Elda Paja
University of Trento
Publication
Featured research published by Elda Paja.
international conference on conceptual modeling | 2013
Elda Paja; Fabiano Dalpiaz; Paolo Giorgini
Requirements are inherently prone to conflicts, for they originate from stakeholders with different, often opposite, needs. Security requirements are no exception. Importantly, their violation leads to severe effects, including privacy infringement, legal sanctions, and exposure to security attacks. Today's systems are Socio-Technical Systems (STSs): they consist of autonomous participants (humans, organisations, software) that interact to get things done. In STSs, security is not just a technical challenge, but it needs to consider the social components of STSs too. We have previously proposed STS-ml, a security requirements modelling language for STSs that expresses security requirements as contractual constraints over the interactions among STS participants. In this paper, we build on top of STS-ml and propose a framework that, via automated reasoning techniques, supports the identification and management of conflicts in security requirements models. We apply our framework to a case study about e-Government, and report on promising scalability results of our implementation.
International Journal of Secure Software Engineering | 2012
Sandra Trösterer; Elke Beck; Fabiano Dalpiaz; Elda Paja; Paolo Giorgini; Manfred Tscheligi
Developing a security modeling language is a complex activity. Particularly, it becomes very challenging for Security Requirements Engineering (SRE) languages where social/organizational concepts are used to represent high-level business aspects, while security aspects are typically expressed in a technical jargon at a lower level of abstraction. In order to reduce this socio-technical mismatch and reach a high quality outcome, appropriate evaluation techniques need to be chosen and carried out throughout the development process of the modeling language. In this article, we present and discuss the formative user-centered evaluation approach, namely an evaluation technique that starts since the early design stages and actively involves end-users. We demonstrate the approach in a real case study presenting the results of the evaluation. From the gained empirical evidence, we may conclude that formative user-centered evaluation is highly recommended to investigate any security modeling language.
international conference on business informatics research | 2011
Elda Paja; Paolo Giorgini; Stéphane Paul; Per Håkon Meland
Traditional approaches to business process modelling deal with security only after the business process has been defined, namely without considering security needs as input for the definition. This may require very costly corrections if new security issues are discovered. Moreover, security concerns are mainly considered at the system level without providing the rationale for their existence, that is, without taking into account the social or organizational perspective, which is essential for business processes related to considerably large organizations. In this paper, we introduce a framework for engineering secure business processes. We propose a security requirements engineering approach to model and analyze participants’ objectives and interactions, and then derive from them a set of security requirements that are used to annotate business processes. We capture security requirements through the notion of social commitment, that is a promise with contractual validity between participants. We illustrate the framework by means of an Air Traffic Management scenario.
ieee international conference on requirements engineering | 2012
Elda Paja; Fabiano Dalpiaz; Mauro Poggianella; Pierluigi Roberti; Paolo Giorgini
Security Requirements Engineering (SRE) deals with the elicitation and analysis of security needs to specify security requirements for the system-to-be. In previous work, we have presented STS-ml, a security requirements modelling language for Socio-Technical Systems (STSs) that elicits security needs, using a goal-oriented approach, and derives the security requirements specification based on these needs. Particularly, STS-ml relates security to the interaction among actors in the STS. In this paper, we present STS-Tool, the modelling and analysis support tool for STS-ml. STS-Tool allows designers to model a STS at a high-level of abstraction, while expressing security needs over the interactions between the actors in the STS, and derive security requirements in terms of social commitments - promises with contractual validity - once the modelling is done.
ieee international conference on requirements engineering | 2016
Jennifer Horkoff; Fatma Basak Aydemir; Evellin Cardoso; Tong Li; Alejandro Maté; Elda Paja; Mattia Salnitri; John Mylopoulos; Paolo Giorgini
Over the last two decades, much attention has been paid to the area of Goal-Oriented Requirements Engineering (GORE), where goals are used as a useful conceptualization to elicit, model and analyze requirements, capturing alternatives and conflicts. Goal modeling has been adapted and applied to many sub-topics within RE and beyond, such as agent-orientation, aspect-orientation, business intelligence, model-driven development, security, and so on. Despite extensive efforts in this field, the RE community lacks a recent, general systematic literature review of the area. As a first step towards providing a GORE overview, we present a Systematic Literature Map, focusing on GORE-related publications at a high-level, categorizing and analyzing paper information in order to answer several research questions, while omitting a detailed analysis of individual paper quality. Our Literature Map covers the 246 top-cited GORE-related conference and journal papers, according to Scopus, classifying them into a number of descriptive paper types and topics, providing an analysis of the data, which is made publicly available. We use our analysis results to make recommendations concerning future GORE research.
international conference on conceptual modeling | 2012
Elda Paja; Fabiano Dalpiaz; Mauro Poggianella; Pierluigi Roberti; Paolo Giorgini
In this paper, we present STS-Tool, the modelling and analysis support tool for STS-ml, an actor- and goal-oriented security requirements modelling language for Socio-Technical Systems (STSs). STS-Tool allows designers to model a socio-technical system at a high-level of abstraction, while expressing constraints (security needs) over the interactions between the actors in the STS, and derive security requirements in terms of social commitments (promises with contractual validity) once the modelling is done.
