Publication


Featured research published by Peter Karpati.


BMMDS/EMMSAD | 2012

A Combined Process for Elicitation and Analysis of Safety and Security Requirements

Christian Raspotnig; Peter Karpati; Vikash Katta

The aims of safety and security assessments are very similar since they both consider harm during system development. However, they apply different means for it and are performed in separate processes. As security and safety areas are merging in new systems that are critical, and more openly interconnected, there is a need to relate the different processes during the development. A combined assessment process could save resources compared to separate safety and security assessments, as well as support the understanding of mutual constraints and the resolution of conflicts between the two areas. We suggest a combined method covering the harm identification and analysis part of the assessment process using UML-based models. The process is applied to a case from the Air Traffic Management domain. Experts’ opinions about the results have also been collected for feedback.


Requirements Engineering: Foundation for Software Quality | 2010

Visualizing Cyber Attacks with Misuse Case Maps

Peter Karpati; Guttorm Sindre; Andreas L. Opdahl

[Context and motivation] In the development of secure software, work on requirements and on architecture need to be closely intertwined, because possible threats and the chosen architecture depend on each other mutually. [Question/problem] Nevertheless, most security requirement techniques do not take architecture into account. The transition from security requirements to secure architectures is left to security experts and software developers, excluding domain experts and other groups of stakeholders from discussions of threats, vulnerabilities and mitigations in an architectural context. [Principal idea/results] The paper introduces misuse case maps, a new modelling technique that is the anti-behavioural complement to use case maps. The purpose of the new technique is to visualize how cyber attacks are performed in an architectural context. [Contribution] The paper investigates what a misuse case map notation might look like. A preliminary evaluation suggests that misuse case maps may indeed make it easier for less experienced stakeholders to gain an understanding of multi-stage intrusion scenarios.


Requirements Engineering: Foundation for Software Quality | 2012

Aligning mal-activity diagrams and security risk management for security requirements definitions

Mohammad Jabed Morshed Chowdhury; Raimundas Matulevičius; Guttorm Sindre; Peter Karpati

[Context and motivation] Security engineering is one of the important concerns during system development. It should be addressed throughout the whole system development process. There are several languages for security modelling that help in dealing with security risk management at the requirements stage. [Question/problem] In this paper, we are focusing on Mal-activity diagrams that are used from the requirements engineering to the system design stage. More specifically, we investigate how this language supports information systems security risks management (ISSRM). [Principal ideas/results] The outcome of this work is an alignment table between the Mal-activity diagrams language constructs and the ISSRM domain model concepts. [Contribution] This result may help developers understand how to model security risks at the system requirement and design stages. Also, it paves the way for interoperability between the modelling languages that are analysed using the same conceptual framework, thus facilitating transformation between these modelling approaches.


Information & Software Technology | 2014

Comparing attack trees and misuse cases in an industrial setting

Peter Karpati; Yonathan Redda; Andreas L. Opdahl; Guttorm Sindre

The last decade has seen an increasing focus on addressing security already during the earliest stages of system development, such as requirements determination. Attack trees and misuse cases are established techniques for representing security threats along with their potential mitigations. Previous work has compared attack trees and misuse cases in two experiments with students. The present paper instead presents an experiment where industrial practitioners perform the experimental tasks in their workplace. The industrial experiment confirms a central finding from the student experiments: that attack trees tend to help identifying more threats than misuse cases. It also presents a new result: that misuse cases tend to encourage identification of threats associated with earlier development stages than attack trees. The two techniques should therefore be considered complementary and should be used together in practical requirements work.


The Practice of Enterprise Modeling | 2010

Comparing Two Techniques for Intrusion Visualization

Vikash Katta; Peter Karpati; Andreas L. Opdahl; Christian Raspotnig; Guttorm Sindre

Various techniques have been proposed to model attacks on systems. In order to understand such attacks and thereby propose efficient mitigations, the sequence of steps in the attack should be analysed thoroughly. However, there is a lack of techniques to represent intrusion scenarios across a system architecture. This paper proposes a new technique called misuse sequence diagrams (MUSD). MUSD represents the sequence of attacker interactions with system components and how they were misused over time by exploiting their vulnerabilities. The paper investigates MUSD in a controlled experiment with 42 students, comparing it with a similar technique called misuse case maps (MUCM). The results suggest that the two mostly perform equally well and they are complementary regarding architectural issues and temporal sequences of actions though MUSD was perceived more favourably.


