Abstract
Assessing security-related risks in software or systems engineering is a challenging task: often, a heterogeneous set of distributed stakeholders creates a complex system of (software) components that are highly connected to each other, to consumer electronics, or to Internet-based services. Changes during development are frequent and must be evaluated and handled efficiently. Consequently, risk assessment itself becomes a complex task, and its results must be comprehensible to all actors in the distributed environment. In particular, the systematic and repeatable identification of security goals based on a model of the system under development (SUD) is not well supported by established methods. We therefore demonstrate how the systematic identification, merging, and validation of security goals based on a model of the SUD, in a concrete implementation of our method Modular Risk Assessment (MoRA), supports security engineers in handling this challenge.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Angermeier, D., Nieding, A., Eichler, J. (2017). Supporting Risk Assessment with the Systematic Identification, Merging, and Validation of Security Goals. In: Großmann, J., Felderer, M., Seehusen, F. (eds) Risk Assessment and Risk-Driven Quality Assurance. RISK 2016. Lecture Notes in Computer Science(), vol 10224. Springer, Cham. https://doi.org/10.1007/978-3-319-57858-3_7
DOI: https://doi.org/10.1007/978-3-319-57858-3_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-57857-6
Online ISBN: 978-3-319-57858-3
eBook Packages: Computer Science (R0)