Background

Pattern and Security Requirements

Abstract

This chapter provides the background required to follow the remainder of this book. We describe the security standards that are supported by various methods and approaches presented in this book, namely ISO 27001 and the Common Criteria. In addition, we show how to apply our research to safety as well. In contrast to security standards, which are concerned with protecting a system from attackers, safety standards aim to prevent harm to humans arising from hazards. The safety standard ISO 26262 focuses on the automotive domain, and we introduce it in this chapter as well. This book provides methods and techniques for applying requirements engineering methods to the establishment of security and safety standards. Hence, we introduce a conceptual framework for security requirements engineering and present several of these methods, such as Si* and CORAS, in detail. Finally, we show the agenda approach, which is the underlying conceptual foundation of all methods contributed by this book.

Notes

  1. Reproduced by permission of DIN Deutsches Institut für Normung e.V. The definitive version for the implementation of this standard is the edition bearing the most recent date of issue, obtainable from Beuth Verlag GmbH, Burggrafenstraße 6, 10787 Berlin, Germany.

  2. The standard was formerly known as ISO 17799 and later renamed to ISO 27002.

  3. Online Statement of the ISO 27000 series that ISO 27001 will remain the only mandatory standard of the series: http://www.iso27001security.com/html/27017.html.

  4. Note: This is the Bundesamt für Sicherheit in der Informationstechnik (BSI), a national government body that aims to increase IT security. This is not The British Standards Institution (BSI).

  5. Note that we defined the term establishment with regard to standards in Chap. 1.

  6. http://www.bsigroup.com/en-GB/iso-27001-information-security/ISOIEC-27001-Revision/.

  7. Note that in contrast to our work Massacci applies the ECO Model also to relations between actors and goals.

  8. http://www.uml.org/.

  9. http://www.omg.org/spec/OCL/2.0/.

  10. http://www.eclipse.org/.

References

  • Alebrahim, A., Hatebur, D., & Heisel, M. (2011). A method to derive software architectures from quality requirements. In Proceedings of the 18th Asia-Pacific Software Engineering Conference (APSEC) (pp. 322–330). IEEE Computer Society.

  • Asnar, Y., Giorgini, P., & Mylopoulos, J. (2011). Goal-driven risk assessment in requirements engineering. Requirements Engineering, 16(2), 101–116.

  • BSI. (2011). BSI Grundschutz Homepage. Bonn, Germany: Federal Office for Information Security (BSI). (https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html).

  • Calder, A. (2009). Implementing information security based on ISO 27001/ISO 27002: A management guide. Zaltbommel: Van Haren Publishing.

  • Coleman, D., Arnold, P., Bodoff, S., Dollin, C., Gilchrist, H., Hayes, F., et al. (1994). Object-oriented development: The fusion method. Englewood Cliffs: Prentice Hall.

  • Côté, I. (2012). A systematic approach to software evolution. Baden-Baden: Deutscher Wissenschafts-Verlag.

  • Côté, I., Hatebur, D., Heisel, M., Schmidt, H., & Wentzlaff, I. (2008). A systematic account of problem frames. In Proceedings of the European Conference on Pattern Languages of Programs (EuroPLoP). Universitätsverlag Konstanz.

  • Côté, I., Hatebur, D., Heisel, M., & Schmidt, H. (2011). UML4PF—A tool for problem-oriented requirements analysis. In Proceedings of the International Conference On Requirements Engineering (RE) (pp. 349–350). IEEE Computer Society.

  • Fabian, B., Gürses, S., Heisel, M., Santen, T., & Schmidt, H. (2010). A comparison of security requirements engineering methods. Requirements Engineering—Special Issue on Security Requirements Engineering, 15(1), 7–40.

  • Hatebur, D. (2012). Pattern and component-based development of dependable systems. Deutscher Wissenschafts-Verlag (DWV) Baden-Baden.

  • Hatebur, D., & Heisel, M. (2009). A foundation for requirements analysis of dependable software. In Proceedings of the International Conference on Computer Safety, Reliability and Security (SAFECOMP) (pp. 311–325). Springer.

  • Hatebur, D., & Heisel, M. (2010). A UML profile for requirements analysis of dependable software. In Proceedings of the International Conference on Computer Safety, Reliability and Security (SAFECOMP) (pp. 317–331). Springer.

  • Heisel, M. (1998). Agendas—A concept to guide software development activities. In Proceedings of the IFIP TC2 WG2.4 Working Conference on Systems Implementation: Languages, Methods and Tools (pp. 19–32). Chapman & Hall London.

  • ISO. (2011). ISO 26262—Road Vehicles—Functional Safety. Geneva, Switzerland: International Organization for Standardization (ISO).

  • ISO/IEC. (2000). ISO/IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-relevant systems. Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2005). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2008). Information technology—Security techniques—Information security risk management (ISO/IEC 27005). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2009). Information technology—Security techniques—Information security management systems—Overview and Vocabulary (ISO/IEC 27000). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2012). Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2013). Information technology—Security techniques—Information security management systems—Requirements (ISO/IEC 27001). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO/IEC. (2014). Information technology—Security techniques—Information security management systems—Overview and Vocabulary (ISO/IEC 27000). Geneva, Switzerland: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC).

  • ISO. (2009). ISO 31000 risk management—Principles and guidelines. Geneva, Switzerland: International Organization for Standardization (ISO).

  • Jackson, M. (2001). Problem frames: Analyzing and structuring software development problems. Boston: Addison-Wesley.

  • Jackson, M., & Zave, P. (1995). Deriving specifications from requirements: An example. In Proceedings of the 17th International Conference on Software Engineering (pp. 15–24). ACM.

  • Karpati, P., Sindre, G., & Opdahl, A. L. (2011). Characterising and analysing security requirements modelling initiatives. In Proceedings of the International Conference on Availability, Reliability and Security (ARES) (pp. 710–715). IEEE Computer Society.

  • Klipper, S. (2010). Information Security Risk Management mit ISO/IEC 27005: Risikomanagement mit ISO/IEC 27001, 27005 und 31010. Vieweg+Teubner.

  • Lund, M. S., Solhaug, B., & Stølen, K. (2010). Model-driven risk analysis: The CORAS approach (1st ed.). London: Springer.

  • Mahler, T. (2010). Legal risk management. Unpublished doctoral dissertation, University of Oslo.

  • Massacci, F., Mylopoulos, J., & Zannone, N. (2010). Security requirements engineering: The SI* modeling language and the secure tropos methodology. Advances in Intelligent Information Systems, 265, 147–174.

  • UML Revision Task Force. (2010). OMG unified modeling language: Superstructure.

Correspondence to Kristian Beckers.

© 2015 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Beckers, K. (2015). Background. In: Pattern and Security Requirements. Springer, Cham. https://doi.org/10.1007/978-3-319-16664-3_2

  • DOI: https://doi.org/10.1007/978-3-319-16664-3_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16663-6

  • Online ISBN: 978-3-319-16664-3

  • eBook Packages: Computer Science, Computer Science (R0)
