Problem-Based Security Requirements Elicitation and Refinement with PresSuRE

  • Conference paper
  • Published in: Software Technologies (ICSOFT 2014)

Part of the book series: Communications in Computer and Information Science (CCIS, volume 555)

Abstract

Recently published reports on cybercrime indicate an ever-increasing number of security incidents related to IT systems. Many of the attacks causing these incidents directly or indirectly abuse one or more security defects. Fixing a security defect once the system is fielded is costly. To avoid such defects and the subsequent need to fix them, security has to be considered thoroughly while the software is being developed. The earliest phase in which this can be done is requirements engineering, where security threats should be identified early on and treated by defining sufficient security requirements. In a previous paper [1], we introduced a methodology for Problem-based Security Requirements Elicitation (PresSuRE). PresSuRE provides computer-aided security threat identification, based on the functional requirements of a system-to-be. Still, there is a need for guidance on how to derive security requirements once the threats have been identified. In this work, we provide such guidance by extending PresSuRE and its tool support. We illustrate and validate our approach using a smart grid scenario provided by the industrial partners of the EU project NESSoS.

Part of this work is funded by the German Research Foundation (DFG) under grant number HE3322/4-2 and the EU project Network of Excellence on Engineering Secure Future Internet Software Services and Systems (NESSoS, ICT-2009.1.4 Trustworthy ICT, Grant No. 256980).


Notes

  1. http://www.uml4pf.org/ext-pressure/installation.html
  2. http://www.nessos-project.eu/
  3. http://www.openmeter.com/

References

  1. Faßbender, S., Heisel, M., Meis, R.: Functional requirements under security pressure. In: ICSOFT-PT 2014 - Proceedings of the 9th International Conference on Software Paradigm Trends, Vienna, Austria, 29–31 August 2014
  2. Bundeskriminalamt (Federal Criminal Police Office): Bundeslagebild Cybercrime 2013 (Report on Cybercrime 2013). Technical report, Germany (2014)
  3. Bundeskriminalamt (Federal Criminal Police Office): Bundeslagebild Cybercrime 2012 (Report on Cybercrime 2012). Technical report, Germany (2013)
  4. Norton: Norton Report 2013. Technical report, Norton (2013)
  5. Willis, R.: Hughes Aircraft's Widespread Deployment of a Continuously Improving Software Process. AD-A358 993. Carnegie Mellon University, Pittsburgh (1998)
  6. Boehm, B.W., Papaccio, P.N.: Understanding and controlling software costs. IEEE Trans. Softw. Eng. 14, 1462–1477 (1988)
  7. Firesmith, D.: Specifying good requirements. J. Object Technol. 2, 77–87 (2003)
  8. Beckers, K., Faßbender, S., Heisel, M., Meis, R.: A problem-based approach for computer-aided privacy threat identification. In: Preneel, B., Ikonomou, D. (eds.) APF 2012. LNCS, vol. 8319, pp. 1–16. Springer, Heidelberg (2014)
  9. Jackson, M.: Problem Frames: Analyzing and Structuring Software Development Problems. Addison-Wesley, Boston (2001)
  10. Kreutzmann, H., Vollmer, S., Tekampe, N., Abromeit, A.: Protection profile for the gateway of a smart metering system. Technical report, BSI (2011)
  11. Requirements of AMI. Technical report, OPEN meter project (2009)
  12. Hatebur, D., Heisel, M.: Making pattern- and model-based software development more rigorous. In: Dong, J.S., Zhu, H. (eds.) ICFEM 2010. LNCS, vol. 6447, pp. 253–269. Springer, Heidelberg (2010)
  13. Beckers, K., Hatebur, D., Heisel, M.: A problem-based threat analysis in compliance with common criteria. In: ARES 2013, IEEE Computer Society (2013)
  14. Dolev, D., Yao, A.C.: On the security of public key protocols. IEEE Trans. Inf. Theor. 29, 198–207 (1983)
  15. ISO/IEC: Common Criteria for Information Technology Security Evaluation. ISO/IEC 15408, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Geneva, Switzerland (2009)
  16. ISO/IEC: Information Technology - Security Techniques - Information Security Management Systems - Overview and Vocabulary. ISO/IEC 27000, International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), Geneva, Switzerland (2009)
  17. Hatebur, D., Heisel, M.: A UML profile for requirements analysis of dependable software. In: Schoitsch, E. (ed.) SAFECOMP 2010. LNCS, vol. 6351, pp. 317–331. Springer, Heidelberg (2010)
  18. Volkamer, M., Vogt, R.: Common Criteria Protection Profile for Basic Set of Security Requirements for Online Voting Products. Bundesamt für Sicherheit in der Informationstechnik (2008)
  19. Faßbender, S., Heisel, M.: From problems to laws in requirements engineering using model-transformation. In: ICSOFT 2013, SciTePress, pp. 447–458 (2013)
  20. Schmidt, H., Jürjens, J.: Connecting security requirements analysis and secure design using patterns and UMLsec. In: Mouratidis, H., Rolland, C. (eds.) CAiSE 2011. LNCS, vol. 6741, pp. 367–382. Springer, Heidelberg (2011)
  21. Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)
  22. Haley, C.B., Laney, R., Moffett, J.D., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34, 133–153 (2008)
  23. Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: RE 2003, pp. 151–161 (2003)
  24. Mouratidis, H., Giorgini, P.: Secure Tropos: a security-oriented extension of the Tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17, 285–309 (2007)
  25. Salehie, M., Pasquale, L., Omoronyia, I., Ali, R., Nuseibeh, B.: Requirements-driven adaptive security: protecting variable assets at runtime. In: RE 2012, pp. 111–120 (2012)
  26. Van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: ICSE 2004, pp. 148–157 (2004)
  27. Alrajeh, D., Kramer, J., Russo, A., Uchitel, S.: Learning operational requirements from goal models. In: ICSE 2009, pp. 265–275 (2009)


Author information

Correspondence to Stephan Faßbender.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Faßbender, S., Heisel, M., Meis, R. (2015). Problem-Based Security Requirements Elicitation and Refinement with PresSuRE. In: Holzinger, A., Cardoso, J., Cordeiro, J., Libourel, T., Maciaszek, L., van Sinderen, M. (eds) Software Technologies. ICSOFT 2014. Communications in Computer and Information Science, vol 555. Springer, Cham. https://doi.org/10.1007/978-3-319-25579-8_18

  • DOI: https://doi.org/10.1007/978-3-319-25579-8_18
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-25578-1
  • Online ISBN: 978-3-319-25579-8
  • eBook Packages: Computer Science (R0)
