Skip to main content
SpringerLink
Log in

Graphical Modeling of Security Arguments: Current State and Future Directions

  • Conference paper
  • First Online:
Graphical Models for Security (GraMSec 2017)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 10744))

Included in the following conference series:

Abstract

Identifying threats and risks to complex systems often requires some form of brainstorming. In addition, eliciting security requirements involves making traceable decisions about which risks to mitigate and how. The complexity and dynamics of modern socio-technical systems mean that their security cannot be formally proven. Instead, some researchers have turned to modeling the claims underpinning a risk assessment and the arguments which support security decisions. As a result, several argumentation-based risk analysis and security requirements elicitation frameworks have been proposed. These draw upon existing research in decision making and requirements engineering. Some provide tools to graphically model the underlying argumentation structures, with varying degrees of granularity and formalism. In this paper, we compare these approaches, discuss their applicability and suggest avenues for future research. We find that the core of existing security argumentation frameworks are the links between threats, risks, mitigations and system components. Graphs - a natural representation for these links - are used by many graphical security argumentation tools. But, in order to be human-readable, the graphical models of these graphs need to be both scalable and easy to understand. Therefore, in order to facilitate adoption, both the creation and exploration of these graphs need to be streamlined.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 60.00
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Adelard Safety Case Development (ASCAD) Manual, London, UK (2010)

    Google Scholar 

  2. Beel, J., Langer, S.: An exploratory analysis of mind maps. In: Proceedings of the 11th ACM Symposium on Document Engineering, pp. 81–84. ACM (2011)

    Google Scholar 

  3. Bloomfield, R.E., Guerra, S., Miller, A., Masera, M., Weinstock, C.B.: International working group on assurance cases (for security). IEEE Secur. Priv. 4(3), 66–68 (2006)

    Article  Google Scholar 

  4. Breaux, T.D., Baumer, D.L.: Legally “reasonable” security requirements: a 10-year FTC retrospective. Comput. Secur. 30(4), 178–193 (2011)

    Article  Google Scholar 

  5. Buckingham Shum, S.: The Roots of Computer Supported Argument Visualization, pp. 3–24. Springer, London (2003)

    Google Scholar 

  6. Campbell-Kelly, M.: The History of Mathematical Tables: From Sumer to Spreadsheets. Oxford University Press, Oxford (2003)

    Google Scholar 

  7. Cleland, G.M., Habli, I., Medhurst, J.: Evidence: Using Safety Cases in Industry and Healthcare. The Health Foundation, London (2012)

    Google Scholar 

  8. Cyra, L., Górski, J.: Support for argument structures review and assessment. Reliab. Eng. Syst. Saf. 96(1), 26–37 (2011). Special Issue on Safecomp 2008

    Article  Google Scholar 

  9. Defence standard 00-56 issue 4 (part 1): Safety management requirements for defence systems, July 2007

    Google Scholar 

  10. Emmet, L.: Using claims, arguments and evidence: a pragmatic view-and tool support in ASCE. www.adelard.com

  11. Eppler, M.J.: A comparison between concept maps, mind maps, conceptual diagrams, and visual metaphors as complementary tools for knowledge construction and sharing. Inf. Vis. 5(3), 202–210 (2006)

    Article  Google Scholar 

  12. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off. J. Eur. Union L119/59, 1–88, May 2016. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L:2016:119:TOC

  13. Firesmith, D.G.: Analyzing and specifying reusable security requirements. Technical report DTIC Document (2003)

    Google Scholar 

  14. Fischer, G., Lemke, A.C., McCall, R., Morch, A.I.: Making argumentation serve design. Hum.-Comput. Interact. 6(3), 393–419 (1991)

    Article  Google Scholar 

  15. Franqueira, V.N.L., Tun, T.T., Yu, Y., Wieringa, R., Nuseibeh, B.: Risk and argument: a risk-based argumentation method for practical security. In: RE, pp. 239–248. IEEE (2011)

    Google Scholar 

  16. Gold, J.: Data breaches and computer hacking: liability & insurance issues. American Bar Association’s Government Law Committee Newsletter Fall (2011)

    Google Scholar 

  17. Goodwin, J., Fisher, A.: Wigmore’s chart method. Inf. Logic 20(3), 223–243 (2000)

    Google Scholar 

  18. Górski, J., Jarz̧bowicz, A., Leszczyna, R., Miler, J., Olszewski, M.: Trust case justifying trust in an it solution. Reliab. Eng. Syst. Saf. 89(1), 33–47 (2005)

    Article  Google Scholar 

  19. Haley, C., Laney, R., Moffett, J., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Soft. Eng. 34(1), 133–153 (2008)

    Article  Google Scholar 

  20. Haley, C.B., Laney, R., Moffett, J.D., Nuseibeh, B.: Arguing satisfaction of security requirements. In: Integrating Security and Software Engineering: Advances and Future Visions, pp. 16–43 (2006)

    Google Scholar 

  21. Haley, C.B., Moffett, J.D., Laney, R., Nuseibeh, B.: Arguing security: validating security requirements using structured argumentation. In: Proceedings of Third Symposium on Requirements Engineering for Information Security (SREIS 2005) held in conjunction with the 13th International Requirements Engineering Conference (RE 2005) (2005)

    Google Scholar 

  22. Ionita, D., Bullee, J.W., Wieringa, R.J.: Argumentation-based security requirements elicitation: the next round. In: 2014 IEEE 1st Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE), pp. 7–12. Springer, Heidelberg, August 2014

