nach oben

Erschienen in:

20.07.2019 | Regular Paper

Modelling the interplay of security, privacy and trust in sociotechnical systems: a computer-aided design approach

verfasst von: Mattia Salnitri, Konstantinos Angelopoulos, Michalis Pavlidis, Vasiliki Diamantopoulou, Haralambos Mouratidis, Paolo Giorgini

Erschienen in: Software and Systems Modeling | Ausgabe 2/2020

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Personal data have become a central asset for multiple enterprise applications and online services offered by private companies, public organisations or a combination of both. The sensitivity of such data and the continuously growing legislation that accompanies their management dictate the development of methods that allow the development of more secure, trustworthy software systems with focus on privacy protection. The contribution of this paper is the definition of a novel requirements engineering method that supports both early and late requirements specification, giving emphasis on security, privacy and trust. The novelty of our work is that it provides the means for software designers and security experts to analyse the system-to-be from multiple aspects, starting from identifying high-level goals to the definition of business process composition, and elicitation of mechanisms to fortify the system from external threats. The method is supported by two CASE tools. To demonstrate the applicability and usefulness of our work, the paper shows its applications to a real-world case study.

Vorheriger Artikel Comparing and classifying model transformation reuse approaches across metamodels

Nächster Artikel ExpRunA : a domain-specific approach for technology-oriented experiments

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Ahmed, N., Matulevicius, R.: A method for eliciting security requirements from the business process models. In: CAiSE (Forum/Doctoral Consortium), pp. 57–64 (2014)

Alexander, I.: Misuse cases: use cases with hostile intent. IEEE Softw. 20(1), 58–66 (2003)

Ali, R., Dalpiaz, F., Giorgini, P.: A goal modeling framework for self-contextualizable software. BMMDS/EMMSAD 9, 326–338 (2009)

Angelopoulos, K., Souza, V.E.S., Mylopoulos, J.: Capturing variability in adaptation spaces: a three-peaks approach. In: International Conference on Conceptual Modeling, pp. 384–398. Springer (2015)

Bijwe, A., Mead, N.R.: Adapting the Square Process for Privacy Requirements Engineering. Technical report. Software Engineering Institute (2010)

Bimrah, K.K.: A Framework for Modelling Trust During Information Systems Development. PhD thesis, University of East London (2009)

Bittner, K.: Use Case Modeling. Addison-Wesley Longman Publishing Co., Inc, Boston (2002)

Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi Agent Syst. 8(3), 203–236 (2004)MATH

Chopra, A.K., Dalpiaz, F., Giorgini, P., Mylopoulos, J.: Reasoning about agents and protocols via goals and commitments. In: Proceedings of the 9th International Conference on Autonomous Agents and Multiagent Systems, Vol. 1, pp. 457–464. International Foundation for Autonomous Agents and Multiagent Systems (2010)

10.

Chung, L., Nixon, B.A., Yu, E., Mylopoulos, J.: Non-functional Requirements in Software Engineering. Springer, Berlin/Heidelberg, Germany (2012)MATH

11.

Dalpiaz, F., Paja, E., Giorgini, P.: Security Requirements Engineering: Designing Secure Socio-Technical Systems. MIT Press, Cambridge (2016)

12.

Dardenne, A., Van Lamsweerde, A., Fickas, S.: Goal-directed requirements acquisition. Sci. Comput. Program. 20(1–2), 3–50 (1993)MATH

13.

Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requir. Eng. 16(1), 3–32 (2011)

14.

Diamantopoulou, V., Kalloniatis, C., Gritzalis, S., Mouratidis, H.: Supporting Privacy by Design Using Privacy Process Patterns, pp. 491–505. Springer International Publishing, Cham (2017)

15.

Diamantopoulou, V., Mouratidis, H.: Applying the physics of notation to the evaluation of a security and privacy requirements engineering methodology. Inf. Comput. Secur. 26(4), 382–400 (2018)

16.

Diamantopoulou, V., Mouratidis, H.: Evaluating a reference architecture for privacy level agreements management. In: 12th Mediterranean Conference on Information Systems (MCIS 2018). AIS (2018)

17.

Elahi, G., Yu, E.: Trust trade-off analysis for security requirements engineering. In: Requirements Engineering Conference, 2009. RE’09. 17th IEEE International, pp. 243–248. IEEE (2009)

18.

European Union. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation). Official Journal of the European Union, L119/59, May (2016)

19.

Faßbender, S., Heisel, M., Meis, R.: Functional requirements under security pressure. In: 2014 9th International Conference on Software Paradigm Trends (ICSOFT-PT), pp. 5–16. IEEE (2014)

20.

Faßbender, S., Heisel, M., Meis, R.: Problem-based security requirements elicitation and refinement with pressure. In: International Conference on Software Technologies, pp. 311–330. Springer (2014)

21.

