Decision-making in security requirements engineering with constrained goal models

Nikolaos Argyropoulos, Konstantinos Angelopoulos, Haralambos Mouratidis, Andrew Fish

Research output: Chapter in Book/Conference proceeding with ISSN or ISBNConference contribution with ISSN or ISBNResearchpeer-review

Abstract

Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system’s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system’s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system’s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.

Original languageEnglish
Title of host publicationComputer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers
Pages262-280
Number of pages19
ISBN (Electronic)9783319728179
DOIs
Publication statusPublished - 22 Dec 2017
Event3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway
Duration: 14 Sep 201715 Sep 2017

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume10683 LNCS
ISSN (Print)0302-9743
ISSN (Electronic)1611-3349

Workshop

Workshop3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017
CountryNorway
CityOslo
Period14/09/1715/09/17

Fingerprint

Requirements Engineering
Requirements engineering
Decision making
Decision Making
Systems analysis
Multiobjective optimization
Risk assessment
System Design
Electronic Government
Linear Optimization
Elicitation
Multiple Objectives
Risk Assessment
Multi-objective Optimization
Model
Software System
Costs
Complex Systems
Sector
Reasoning

Keywords

  • Constraint goal models
  • Decision making
  • Information security
  • Security requirements

Cite this

Argyropoulos, N., Angelopoulos, K., Mouratidis, H., & Fish, A. (2017). Decision-making in security requirements engineering with constrained goal models. In Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers (pp. 262-280). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10683 LNCS). https://doi.org/10.1007/978-3-319-72817-9_17
Argyropoulos, Nikolaos ; Angelopoulos, Konstantinos ; Mouratidis, Haralambos ; Fish, Andrew. / Decision-making in security requirements engineering with constrained goal models. Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. 2017. pp. 262-280 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).
@inproceedings{dc0604a14df0478f914160ddf948163d,
title = "Decision-making in security requirements engineering with constrained goal models",
abstract = "Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system’s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system’s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system’s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.",
keywords = "Constraint goal models, Decision making, Information security, Security requirements",
author = "Nikolaos Argyropoulos and Konstantinos Angelopoulos and Haralambos Mouratidis and Andrew Fish",
year = "2017",
month = "12",
day = "22",
doi = "10.1007/978-3-319-72817-9_17",
language = "English",
isbn = "9783319728162",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "262--280",
booktitle = "Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers",

}

Argyropoulos, N, Angelopoulos, K, Mouratidis, H & Fish, A 2017, Decision-making in security requirements engineering with constrained goal models. in Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10683 LNCS, pp. 262-280, 3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017, Oslo, Norway, 14/09/17. https://doi.org/10.1007/978-3-319-72817-9_17

Decision-making in security requirements engineering with constrained goal models. / Argyropoulos, Nikolaos; Angelopoulos, Konstantinos; Mouratidis, Haralambos; Fish, Andrew.

Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. 2017. p. 262-280 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10683 LNCS).

Research output: Chapter in Book/Conference proceeding with ISSN or ISBNConference contribution with ISSN or ISBNResearchpeer-review

TY - GEN

T1 - Decision-making in security requirements engineering with constrained goal models

AU - Argyropoulos, Nikolaos

AU - Angelopoulos, Konstantinos

AU - Mouratidis, Haralambos

AU - Fish, Andrew

PY - 2017/12/22

Y1 - 2017/12/22

N2 - Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system’s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system’s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system’s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.

AB - Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system’s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system’s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system’s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.

KW - Constraint goal models

KW - Decision making

KW - Information security

KW - Security requirements

UR - http://www.scopus.com/inward/record.url?scp=85041501444&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-72817-9_17

DO - 10.1007/978-3-319-72817-9_17

M3 - Conference contribution with ISSN or ISBN

SN - 9783319728162

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 262

EP - 280

BT - Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers

ER -

Argyropoulos N, Angelopoulos K, Mouratidis H, Fish A. Decision-making in security requirements engineering with constrained goal models. In Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. 2017. p. 262-280. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-72817-9_17