    Google Scholar 

  23. Ionita, D., Kegel, R., Baltuta, A., Wieringa, R.: Arguesecure: out-of-the-box security risk assessment. In: 2016 IEEE 24th International Requirements Engineering Conference Workshops (REW), pp. 74–79, September 2016

    Google Scholar 

  24. Kelly, T., Weaver, R.: The goal structuring notation - a safety argument notation. In: Proceedings of Dependable Systems and Networks 2004 Workshop on Assurance Cases (2004)

    Google Scholar 

  25. Kelly, T.P.: Arguing Safety: A Systematic Approach to Managing Safety Cases. University of York, York (1999)

    Google Scholar 

  26. Lee, J., Lai, K.Y.: What’s in design rationale? Hum.-Comput. Interact. 6(3–4), 251–280 (1991)

    Article  Google Scholar 

  27. Liao, S.H.: Expert system methodologies and applications - a decade review from 1995 to 2004. Exp. Syst, Appl. 28(1), 93–103 (2005)

    Article  Google Scholar 

  28. Maclean, A., Young, R.M., Moran, T.P.: Design rationale: the argument behind the artefact. In: Proceedings of the Computer Human Interaction conference (CHI) (1989)

    Google Scholar 

  29. Markham, K.M., Mintzes, J.J., Jones, M.G.: The concept map as a research and evaluation tool: further evidence of validity. J. Res. Sci. Teach. 31(1), 91–101 (1994)

    Article  Google Scholar 

  30. Mosier, K.L.: Myths of expert decision making and automated decision aids. In: Naturalistic Decision Making, pp. 319–330 (1997)

    Google Scholar 

  31. Mylopoulos, J., Borgida, A., Jarke, M., Koubarakis, M.: Telos: representing knowledge about information systems. ACM Trans. Inf. Syst. (TOIS) 8(4), 325–362 (1990)

    Article  Google Scholar 

  32. Park, J.S., Montrose, B., Froscher, J.N.: Tools for information security assurance arguments. In: Proceedings of the DARPA Information Survivability Conference, DISCEX 2001, vol. 1, pp. 287–296 (2001)

    Google Scholar 

  33. Polikar, R.: Ensemble based systems in decision making. IEEE Circ. Syst. Mag. 6(3), 21–45 (2006)

    Article  Google Scholar 

  34. Prakken, H.: An abstract framework for argumentation with structured arguments. Argument Comput. 1, 93–124 (2010)

    Article  Google Scholar 

  35. Prakken, H., Ionita, D., Wieringa, R.: Risk assessment as an argumentation game. In: Leite, J., Son, T.C., Torroni, P., van der Torre, L., Woltran, S. (eds.) CLIMA 2013. LNCS (LNAI), vol. 8143, pp. 357–373. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40624-9_22

    Chapter  Google Scholar 

  36. Rowe, J., Levitt, K., Parsons, S., Sklar, E., Applebaum, A., Jalal, S.: Argumentation logic to assist in security administration. In: Proceedings of the 2012 New Security Paradigms Workshop, NSPW 2012, pp. 43–52. ACM, New York (2012)

    Google Scholar 

  37. Rushby, J.: The interpretation and evaluation of assurance cases. SRI International, Menlo Park, CA, USA (2015)

    Google Scholar 

  38. Shum, S.J.B., MacLean, A., Bellotti, V.M.E., Hammond, N.V.: Graphical argumentation and design cognition. Hum.-Comput. Interact. 12(3), 267–300 (1997)

    Article  Google Scholar 

  39. Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Eng. 10(1), 34–44 (2005)

    Article  Google Scholar 

  40. Toulmin, S., Rieke, R., Janik, A.: An Introduction to Reasoning. Macmillan, Basingstoke (1979)

    Google Scholar 

  41. Toulmin, S.E.: The Uses of Argument. Cambridge University Press, Cambridge (1958)

    Google Scholar 

  42. Yu, Y., Tun, T.T., Tedeschi, A., Franqueira, V.N.L., Nuseibeh, B.: Openargue: supporting argumentation to evolve secure software systems. In: 2011 IEEE 19th International Requirements Engineering Conference, pp. 351–352, August 2011

    Google Scholar 

  43. Yu, Y., Franqueira, V.N.L., Tun, T.T., Wieringa, R., Nuseibeh, B.: Automated analysis of security requirements through risk-based argumentation. J. Syst. Soft. 106, 102–116 (2015)

    Article  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Services, Cybersecurity and Safety group, University of Twente, Drienerlolaan 5, 7522 NB, Enschede, The Netherlands

    Dan Ionita, Alexandr Vasenev & Roel Wieringa

  2. Consult Hyperion, 10-12 The Mount, Guildford, GU2 4HN, UK

    Margaret Ford

Authors
  1. Dan Ionita
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Margaret Ford
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Alexandr Vasenev
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Roel Wieringa
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dan Ionita .

Editor information

Editors and Affiliations

  1. Pennsylvania State University, University Park, Pennsylvania, USA

    Peng Liu

  2. University of Luxembourg, Esch-sur-Alzette, Luxembourg

    Sjouke Mauw

  3. Blindern, SINTEF ICT, Oslo, Norway

    Ketil Stolen

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ionita, D., Ford, M., Vasenev, A., Wieringa, R. (2018). Graphical Modeling of Security Arguments: Current State and Future Directions. In: Liu, P., Mauw, S., Stolen, K. (eds) Graphical Models for Security. GraMSec 2017. Lecture Notes in Computer Science(), vol 10744. Springer, Cham. https://doi.org/10.1007/978-3-319-74860-3_1

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-74860-3_1

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-74859-7

  • Online ISBN: 978-3-319-74860-3

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation