Our goal in this paper is to introduce and motivate a methodology, called Tropos, for building agent oriented software systems. Tropos is based on two key ideas. First, the notion of agent and all related mentalistic notions (for instance goals and plans) are used in all phases of software development, from early analysis down to the actual implementation. Second, Tropos covers also the very early phases of requirements analysis, thus allowing for a deeper understanding of the environment where the software must operate, and of the kind of interactions that should occur between software and human agents. The methodology is illustrated with the help of a case study. The Tropos language for conceptual modeling is formalized in a metamodel described with a set of UML class diagrams.

Systems composed of interacting autonomous agents offer a promising software engineering approach for developing applications in complex domains. However, this multiagent system paradigm introduces a number of new abstractions and design/development issues when compared with more traditional approaches to software development. Accordingly, new analysis and design methodologies, as well as new tools, are needed to effectively engineer such systems.

www.utdallas.edu/~chung/, www.inf.puc-rio.br/~julio Abstract. Essentially a software system’s utility is determined by both its functionality and its non-functional characteristics, such as usability, flexibility, performance, interoperability and security. Nonetheless, there has been a lop-sided emphasis in the functionality of the software, even though the functionality is not useful or usable without the necessary non-functional characteristics. In this chapter, we review the state of the art on the treatment of non-functional requirements (hereafter, NFRs), while providing some prospects for future directions.

Despite all the research done in the last years on the development of methodologies for designing MAS, there is no methodology suitable for the specification and design of MAS in complex domains where both the agent view and the organizational view can be modelled. Current multi-agent approaches either take a centralist, static approach to organizational design or take an emergent view in which agent interactions are not pre determined, thus making it impossible to make any predictions on the behavior of the whole systems. Most of them also lack a model of the norms in the environment that should rule the (emergent) behavior of the agent society as a whole and/or the actions of individuals. In this paper, we propose a framework for modelling agent organizations, Omni , that allows the balance of global organizational requirements with the autonomy of individual agents. It specifies

Abstract. Security issues for software systems ultimately concern relationships among social actors – stakeholders, users, potential attackers, etc.-- and software acting on their behalf. In assessing vulnerabilities and mitigation measures, actors make strategic decisions to achieve desired levels of security while trading off competing requirements such as costs, performance, usability and so on. This paper explores the explicit modeling of relationships among strategic actors in order to elicit, identify and analyze security requirements. In particular, actor dependency analysis helps in the identification of attackers and their potential threats, while actor goal analysis helps to elicit the dynamic decision making process of system players for security issues. Patterns of relationships at various levels of abstraction (e.g. intentional dependencies among abstract roles) can be studied separately. These patterns can be selectively applied and combined for analyzing specific system configurations. The approach is particularly suitable for new Internet applications where layers of software entities and human roles interact to create complex security challenges. Examples from Peer-to-Peer computing are used to illustrate the proposed framework. 1.

Early requirements analysis is concerned with modeling and understanding the organizational context within which a software system will operate. Such organizational models can describe either the status quo or a desired new status. It is convenient to build such models by deploying organizational patterns which describe oftenused organizational structures. The paper proposes a catalogue of patterns which adopt concepts from organization theory and strategic alliances literature. The patterns are modeled using the i * framework which offers the notions of actor, goal and actor dependency and specified in Telos. Each proposed pattern is evaluated with respect to a set of quality attributes, such as predictability, adaptability and openness. We illustrate the use of our proposed patterns with a business-tobusiness example modeling alternative organizational settings. This research has been conducted within the context of a comprehensive software development methodology called Tropos. 1.

We introduce a variability-intensive approach to goal decomposition that is tailored to support requirements identification for highly customizable software. The approach is based on the semantic characterization of ORdecompositions of goals. We first show that each high-level goal can be associated with a set of concerns, in response to which, alternative refinements of the goal can be introduced. A text corpus relevant to the domain of discourse can be used to derive such variability concerns that are specific to the problem. In parallel, contextual facts that can vary while a goal is being fulfilled are modeled. Then, a highvariability goal model is constructed aiming at responding to the predefined variability concerns completely, while contextual factors are used to test whether it addresses all realistic background circumstances. We apply our approach in a study from the geriatric health care domain. 1.

The last years have seen a number of proposals to incorporate Security Engineering into mainstream Software Requirements Engineering.

Abstract. Several agent-oriented methodologies have been proposed over the last few years. Unlike the object-oriented domain and unfortunately for designers, most of the time, each methodology has its own purposes and few standardization works have been done yet, limiting the impact of agent design on the industrial world. By studying three existing methodologies- ADELFE, Gaia and PASSI- and the concepts related to them, this paper tries to find a means to unify their metamodels. Comparing a certain number of features at the agent or system level (such as the agent structure, its society or organization, its interactions capacities or how agents may be implemented) has enabled us to draw up a first version of a unified meta-model proposed as a first step toward interoperability between agent-oriented methodologies. 1

Abstract. Computer Security is one of today’s hot topic and the need for conceptual models of security features have brought up a number of proposals ranging from UML extensions to novel conceptual models. What is still missing, however, are models that focus on high-level security requirements, without forcing the modeler to immediately get down to security mechanisms. The modeling process itself should make it clear why encryption, authentication or access control are necessary, and what are the tradeoffs, if they are selected. In this paper we show that the i*/Tropos framework lacks the ability to capture these essential features and needs to be augmented. To motivate our proposal, we build upon a substantial case study – the modeling of the Secure Electronic Transactions e-commerce suites by VISA and MasterCard – to identify missing modeling features. In a nutshell, the key missing concept is the separation of the notion of offering a service (of a handling data, performing a task or fulfilling a goal) and ownership of the very same service. This separation is what makes security essential. The ability of the methodology to model a clear dependency relation between those offering a service (the merchant processing a credit card number), those requesting the service (the bank debiting the payment), and those owning the very same data (the cardholder), make security solutions emerge as a natural consequence of the modeling process. 1