Rene Meis
University of Duisburg-Essen
Publication
Featured research published by Rene Meis.
privacy forum | 2012
Kristian Beckers; Stephan Faßbender; Maritta Heisel; Rene Meis
Recently, there has been an increase of reported privacy threats hitting large software systems. These threats can originate from stakeholders that are part of the system. Thus, it is crucial for software engineers to identify these privacy threats, refine these into privacy requirements, and design solutions that mitigate the threats. In this paper, we introduce our methodology named Problem-Based Privacy Analysis (ProPAn). The ProPAn method is an approach for identifying privacy threats during the requirements analysis of software systems using problem frame models. Our approach does not rely entirely on the privacy analyst to detect privacy threats, but allows a computer-aided privacy threat identification that is derived from the relations between stakeholders, technology, and personal information in the system-to-be. To capture the environment of the system, e.g., stakeholders and other IT systems, we use problem frames, a requirements engineering approach founded on the modeling of a machine system-to-be in its environment, e.g., stakeholders and other software. We define a UML profile for privacy requirements and a reasoning technique that identifies stakeholders whose personal information is stored or transmitted in the system-to-be and stakeholders from whom we have to protect this personal information. We illustrate our approach using an eHealth scenario provided by the industrial partners of the EU project NESSoS.
international conference on computational science and its applications | 2014
Azadeh Alebrahim; Maritta Heisel; Rene Meis
In requirements engineering, properties of the environment and assumptions about it, called domain knowledge, need to be captured in addition to exploring the requirements. Despite the recognition of the significance of capturing and using the required domain knowledge, it might be missing, left implicit, or be captured inadequately during the software development. This results in an incorrect specification. Moreover, the software might fail to achieve its quality objectives because of ignored required constraints and assumptions. In order to analyze software quality properly, we propose a structured approach for eliciting, modeling, and using domain knowledge. We investigate what kind of quality-related domain knowledge is required for the early phases of quality-driven software development and how such domain knowledge can be systematically elicited and explicitly modeled to be used for the analysis of quality requirements. Our method aims at improving the quality of the requirements engineering process by facilitating the capturing and using of implicit domain knowledge.
IFIP PrimeLife International Summer School on Privacy and Identity Management for Life | 2013
Rene Meis
Especially for a privacy analysis, an adequate and accurate consideration of domain knowledge is needed. Domain knowledge is often only implicitly given and mainly stored in the minds of domain experts. It is important to make this implicit knowledge explicit and to use it in the privacy analysis of a software system. To our knowledge, no privacy-aware requirements engineering approach exists yet which explicitly considers the elicitation of privacy-relevant domain knowledge. This paper presents an extension of the problem-based privacy analysis (ProPAn) method. The extension consists of three parts. First, we elicit the relevant domain knowledge based on questionnaires which are derived from the stakeholder analysis literature. Second, we present generic patterns which can be instantiated to represent the elicited knowledge. Last, we extend the definitions of ProPAn’s privacy graphs to take into account the domain knowledge.
Software Service and Application Engineering | 2012
Kristian Beckers; Stephan Faßbender; Maritta Heisel; Rene Meis
A context description of a software system and its environment is essential for any given software engineering process. Requirements define statements about the environment (according to Jackson's terminology). The context description of a Service-Oriented Architecture is difficult to provide, because of the variety of technical systems and stakeholders involved. We present two patterns for SOA systems and support their instantiation with a structured method. In addition, we show how the patterns can be used in a secure service development life-cycle.
Information-an International Interdisciplinary Journal | 2016
Rene Meis; Maritta Heisel
Privacy is a software quality that is closely related to security. The main difference is that security properties aim at the protection of assets that are crucial for the considered system, and privacy aims at the protection of personal data that are processed by the system. The identification of privacy protection needs in complex systems is a hard and error-prone task. Stakeholders whose personal data are processed might be overlooked, or the sensitivity and the need of protection of the personal data might be underestimated. The later personal data and the needs to protect them are identified during the development process, the more expensive it is to fix these issues, because the needed changes of the system-to-be often affect many functionalities. In this paper, we present a systematic method to identify the privacy needs of a software system based on a set of functional requirements by extending the problem-based privacy analysis (ProPAn) method. Our method is tool-supported and automated where possible to reduce the effort that has to be spent for the privacy analysis, which is especially important when considering complex systems. The contribution of this paper is a semi-automatic method to identify the relevant privacy requirements for a software-to-be based on its functional requirements. The considered privacy requirements address all dimensions of privacy that are relevant for software development. As our method is solely based on the functional requirements of the system-to-be, we enable users of our method to identify the privacy protection needs that have to be addressed by the software-to-be at an early stage of the development. As an initial evaluation of our method, we show its applicability on a small electronic health system scenario.
