Caring for security at requirements engineering time is a message that has finally received some attention recently. However, it is not yet very clear how to achieve this systematically through the various stages of the requirements engineering process. The paper presents a constructive approach to the modeling, specification and analysis of applicationspecific security requirements. The method is based on a goal-oriented framework for generating and resolving obstacles to goal satisfaction. The extended framework addresses malicious obstacles (called anti-goals) set up by attackers to threaten security goals. Threat trees are built systematically through anti-goal refinement until leaf nodes are derived that are either software vulnerabilities observable by the attacker or anti-requirements implementable by this attacker. New security requirements are then obtained as countermeasures by application of threat resolution operators to the specification of the antirequirements and vulnerabilities revealed by the analysis. The paper also introduces formal epistemic specification constructs and patterns that may be used to support a formal derivation and analysis process. The method is illustrated on a web-based banking system for which subtle attacks have been reported recently.

Abstract. Security issues for software systems ultimately concern relationships among social actors – stakeholders, users, potential attackers, etc.-- and software acting on their behalf. In assessing vulnerabilities and mitigation measures, actors make strategic decisions to achieve desired levels of security while trading off competing requirements such as costs, performance, usability and so on. This paper explores the explicit modeling of relationships among strategic actors in order to elicit, identify and analyze security requirements. In particular, actor dependency analysis helps in the identification of attackers and their potential threats, while actor goal analysis helps to elicit the dynamic decision making process of system players for security issues. Patterns of relationships at various levels of abstraction (e.g. intentional dependencies among abstract roles) can be studied separately. These patterns can be selectively applied and combined for analyzing specific system configurations. The approach is particularly suitable for new Internet applications where layers of software entities and human roles interact to create complex security challenges. Examples from Peer-to-Peer computing are used to illustrate the proposed framework. 1.

Problem frames provide a means of analyzing and decomposing problems. They emphasise the world outside of the computer, helping the developer to focus on the problem domain, instead of drifting into inventing solutions.

Exploring alternative options is at the heart of the requirements and design processes. Different alternatives contribute to different degrees of achievement of non-functional goals about system safety, security, performance, usability, and so forth. Such goals in general cannot be satisfied in an absolute, clear-cut sense. Various qualitative and quantitative frameworks have been proposed to support the assessment of alternatives for design decision making. In general they lead to limited conclusions due to the lack of accuracy and measurability of goal formulations and the lack of impact propagation rules along goal contribution links. The paper presents techniques for specifying partial degrees of goal satisfaction and for quantifying the impact of alternative system designs on the degree of goal satisfaction. The approach consists in enriching goal refinement models with a probabilistic layer for reasoning about partial satisfaction. Within such models, non-functional goals are specified in a precise, probabilistic way; their specification is interpreted in terms of application-specific measures; impact of alternative goal refinements is evaluated in terms of refinement equations over random variables involved in the system's functional goals. A systematic method is presented for guiding the elaboration of such models. The latter can then be used to assess the impact of alternative decisions on the degree of goal satisfaction or to derive quantitative, fine-grained requirements on the software to achieve the higher-level goals.

Caring for security at requirements engineering time is a message that has finally received some attention recently. However, it is not yet very clear how to achieve this systematically through the various stages of the requirements engineering process. We briefly introduce some of the requirements such a process should meet for high assurance to be provided from the resulting requirements product. A constructive approach to security requirements elicitation, modeling and analysis is then outlined as an attempt to address such meta-requirements. The approach is based on a framework we developed before for generating and resolving obstacles to requirements achievement. Our framework integrates intentional obstacles (or "antigoals") set up by attackers to break security goals. Attack trees are derived systematically through anti-goal refinement until leaf nodes are reached that are software vulnerabilities observable by the attacker or antirequirements implementable by this attacker. New security requirements are derived by resolution of the attack trees generated thereby. 1.

Jackson's Problem Frames provide a means of analysing and decomposing problems. They emphasise the world outside the computer helping the developer to focus on the problem domain instead of drifting into inventing solutions. The intention is to delay consideration of the solution space until a good understanding of the problem is gained.

Requirements engineers need to make sure that the requirements models and specifications they are building do accurately capture what stakeholders really want. Requirements animation has been recognized to be a promising approach to support this. The principle is to simulate an executable version of the requirements model and to visualize the simulation in some form appealling to stakeholders. Most animation tools available to date simulate operational models. Such models in general do not directly reflect the objectives, constraints and assumptions stated declaratively by stakeholders. It is also not possible to focus the animation on particular portions of a complex model relevant to some specific concern. The paper describes a tool aimed at overcoming such limitations by animating goal-oriented requirements models. The tool automatically generates parallel state machines from goal operationalizations, instantiates those machines to specific instances created by users at animation time, executes them from concurrent events input by multiple users, monitors property violations at animation time, and visualizes concurrent simulations in terms of animated scenes in the domain. 1.

Scenarios are an effective means for eliciting, validating and documenting requirements. At the requirements level, scenarios describe sequences of interactions between the software-to-be and agents in the environment. Interactions correspond to the occurrence of an event that is controlled by one agent and monitored by another. This paper presents a technique to analyse requirements-level scenarios for unforeseen, potentially harmful, consequences. Our aim is to perform analysis early in system development, where it is highly cost-effective. The approach recognises the importance of monitoring and control issues and extends existing work on implied scenarios accordingly. These so-called input-output implied scenarios expose problematic behaviours in scenario descriptions that cannot be detected using standard implied scenarios. Validation of these implied scenarios supports requirements elaboration. We demonstrate the relevance of inputoutput implied scenarios using a number of examples.

Goal-oriented methods are increasingly popular for elaborating software requirements. They provide systematic support for incrementally building intentional, structural and operational models of the software and its environment together with various techniques for early analysis, e.g., to manage conflicting goals or anticipate abnormal environment behaviors that prevent goals from being achieved. On the other hand, tabular event-based methods are well-established for specifying operational requirements for control software. They provide sophisticated techniques and tools for late analysis of software behavior models through, e.g., simulation, model checking or table exhaustiveness checks. The paper proposes to take the best out of these two worlds to engineer requirements for control software. It presents a technique for deriving event-based specifications, written in the SCR tabular language, from operational specifications built according to the KAOS goal-oriented method. The technique consists in a series of transformation steps each of which resolves semantic, structural or syntactic differences between the KAOS source language and the SCR target language. Some of these steps need human intervention and illustrate the kind of semantic subtleties that need to be taken into account when integrating multiple formalisms. As a result of our technique SCR specifiers may use upstream goal-based processes à la KAOS for the incremental elaboration, early analysis, organization and documentation of their tables while KAOS modelers may use downstream tables à la SCR for later analysis of the behavior models derived from goal specifications.

Software engineers of multi-agent systems (MASs) are faced with different concerns such as autonomy, adaptation, interaction, collaboration, learning, and mobility, which are essentially different from classical concerns addressed in object-oriented software engineering. MAS developers however have relied mostly on object-oriented design techniques and programming languages, such as Java. It often leads to a poor separation of MAS concerns and in turn to the production of MASs that are difficult to maintain and reuse. This paper discusses software engineering approaches for MASs, and presents a new method for integrating agents into object-oriented software engineering from an early stage of design. The proposed approach encourages the separate handling of MAS concerns, and provides a disciplined scheme for their composition. Our proposal explores the benefits of aspect-oriented software development for the incorporation of agents into object-oriented systems. We also illustrate our aspect-oriented approach through the Portalware multi-agent system, a web-based environment for the development of e-commerce portals. Keywords: Multi-agent systems, software agents, software engineering, object-oriented systems, aspect-oriented software development.