Michalis Pavlidis
University of Brighton
Publication
Featured research published by Michalis Pavlidis.
conference on advanced information systems engineering | 2011
Michalis Pavlidis; Shareeful Islam; Haralambos Mouratidis
Secure Tropos, an extension of the Tropos methodology, considers security requirements alongside functional requirements, from the early stages of the system development process. The Secure Tropos language uses security concepts such as security constraint, secure goal, secure plan, secure resource, and threat to capture the security concepts from both social and organisational settings. These concepts are used to model and reason about security for a specific system context. This paper presents a CASE tool, called SecTro, which supports automated modelling and analysis of security requirements based on Secure Tropos. The tool’s architecture, layout, and functionalities are demonstrated through a real world example using the Secure Tropos concepts.
trust and privacy in digital business | 2013
Michalis Pavlidis; Haralambos Mouratidis; Christos Kalloniatis; Shareeful Islam; Stefanos Gritzalis
Cloud computing is a new paradigm with a promising potential. However, issues of security, privacy, and trust raise concerns and discourage its adoption. In previous work we presented a framework for the selection of an appropriate cloud provider based on security and privacy requirements criteria. However, the adoption of cloud includes release of control over valuable assets, which makes trust in the cloud provider of paramount importance. In this paper we extend the framework by incorporating trust and control concepts in its language and adding a new activity to properly identify and reason about trust assumptions during the selection of an appropriate cloud provider. Also, the CASE tool was extended to support the new activity. A case study is used to illustrate the usefulness of our approach.
research challenges in information science | 2012
Michalis Pavlidis; Haralambos Mouratidis; Shareeful Islam; Paul Kearney
Information systems exist in every aspect of our life and our society depends on them enormously. Despite this reliance, these systems are often unreliable, prone to errors, and pose vulnerabilities for potential security attacks. We are often faced with a choice between using a valuable (or even an essential) system, which is not fully trustworthy, or else forgoing the services it provides. Developing a trustworthy software system is a challenging task. The system’s overall trustworthiness depends on trust relationships that are usually assumed and not properly analysed during the analysis and design of the system. The lack of appropriate analysis of such trust relationships, or the lack of appropriate justification of relevant trust assumptions, usually results in systems that can potentially fail to fully achieve those functionalities that depend on such trust relationships. In this paper, we present a meta-model for a modelling language that allows developers to capture possible trust relationships and to reason about them. The meta-model includes a set of trust based concepts, which support the development of trustworthy systems. A case study from the UK health care sector is used to illustrate the usefulness of the meta-model.
International Journal of Information System Modeling and Design | 2014
Shareeful Islam; Michalis Pavlidis; Haralambos Mouratidis; Paul Kearney
Developing a trustworthy information system is a challenging task. The overall trustworthiness of an information system depends on trust relationships that are generally assumed without adequate justification. However, lack of appropriate analysis of such relationships and of appropriate justification of relevant trust assumptions might lead to systems that fail to fully achieve their functionalities. Existing literature does not provide adequate guidelines for a systematic process or an appropriate modeling language to support such trust-focused analysis. This paper fills this gap by introducing a process that allows developers to capture possible trust relationships and to reason about them. The process is supported by a modeling language based on a set of concepts relating to trust and control and a CASE tool. An illustrative example from the UK health care domain is used to demonstrate the applicability and usefulness of the approach.
conference on advanced information systems engineering | 2012
Fatemeh Zarrabi; Michalis Pavlidis; Haralambos Mouratidis; Shareeful Islam; David Preston
Information systems manage and hold a huge amount of important and critical information. For this reason, information systems must be trustworthy and should comply with relevant laws and regulations. Legal issues should be incorporated into the system development process and there should be a systematic and structured assessment of a system’s trustworthiness to fulfil relevant legal obligations. This paper presents a novel meta-model, which combines legal and trust related concepts, to enable information systems developers to model and reason about the trustworthiness of a system in terms of its law compliance. A case study is used to demonstrate the applicability and benefits of the proposed meta-model.