Engineering Secure Future Internet Services and Systems | 2014
Elda Paja; Fabiano Dalpiaz; Paolo Giorgini
We present the latest version of STS-Tool, the modelling and analysis support tool for STS-ml, an actor- and goal-oriented security requirements modelling language for socio-technical systems. We show how the STS-Tool supports requirements analysts and security designers in (i) modelling socio-technical systems as a set of interacting actors, who have security needs over their interactions, and (ii) deriving security requirements for the system-to-be. The tool integrates a set of automated reasoning techniques that allow checking if a given STS-ml model is well-formed, verifying whether there are any conflicts among security requirements, and calculating the threat trace of events threatening actors’ assets. We first illustrate the modelling and reasoning activities supported by STS-ml, to then guide the design of a secure socio-technical system from the eGovernment domain through a series of exercises.
Requirements Engineering | 2017
Jennifer Horkoff; Fatma Basak Aydemir; Evellin Cardoso; Tong Li; Alejandro Maté; Elda Paja; Mattia Salnitri; Luca Piras; John Mylopoulos; Paolo Giorgini
Over the last two decades, much attention has been paid to the area of goal-oriented requirements engineering (GORE), where goals are used as a useful conceptualization to elicit, model, and analyze requirements, capturing alternatives and conflicts. Goal modeling has been adapted and applied to many sub-topics within requirements engineering (RE) and beyond, such as agent orientation, aspect orientation, business intelligence, model-driven development, and security. Despite extensive efforts in this field, the RE community lacks a recent, general systematic literature review of the area. In this work, we present a systematic mapping study, covering the 246 top-cited GORE-related conference and journal papers, according to Scopus. Our literature map addresses several research questions: we classify the types of papers (e.g., proposals, formalizations, meta-studies), look at the presence of evaluation, the topics covered (e.g., security, agents, scenarios), frameworks used, venues, citations, author networks, and overall publication numbers. For most questions, we evaluate trends over time. Our findings show a proliferation of papers with new ideas and few citations, with a small number of authors and papers dominating citations; however, there is a slight rise in papers which build upon past work (implementations, integrations, and extensions). We see a rise in papers concerning adaptation/variability/evolution and a slight rise in case studies. Overall, interest in GORE has increased. We use our analysis results to make recommendations concerning future GORE research and make our data publicly available.
research challenges in information science | 2016
Tong Li; Elda Paja; John Mylopoulos; Jennifer Horkoff; Kristian Beckers
Discovering potential attacks on a system is an essential step in engineering secure systems, as the identified attacks will determine essential security requirements. The prevalence of Socio-Technical Systems (STSs) makes attack analysis particularly challenging. These systems are composed of people and organizations, their software systems, as well as physical infrastructures. As such, a thorough attack analysis needs to consider strategic (social and organizational) aspects of the involved people and organizations, as well as technical aspects affecting software systems and the physical infrastructure, requiring a large amount of security knowledge which is difficult to acquire. In this paper, we propose a systematic approach to efficiently leverage a comprehensive attack knowledge repository (CAPEC) in order to identify realistic and detailed attack behaviors, avoiding severe repercussions of security breaches. In particular, we propose a systematic method to model CAPEC attack patterns, which has been applied to 102 patterns, in order to semi-automatically select and apply such patterns. Using the CAPEC patterns as part of a systematic and tool-supported process, we can efficiently operationalize attack strategies and identify realistic alternative attacks on an STS. We validate our proposal by performing a case study on a smart grid scenario.
privacy forum | 2014
Mattia Salnitri; Elda Paja; Paolo Giorgini
Socio-technical systems are an interplay of social (humans and organizations) and technical components interacting with one another to achieve their objectives. Security is a central issue in such complex systems, and it cannot be tackled only through technical mechanisms: the encryption of sensitive data while being transmitted does not assure that the receiver will not disclose them to unauthorized parties. Therefore, dealing with security in socio-technical systems requires an analysis: (i) from a social and organizational perspective, to elicit the objectives and security requirements of each component; (ii) from a procedural perspective, to define how the actors behave and interact with each other. But socio-technical systems need to adapt to changes of the external environment, making the need to deal with security a problem that has to be faced during all the systems' life cycle. We propose an iterative and incremental process to elicit security requirements and verify the socio-technical system's compliance with such requirements throughout the systems' life cycle.