Abstract
Recently published reports on cybercrime indicate an ever-increasing number of security incidents related to IT systems. Many attacks causing the incidents abuse (in)directly one or more security defects. Fixing the security defect once fielded is costly. To avoid the defects and the subsequent need to fix them, security has to be considered thoroughly when developing software. The earliest phase to do so is the requirements engineering, in which security threats should be identified early on and treated by defining sufficient security requirements. In a previous paper [1], we introduced a methodology for Problem-based Security Requirements Elicitation (PresSuRE). PresSuRE provides a computer-aided security threat identification. The identification is based on the functional requirements for a system-to-be. Still, there is a need for guidance on how to derive security requirements once the threats are identified. In this work, we provide such guidance extending PresSuRE and its tool support. We illustrate and validate our approach using a smart grid scenario provided by the industrial partners of the EU project NESSoS.
Part of this work is funded by the German Research Foundation (DFG) under grant number HE3322/4-2 and the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980).
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Faßbender, S., Heisel, M., Meis, R.: Functional requirements under security pressure. In: ICSOFT-PT 2014 - Proceedings of the 9th International Conference on Software Paradigm Trends, Vienna, Austria, 29–31 August 2014
Bundeskriminalamt (federal criminal police office): Bundeslagebild Cybercrime 2013 (report on cybercrime 2013). Technical report, Germany (2014)
Bundeskriminalamt (federal criminal police office): Bundeslagebild Cybercrime 2012 (report on cybercrime 2012). Technical report, Germany (2013)
Norton: Norton Report 2013. Technical report, Norton (2013)
Willis, R.: Hughes Aircraft’s Widespread Deployment of a Continuously Improving Software Process. AD-a358 993. Carnegie-mellon university, Pittsburgh (1998)
Boehm, B.W., Papaccio, P.N.: Understanding and controlling software costs. IEEE Trans. Softw. Eng. 14, 1462–1477 (1988)
Firesmith, D.: Specifying good requirements. J. Object Technol. 2, 77–87 (2003)
Beckers, K., Faßbender, S., Heisel, M., Meis, R.: A problem-based approach for computer-aided privacy threat identification. In: Preneel, B., Ikonomou, D. (eds.) APF 2012. LNCS, vol. 8319, pp. 1–16. Springer, Heidelberg (2014)
Jackson, M.: Problem Frames: Analyzing and structuring software development problems. Addison-Wesley, Boston (2001)
Kreutzmann, H., Vollmer, S., Tekampe, N., Abromeit, A.: Protection profile for the gateway of a smart metering system. Technical report, BSI (2011)
Requirements of AMI. Technical report, OPEN meter project (2009)
Hatebur, D., Heisel, M.: Making pattern- and model-based software development more rigorous. In: Dong, J.S., Zhu, H. (eds.) ICFEM 2010. LNCS, vol. 6447, pp. 253–269. Springer, Heidelberg (2010)
Beckers, K., Hatebur, D., Heisel, M.: A problem-based threat analysis in compliance with common criteria. In: ARES 2013, IEEE Computer Society (2013)
Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theor. 29, 198–207 (1983)
ISO/IEC: Common Criteria for Information Technology Security Evaluation. ISO/IEC 15408, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Geneva, Switzerland (2009)
ISO/IEC: Information technology - Security techniques - Information security management systems - Overview and Vocabulary. ISO/IEC 27000, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Geneva, Switzerland (2009)
Hatebur, D., Heisel, M.: A UML profile for requirements analysis of dependable software. In: Schoitsch, E. (ed.) SAFECOMP 2010. LNCS, vol. 6351, pp. 317–331. Springer, Heidelberg (2010)
Volkamer, M., Vogt, R.: Common Criteria Protection Profile for Basic set of security requirements for Online Voting Products. Bundesamt f”ur Sicherheit in der Informationstechnik (2008)
Faßbender, S., Heisel, M.: From problems to laws in requirements engineering using model-transformation. In: ICSOFT 2013, SciTePress. pp. 447–458 (2013)
Schmidt, H., Jürjens, J.: Connecting security requirements analysis and secure design using patterns and UMLsec. In: Mouratidis, H., Rolland, C. (eds.) CAiSE 2011. LNCS, vol. 6741, pp. 367–382. Springer, Heidelberg (2011)
Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)
Haley, C.B., Laney, R., Moffett, J.D., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34, 133–153 (2008)
Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: RE 2003. pp. 151–161 (2003)
Mouratidis, H., Giorgini, P.: Secure Tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17, 285–309 (2007)
Salehie, M., Pasquale, L., Omoronyia, I., Ali, R., Nuseibeh, B.: Requirements-driven adaptive security: protecting variable assets at runtime. In: RE 2012. pp. 111–120 (2012)
Van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: ICSE 2004. pp. 148–157 (2004)
Alrajeh, D., Kramer, J., Russo, A., Uchitel, S.: Learning operational requirements from goal models. In: ICSE 2009. pp. 265–275 (2009)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Faßbender, S., Heisel, M., Meis, R. (2015). Problem-Based Security Requirements Elicitation and Refinement with PresSuRE. In: Holzinger, A., Cardoso, J., Cordeiro, J., Libourel, T., Maciaszek, L., van Sinderen, M. (eds) Software Technologies. ICSOFT 2014. Communications in Computer and Information Science, vol 555. Springer, Cham. https://doi.org/10.1007/978-3-319-25579-8_18
Download citation
DOI: https://doi.org/10.1007/978-3-319-25579-8_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25578-1
Online ISBN: 978-3-319-25579-8
eBook Packages: Computer ScienceComputer Science (R0)