International Journal of Secure Software Engineering | 2012

Comparing Misuse Case and Mal-Activity Diagrams for Modelling Social Engineering Attacks

Guttorm Sindre; Peter Karpati; Raimundas Matulevičius

Understanding the social engineering threat is important in requirements engineering for security-critical information systems. Mal-activity diagrams have been proposed as being better than misuse cases for this purpose, but without any empirical testing. The research question in this study is whether mal-activity diagrams would be more efficient than misuse cases for understanding social engineering attacks and finding prevention measures. After a conceptual comparison of the modelling techniques, a controlled experiment is presented, comparing the efficiency of using the two techniques together with textual descriptions of social engineering attacks. The results were fairly equal, the only significant difference being a slight advantage for mal-activity diagrams concerning perceived ease of use. The study gives new insights into the relative merits of the two techniques, and suggests that the advantage of mal-activity diagrams is smaller than previously assumed. However, more empirical investigations are needed to make detailed conclusions.


Availability, Reliability and Security | 2011

Characterising and Analysing Security Requirements Modelling Initiatives

Peter Karpati; Guttorm Sindre; Andreas L. Opdahl

With the continuously developing technology and growing complexity of software and systems, new demands and challenges appear for security, calling for new techniques and methods in addition to the already existing ones. The variety of initiatives and the variations in the characterizations make it hard for users to select the most appropriate one for their needs. We propose a set of uniform characterizing dimensions with sub-categories for security requirements initiatives. The set is derived by analyzing classifications and comparison frameworks from review papers on modelling techniques for security requirements engineering. The dimensions can be used to guide context-dependent choices of initiatives and further research of their combination and integration.


Availability, Reliability and Security | 2013

Enhancing CHASSIS: A Method for Combining Safety and Security

Christian Raspotnig; Vikash Katta; Peter Karpati; Andreas L. Opdahl

Safety and security assessments aim to keep harm away from systems. Although they consider different causes of harm, the mitigations suggested by the assessments are often interrelated and affect each other, either by strengthening or weakening the other. Considering the relations and effects, a combined process for safety and security could save resources. It also improves the reliability of the system development when compared to having two independent processes whose results might contradict. This paper extends our previous research on a combined method for security and safety assessment, named CHASSIS, by detailing the process in a broader context of system development with the help of feedback from a safety expert. The enhanced CHASSIS method is discussed based on a case from the Air Traffic Management domain.


Journal of Systems and Software | 2015

Investigating security threats in architectural context

Peter Karpati; Andreas L. Opdahl; Guttorm Sindre

Misuse case maps (MUCM) augment use case maps with misuse case concepts. MUCMs provide integrated views of security issues and software systems architecture. MUCM were evaluated in controlled experiments with complex real-life intrusions. Misuse case maps lead to good understanding of intrusions and ability to suggest mitigations. Misuse case maps were perceived more positively and used more than two existing techniques used as alternative treatment.

Many techniques have been proposed for eliciting software security requirements during the early requirements engineering phase. However, few techniques so far provide dedicated views of security issues in a software systems architecture context. This is a problem, because almost all requirements work today happens in a given architectural context, and understanding this architecture is vital for identifying security vulnerabilities and corresponding mitigations. Misuse case maps attempt to provide an integrated view of security and architecture by augmenting use case maps with misuse case concepts. This paper evaluates misuse case maps through two controlled experiments where 33 and 54 ICT students worked on complex real-life intrusions described in the literature. The students who used misuse case maps showed significantly better understanding of intrusions and better ability to suggest mitigations than students who used a combination of two existing techniques as an alternative treatment. Misuse case maps were also perceived more favourably overall than the alternative treatment, and participants reported using misuse case maps more when solving their tasks.


Availability, Reliability and Security | 2011

Experimental Comparison of Misuse Case Maps with Misuse Cases and System Architecture Diagrams for Eliciting Security Vulnerabilities and Mitigations

Peter Karpati; Andreas L. Opdahl; Guttorm Sindre

The idea of security-aware system development from the start of the engineering process is generally accepted nowadays and is becoming applied in practice. Many recent initiatives support this idea with special focus on security requirements elicitation. However, there are so far no techniques that provide integrated overviews of security threats and system architecture. One way to achieve this is by combining misuse cases with use case maps into misuse case maps (MUCM). This paper presents an experimental evaluation of MUCM diagrams focusing on identification of vulnerabilities and mitigations. The controlled experiment with 33 IT students included a complex hacker intrusion from the literature, illustrated either with MUCM or with alternative diagrams. The results suggest that participants using MUCM found significantly more mitigations than participants using regular misuse cases combined with system architecture diagrams.

Collaboration


Dive into Peter Karpati's collaboration.

Top Co-Authors

Guttorm Sindre

Norwegian University of Science and Technology

Vikash Katta

Norwegian University of Science and Technology

Tor Stålhane

Norwegian University of Science and Technology

Øystein Nytrø

Norwegian University of Science and Technology

Tibor Szkaliczki

Hungarian Academy of Sciences

Laszlo Böszörmenyi

Alpen-Adria-Universität Klagenfurt

Inger Dybdahl Sørby

Norwegian University of Science and Technology