Gharib, M., Salnitri, M., Paja, E., Giorgini, P., Mouratidis, H., Pavlidis, M., Ruiz, J.F., Fernandez, S., and Andrea Della Siria. Privacy requirements: Findings and lessons learned in developing a privacy platform. In: 2016 IEEE 24th International Requirements Engineering Conference (RE), pp. 256–265. IEEE (2016)

22.

Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: 13th IEEE International Conference on Requirements Engineering, 2005. Proceedings, pp. 167–176 (2005)

23.

Gorski, J., Jarzkebowicz, A., Leszczyna, R., Miler, J., Olszewski, M.: Trust case: justifying trust in an it solution. Reliab. Eng. Syst. Saf. 89(1), 33–47 (2005)

24.

Haley, C., Laney, R., Moffett, J., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133–153 (2008)

25.

Hevner, A.R., March, S.T., Park, J., Ram, S.: Design science in information systems research. Manag. Inf. Syst. Q. 28(1), 6 (2008)

26.

Horkoff, J., Yu, Y., Eric, S.K.: Openome: an open-source goal and agent-oriented model drawing and analysis tool. iStar 766, 154–156 (2011)

27.

Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the PRiS method. Requir. Eng. 13(3), 241–255 (2008)

28.

Lambrinoudakis, C., Gritzalis, S., Dridi, F., Pernul, G.: Security requirements for e-government services: a methodological approach for developing a common pki-based security policy. Comput. Commun. 26(16), 1873–1883 (2003)

29.

Lee, W.-S., Grosh, D.L., Tillman, F.A., Lie, C.H.: Fault tree analysis, methods, and applications a review. IEEE Trans. Reliab. 34(3), 194–203 (1985)MATH

30.

Martínez, A., Pastor López, O., Estrada, H.: A pattern language to join early and late requirements. J. Comput. Sci. Technol. 5, 64–70 (2005)

31.

Massacci, F., Mylopoulos, J., Zannone, N.: Security requirements engineering: the si* modeling language and the secure tropos methodology. In: Advances in Intelligent Information Systems, pp. 147–174. Springer, Berlin, Heidelberg (2010)

32.

Mauw, S., Oostdijk, M.: Foundations of attack trees. In: International Conference on Information Security and Cryptology, pp. 186–198. Springer (2005)

33.

Mead, N.R., Stehney, T.: Security Quality Requirements Engineering (SQUARE) Methodology, vol. 30. ACM, New York (2005)

34.

Miyazaki, S., Mead, N., Zhan, J.: Computer-aided privacy requirements elicitation technique. In: Asia-Pacific Services Computing Conference, 2008. APSCC’08. pp. 367–372. IEEE (2008)

35.

Mouratidis, H., Argyropoulos, N., Shei, S.: Security requirements engineering for cloud computing: the secure tropos approach. In: Domain-Specific Conceptual Modeling, pp. 357–380. Springer (2016)

36.

Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)

37.

Mylopoulos, J., Chung, L., Yu, E.: From object-oriented to goal-oriented requirements analysis. Commun. ACM 42(1), 31–37 (1999)

38.

Mllering, G.: The trust/control duality. Int. Sociol. 20(3), 283–305 (2005)

39.

Nguyen, C.M., Sebastiani, R., Giorgini, P., Mylopoulos, J.: Multi-objective reasoning with constrained goal models. Requir. Eng. 23, 189–225 (2016)

40.

Nhlabatsi, A., Bandara, A., Hayashi, S., Haley, C., Jurjens, J., Kaiya, H., Kubo, A., Laney, R., Mouratidis, H., Nuseibeh, B et al.: Security patterns: comparing modeling approaches. In: Software Engineering for Secure Systems: Industrial and Research Perspectives, pp. 75–111. IGI Global (2011)

41.

OMG. Bpmn 2.0. Technical report, OMG (2011)

42.

OMG. Uml 2.5.1. Technical report, OMG (2017)

43.

Paja, E., Dalpiaz, F., Giorgini, P.: Modelling and reasoning about security requirements in socio-technical systems. Data Knowl. Eng. 98, 123–143 (2015)

44.

Pavlidis, M., Islam, S., Mouratidis, H., Kearney, P.: Modeling trust relationships for developing trustworthy information systems. Int. J. Inf. Syst. Model. Des.: IJISMD 5(1), 25–48 (2014)

45.

Pavlidis, M., Mouratidis, H., Islam, S.: Modelling security using trust based concepts. Int. J. Secure Softw. Eng.: IJSSE 3(2), 36–53 (2012)

46.

Pavlidis, M., Mouratidis, H., Islam, S., Kearney, P.: Dealing with trust and control: a meta-model for trustworthy information systems development. In: 2012 Sixth International Conference on Research Challenges in Information Science (RCIS), pp. 1–9 (2012)

47.

Pfitzmann, A., Hansen, M.: A Terminology for Talking About Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management (2010)

48.

