relationships between security requirements and the elements of risk assessment for driving an objective, repeatable and justifiable risk assessment process.
Using Trust Assumptions with Security Requirements
- 2006
Cited by 8 (3 self)
Assumptions are frequently made during requirements analysis of a system about the trustworthiness of its various components (including human components). These trust assumptions, whether implicit or explicit, affect the scope of the analysis, derivation of security requirements, and in some cases how functionality is realized. This paper presents trust assumptions in the context of analysis of security requirements. A running example shows how trust assumptions can be used by a requirements engineer to help define and limit the scope of analysis and to document the decisions made during the process. The paper concludes with a case study examining the impact of trust assumptions on software that uses the secure electronic transaction specification.
A Goal Oriented Approach for Modeling and Analyzing Security TradeOffs
- 2007
Cited by 7 (2 self)
In designing software systems, security is typically only one design objective among many. It may compete with other objectives such as functionality, usability, and performance. Too often, security mechanisms such as firewalls, access control, or encryption are adopted without explicit recognition of competing design objectives and their origins in stakeholder interests. Recently, there is increasing acknowledgement that security is ultimately about trade-offs. One can only aim for “good enough” security, given the competing demands from many parties. In this paper, we examine how conceptual modeling can provide explicit and systematic support for analyzing security trade-offs. After considering the desirable criteria for conceptual modeling methods, we examine several existing approaches for dealing with security trade-offs. From analyzing the limitations of existing methods, we propose an extension to the i* framework for security trade-off analysis, taking advantage of its multi-agent and goal orientation. The method was applied to several case studies used to exemplify existing approaches.
Analysing Security Threats and Vulnerabilities Using Abuse Frames
- 2003
Cited by 6 (1 self)
In this paper, we present an approach using problem frames to analyse security problems in order to determine security threats and vulnerabilities. We use problem frames to capture and bound the base system that is to be protected. We consider threats to this base problem frame from the point of view of the attacker. For each class of threats, their successful realisation is regarded as the anti-requirement in an abuse frame. Anti-requirements are quantified existentially: that is, the attacker succeeds by realising the threat in any one instance. For a threat to be realised, its abuse frame must be composed with the base problem frame in the sense that the asset attacked in the abuse frame must overlap, or be identified with, a domain of the base problem frame. We explain the process of composition and some of its variations. We illustrate and assess our approach using a case study of a medical information system, and suggest how abuse frames can provide a means for bounding the scope of and reasoning about security problems in order to analyse security threats and identify vulnerabilities. We conclude with an agenda for future work.
Specifying Privacy Policies with P3P and EPAL: Lessons Learned
- In Workshop on Privacy in the Electronic Society, WPES-2004, 2004
Cited by 6 (0 self)
... This paper discusses the effectiveness of these languages within the context of a case study that entailed the expression of common online privacy statements for a healthcare website, employing requirements engineering quality factors as a framework for our discussion.
Computer-Aided Support for Secure Tropos
Cited by 6 (3 self)
In earlier work, we have introduced Secure Tropos, a requirements engineering methodology that extends the Tropos methodology and is intended for the design and analysis of security requirements. This paper briefly recaps the concepts proposed for capturing security aspects, and presents an implemented graphical CASE tool that supports the Secure Tropos methodology. Specifically, the tool supports the creation of Secure Tropos models, their translation to formal specifications, as well as the analysis of these specifications to ensure that they comply with specific security properties. Apart from presenting the tool, the paper also presents a two-tier evaluation consisting of two case studies and an experimental evaluation of the tool’s scalability.
Engineering Dependability Requirements for Software-intensive Systems through the Definition of a Common Language
- In Proc. 13th IEEE International Requirements Engineering Conference, Workshop on Requirements Engineering for High-Availability Systems (RHAS), 2005
Cited by 5 (4 self)
Engineering dependability requirements for software-intensive systems is inherently difficult. Dependability of these systems relies heavily on the emergent properties that result from the complex interdependencies that exist among the involved systems and their environments. Furthermore, the choice of a modeling technique significantly affects the semantics and the level of abstraction at which these systems are modeled and analyzed. Therefore, to effectively predict the emergent properties of the system as a whole, it is necessary to gather information based on multiple philosophies from complementary modeling techniques and analyze them in the context of each other. To realize such a unified approach during the early stages of the RE lifecycle, we advocate the need for the definition of a common language. The common language provides a framework within which several modeling techniques can be used in harmony to elicit and create a common understanding through the problem domain concepts, properties and their relationships. We provide examples from our case study on automating the standard Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP) to motivate the applicability and appropriateness of our approach.
Requirements Engineering for Trust Management: Model, Methodology, and Reasoning
- of the 3rd International i* Workshop – istar08, 2006
Cited by 5 (1 self)
A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission and trust and intended for requirements modeling. It also extends Tropos, an agent-oriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.