Computer Standards & Interfaces | 2018
Nikolaos Polatidis; Michalis Pavlidis; Haralambos Mouratidis
Maritime port infrastructures rely on the use of information systems for collaboration, while a vital part of collaborating is to provide protection to these systems. Attack graph analysis and risk assessment provide information that can be used to protect the assets of a network from cyber-attacks. Furthermore, attack graphs provide functionality that can be used to identify vulnerabilities in a network and how these can be exploited by potential attackers. Existing attack graph generation methods are inadequate in satisfying certain requirements necessary in a dynamic supply chain risk management environment, since they do not consider variables that assist in exploring specific network parts that satisfy certain criteria, such as the entry and target points, the propagation length and the location and capability of the potential attacker. In this paper, we present a cyber-attack path discovery method that is used as a component of a maritime risk management system. The method uses constraints and Depth-first search to effectively generate attack graphs that the administrator is interested in. To support our method and to show its effectiveness we have evaluated it using real data from a maritime supply chain.
trust and privacy in digital business | 2017
Michalis Pavlidis; Haralambos Mouratidis; Emmanouil Panaousis; Nikolaos Argyropoulos
As security is a growing concern for modern information systems, Security Requirements Engineering has been developed as a very active area of research. A large body of work deals with elicitation, modelling, analysis, and reasoning about security requirements. However, there is little evidence of efforts to align security requirements with security mechanisms. This paper extends the Secure Tropos methodology to enable a clear alignment between security requirements and security mechanisms, and a reasoning technique to optimise the selection of security mechanisms based on these security requirements and a set of other factors. The extended Secure Tropos supports modelling and analysis of security mechanisms; defines mathematically relevant modelling concepts to support a formal analysis; and defines and solves an optimisation problem to derive optimal sets of security mechanisms. We demonstrate the applicability of our work with the aid of a case study from the health care domain.
privacy forum | 2017
Vasiliki Diamantopoulou; Konstantinos Angelopoulos; Julian Flake; Andrea Praitano; José Francisco Ruiz; Jan Jürjens; Michalis Pavlidis; Dimitri Bonutto; Andrés Sanz; Haralambos Mouratidis; Javier García Robles; Alberto Eugenio Tozzi
Development of Information Systems that ensure privacy is a challenging task that spans various fields such as technology, law and policy. Reports of recent privacy infringements indicate that we are far not only from achieving privacy but also from applying Privacy by Design principles. This is due to lack of holistic methods and tools which should make it possible to understand privacy issues, incorporate appropriate privacy controls during design-time and create and enforce a privacy policy during run-time. To address these issues, we present VisiOn Privacy Platform which provides holistic privacy management throughout the whole information system lifecycle. It contains a privacy aware process that is supported by a software platform and enables Data Controllers to ensure privacy and Data Subjects to gain control of their data, by participating in the privacy policy formulation. A case study from the healthcare domain is used to demonstrate the platform’s benefits.
international conference on engineering applications of neural networks | 2017
Nikolaos Polatidis; Elias Pimenidis; Michalis Pavlidis; Haralambos Mouratidis
Modern information society depends on reliable functionality of information systems infrastructure, while at the same time the number of cyber-attacks has been increasing over the years and damages have been caused. Furthermore, graphs can be used to show paths that can be exploited by attackers to intrude into systems and gain unauthorized access through vulnerability exploitation. This paper presents a method that builds attack graphs using data supplied from the maritime supply chain infrastructure. The method delivers all possible paths that can be exploited to gain access. Then, a recommendation system is utilized to make predictions about future attack steps within the network. We show that recommender systems can be used in cyber defense by predicting attacks. The goal of this paper is to identify attack paths and show how a recommendation method can be used to classify future cyber-attacks. The proposed method has been experimentally evaluated and it is shown that it is both practical and effective.
trust and privacy in digital business | 2018
Myrsini Athinaiou; Haralambos Mouratidis; Theo Fotis; Michalis Pavlidis; Emmanouil Panaousis
This paper presents a cyber-physical systems modelling language for capturing and describing health-based critical infrastructures. Following this practice, incident response plan developers are able to model and reason about security and recovery issues in medical cyber-physical systems from a security requirements engineering perspective. Our work builds upon concepts from the Secure Tropos methodology, where in this paper we introduce novel cyber-physical concepts, relationships and properties in order to carry out analysis of incident response plans based on security requirements. We illustrate our concepts through a case study of a radiological department’s medical cyber-physical systems that have been infected with the WannaCry ransomware. Finally, we discuss how our modelling language enriches security models with incident response concepts, guiding plan developers of health-based critical infrastructures in understanding cyber-physical systems vulnerabilities and supporting decision making at a tactical and a strategic level, through semi-automated secure recovery analysis.