Decision-making in security requirements engineering with constrained goal models

Nikolaos Argyropoulos; Konstantinos Angelopoulos; Haralambos Mouratidis; Andrew Fish

doi:10.1007/978-3-319-72817-9_17

Decision-making in security requirements engineering with constrained goal models

Nikolaos Argyropoulos, Konstantinos Angelopoulos, Haralambos Mouratidis, Andrew Fish

Research output: Chapter in Book/Conference proceeding with ISSN or ISBN › Conference contribution with ISSN or ISBN › peer-review

Abstract

Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system’s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system’s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system’s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.

Original language	English
Title of host publication	Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers
Publisher	Springer-Verlag
Pages	262-280
Number of pages	19
ISBN (Electronic)	9783319728179
ISBN (Print)	9783319728162
DOIs	https://doi.org/10.1007/978-3-319-72817-9_17
Publication status	Published - 22 Dec 2017
Event	3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017 - Oslo, Norway Duration: 14 Sep 2017 → 15 Sep 2017

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10683 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Workshop

Workshop	3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017
Country	Norway
City	Oslo
Period	14/09/17 → 15/09/17

Keywords

Constraint goal models
Decision making
Information security
Security requirements

Access to Document

10.1007/978-3-319-72817-9_17

Link to publication in Scopus

Andrew Fish
- Andrew.Fish@brighton.ac.uk
Person: Academic
Haris Mouratidis
- H.Mouratidis@brighton.ac.uk
- School of Arch, Tech and Eng - Prof of Software Systems Engineering
- Centre for Secure, Intelligent and Usable Systems
Person: Academic

Cite this

Argyropoulos, N., Angelopoulos, K., Mouratidis, H., & Fish, A. (2017). Decision-making in security requirements engineering with constrained goal models. In Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers (pp. 262-280). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10683 LNCS). Springer-Verlag. https://doi.org/10.1007/978-3-319-72817-9_17

Argyropoulos, Nikolaos ; Angelopoulos, Konstantinos ; Mouratidis, Haralambos ; Fish, Andrew. / Decision-making in security requirements engineering with constrained goal models. Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. Springer-Verlag, 2017. pp. 262-280 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{dc0604a14df0478f914160ddf948163d,

title = "Decision-making in security requirements engineering with constrained goal models",

abstract = "Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system{\textquoteright}s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system{\textquoteright}s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system{\textquoteright}s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.",

keywords = "Constraint goal models, Decision making, Information security, Security requirements",

author = "Nikolaos Argyropoulos and Konstantinos Angelopoulos and Haralambos Mouratidis and Andrew Fish",

year = "2017",

month = dec,

day = "22",

doi = "10.1007/978-3-319-72817-9_17",

language = "English",

isbn = "9783319728162",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer-Verlag",

pages = "262--280",

booktitle = "Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers",

note = "3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017 ; Conference date: 14-09-2017 Through 15-09-2017",

}

Argyropoulos, N, Angelopoulos, K, Mouratidis, H & Fish, A 2017, Decision-making in security requirements engineering with constrained goal models. in Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10683 LNCS, Springer-Verlag, pp. 262-280, 3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017, Oslo, Norway, 14/09/17. https://doi.org/10.1007/978-3-319-72817-9_17

Decision-making in security requirements engineering with constrained goal models. / Argyropoulos, Nikolaos; Angelopoulos, Konstantinos; Mouratidis, Haralambos ; Fish, Andrew.

Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. Springer-Verlag, 2017. p. 262-280 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10683 LNCS).

Research output: Chapter in Book/Conference proceeding with ISSN or ISBN › Conference contribution with ISSN or ISBN › peer-review

TY - GEN

T1 - Decision-making in security requirements engineering with constrained goal models

AU - Argyropoulos, Nikolaos

AU - Angelopoulos, Konstantinos

AU - Mouratidis, Haralambos

AU - Fish, Andrew

PY - 2017/12/22

Y1 - 2017/12/22

N2 - Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system’s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system’s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system’s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.

AB - Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system’s design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system’s design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system’s stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.

KW - Constraint goal models

KW - Decision making

KW - Information security

KW - Security requirements

UR - http://www.scopus.com/inward/record.url?scp=85041501444&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-72817-9_17

DO - 10.1007/978-3-319-72817-9_17

M3 - Conference contribution with ISSN or ISBN

AN - SCOPUS:85041501444

SN - 9783319728162

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 262

EP - 280

BT - Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers

PB - Springer-Verlag

T2 - 3rd Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2017, 1st International Workshop on Security and Privacy Requirements Engineering, SECPRE 2017, Both workshops were co-located with 22nd European Symposium on Research in Computer Security, ESORICS 2017

Y2 - 14 September 2017 through 15 September 2017

ER -

Argyropoulos N, Angelopoulos K, Mouratidis H , Fish A. Decision-making in security requirements engineering with constrained goal models. In Computer Security - ESORICS 2017 International Workshops, CyberICPS 2017 and SECPRE 2017, Revised Selected Papers. Springer-Verlag. 2017. p. 262-280. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). https://doi.org/10.1007/978-3-319-72817-9_17

Decision-making in security requirements engineering with constrained goal models

Abstract

Publication series

Workshop

Keywords

Access to Document

Fingerprint

Profiles

Andrew Fish

Haris Mouratidis

Cite this