Presti, S.L., Butler, M., Leuschel, M., Booth, C.: Holistic trust design of e-services. Trust in E-Services: Technologies. Practices and Challenges, pp. 113–139. IGI Global, Hershey, Pennsylvania, USA (2006)

49.

Rumbaugh, J., Jacobson, I., Booch, G.: Unified Modeling Language Reference Manual. Pearson Higher Education, Upper Saddle River (2004)

50.

Salini, P., Kanmani, S.: Model oriented security requirements engineering (mosre) framework for web applications. In: Advances in Computing and Information Technology, pp. 341–353. Springer, Berlin, Heidelberg (2013)

51.

Salnitri, M., Giorgini, P.: Transforming socio-technical security requirements in secbpmn security policies. In: iStar. CEUR Workshop Proceedings (2014)

52.

Salnitri, M., Paja, E., Giorgini, P.: Preserving compliance with security requirements in socio-technical systems. In: Cyber Security and Privacy Forum, pp. 49–61. Springer, Cham (2014)

53.

Salnitri, M., Paja, E., Giorgini, P.: Maintaining secure business processes in light of socio-technical systems’ evolution. In: IEEE International Requirements Engineering Conference Workshops (REW), pp. 155–164. IEEE (2016)

54.

Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P.: Security Patterns: Integrating Security and Systems Engineering. Wiley, Hoboken (2013)

55.

Shostack, A.: Threat Modeling: Designing for Security. Wiley, Hoboken (2014)

56.

Steinberg, D., Budinsky, F., Merks, E., Paternostro, M.: EMF: Eclipse Modeling Framework. Pearson Education, London (2008)

57.

Van Lamsweerde, A.: Goal-oriented requirements engineering: a guided tour. In: Fifth IEEE International Symposium on Requirements Engineering, 2001. Proceedings, pp. 249–262. IEEE (2001)

58.

Van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th International Conference on Software Engineering, pp. 148–157 (2004)

59.

Van Lamsweerde, A.: Requirements Engineering: From System Goals to UML Models to Software (2009)

60.

Van Lamsweerde, A., Letier, E.: Handling obstacles in goal-oriented requirements engineering. IEEE Trans. Softw. Eng. 26(10), 978–1005 (2000)

61.

VisiOn-Consortium. D6.3 Training Activities Manual. Technical report, VisiOn (2017)

62.

VisiOn European project consortium: VisiOn Pilots Report—Final Version. Technical report, VisiOn (2017). https://www.visioneuproject.eu/wp-content/uploads/2018/11/2017-VSN-RP-145-D5.2-VisiOn-Pilots-Report-final.pdf

63.

Wieringa, R., Daneva, M.: Six strategies for generalizing software engineering theories. Sci. Comput. Program. 101, 136–152 (2015)

64.

Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslén, A.: Experimentation in Software Engineering: An Introduction. Springer, Berlin (2000)MATH

65.

Yin, R.K.: Case Study Research and Applications: Design and Methods. Sage, Thousand Oaks (2017)

66.

Yu, E.: Modelling Strategic Relationships for Process Reengineering. PhD thesis, University of Toronto (1995)

67.

Yu, E.: Modelling strategic relationships for process reengineering. Soc. Model. Requir. Eng. 11, 2011 (2011)

68.

Yu, E., Liu, L.: Modelling trust for system design using the i * strategic actors framework. In: Falcone, R., Singh, M., Tan, Y.-H. (eds.) Trust in Cyber-Societies. Lecture Notes in Computer Science, vol. 2246, pp. 175–194. Springer, Berlin (2001)

69.

Yu, E.S.K.: Towards modelling and reasoning support for early-phase requirements engineering. In: Proceedings of the Third IEEE International Symposium on Requirements Engineering, 1997, pp. 226–235. IEEE (1997)

70.

Zainal, Z.: Case study as a research method. J. Kemanus. 5(1), 1–6 (2007)

71.

Zave, P.: Classification of research efforts in requirements engineering. ACM Comput. Surv: CSUR 29(4), 315–321 (1997)

Titel: Modelling the interplay of security, privacy and trust in sociotechnical systems: a computer-aided design approach
verfasst von: Mattia Salnitri
Konstantinos Angelopoulos
Michalis Pavlidis
Vasiliki Diamantopoulou
Haralambos Mouratidis
Paolo Giorgini
Publikationsdatum: 20.07.2019
Verlag: Springer Berlin Heidelberg
Erschienen in: Software and Systems Modeling / Ausgabe 2/2020
Print ISSN: 1619-1366
Elektronische ISSN: 1619-1374
DOI: https://doi.org/10.1007/s10270-019-00744-x

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Weitere Artikel der Ausgabe 2/2020

Understanding MDE projects: megamodels to the rescue for architecture recovery

CoqTL: a Coq DSL for rule-based model transformation

ExpRunA : a domain-specific approach for technology-oriented experiments

The Software Language Extension Problem

Design methods for the new database era: a systematic literature review

Guest editorial for EMMSAD’2018 special section