trust and privacy in digital business | 2015
Rene Meis; Roman Wirtz; Maritta Heisel
Privacy is a growing concern during software development. Transparency – in the sense of increasing users' privacy awareness – is a privacy goal that is not as deeply studied in the literature as the properties anonymity and unlinkability. To be compliant with legislation and standards, requirements engineers have to identify the requirements on transparency that are relevant for the software to be developed. To assist the identification process, we provide a taxonomy of transparency requirements derived from legislation and standards. This taxonomy is validated using related research which was identified using a systematic literature review. Our proposed taxonomy can be used by requirements engineers as a basis to systematically identify the relevant transparency requirements, leading to a more complete and coherent set of requirements.
requirements engineering foundation for software quality | 2014
Azadeh Alebrahim; Stephan Faßbender; Maritta Heisel; Rene Meis
[Context] The ability to address the diverse interests of different stakeholders in a software project in a coherent way is one fundamental software quality. These diverse and maybe conflicting interests are reflected by the requirements of each stakeholder. [Problem] Thus, it is likely that aggregated requirements for a software system contain interactions. To avoid unwanted interactions and improve software quality, we propose a structured method consisting of three phases to find such interactions. [Principal ideas] For our method, we use problem diagrams, which describe requirements in a structured way. The information represented in the problem diagrams is translated into a formal Z model. Then we reduce the number of combinations of requirements which might conflict. [Contribution] The reduction of requirements interaction candidates is crucial to lower the effort of the in-depth interaction analysis. For validation of our method, we use a real-life example in the domain of smart grid.
international conference on software and data technologies | 2015
Rene Meis; Maritta Heisel
Privacy-aware software development is gaining more and more importance for nearly all information systems that are developed nowadays. As a tool to force organizations and companies to consider privacy properly during the planning and the execution of their projects, some governments advise performing privacy impact assessments (PIAs). During a PIA, a report has to be created that summarizes the consequences on privacy the project may have and how the organization or company addresses these consequences. As a basis for a PIA, it has to be documented which personal data is collected, processed, stored, and shared with others in the context of the project. Obtaining this information is a difficult task that is not yet well supported by existing methods. In this paper, we present a method based on the problem-based privacy analysis (ProPAn) that helps to elicit the needed information for a PIA systematically from a given set of functional requirements. Our tool-supported method shall reduce the effort that has to be spent to elicit the information needed to conduct a PIA in a way that the information is as complete and consistent as possible.
2014 9th International Conference on Software Paradigm Trends (ICSOFT-PT) | 2014
Stephan Fassbender; Maritta Heisel; Rene Meis
Recently, there has been an increase of reported security incidents hitting large software systems. Such incidents can originate from different attackers exploiting vulnerabilities of different parts of a system. Hence, there is a need for enhancing security considerations in software development. It is crucial for requirements engineers to identify security threats early on, and to refine the threats into security requirements. In this paper, we introduce a methodology for Problem-based Security Requirements Elicitation (PresSuRE). PresSuRE is a method for identifying security needs during the requirements analysis of software systems using a problem frame model. Our method does not rely entirely on the requirements engineer to detect security needs, but provides a computer-aided security threat identification, and subsequently the elicitation of security requirements. The identification is based on the functional requirements for a system-to-be. We illustrate and validate our approach using a smart grid scenario provided by the industrial partners of the EU project NESSoS.
International Workshop on Smart Grid Security | 2014
Kristian Beckers; Maritta Heisel; Leanid Krautsevich; Fabio Martinelli; Rene Meis; Artsiom Yautsiukhin
The smart grid is an intelligent energy distribution system consisting of multiple information and communication technologies (ICT). One of the challenges for such a complex and heterogeneous system as the smart grid is to unite security analysis on a high level of abstraction and concrete behavioral attack patterns that exploit low-level vulnerabilities. We provide a structured method that combines the Si* language, which can express attacker motivations as a goal hierarchy, and vulnerability-specific attack graphs, which show every step available for an attacker. We derive system-specific information from the low-level representation of the system for a high-level probabilistic analysis.