nach oben

Erschienen in:

2020 | OriginalPaper | Buchkapitel

Systematic Asset Identification and Modeling During Requirements Engineering

verfasst von : Nazila Gol Mohammadi, Roman Wirtz, Maritta Heisel

Erschienen in: Risks and Security of Internet and Systems

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Risk management primarily targets the treatment of threats which might harm the assets of a system. Therefore, identifying such assets of a system and documenting them systematically in an asset model are the key activities in any risk management approach. Based on the ISO/IEC 27005 standard, the consideration of assets consists of two major activities: (i) asset identification, and (ii) asset valuation. However, despite the crucial role of asset identification and asset documentation, such documentation is often neglected during software development. In this paper, we aim to support security analysts in identifying and analyzing assets in the earliest stages of software development, i.e., during requirements engineering. Our contribution is two-fold: We first provide a conceptual model for assets that allows us to classify assets and to express the relations between assets. Second, we propose a method for a systematic identification of system assets and their documentation in an asset model. Our method is based on the functional requirements of software which are expressed by means of problem diagrams. We illustrate and evaluate our proposed approach by applying it to an application example from the smart home sector.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Continuous Risk Management for Industrial IoT: A Methodological View

Nächstes Kapitel Inference Control in Distributed Environment: A Comparison Study

ISO 27005:2011: Information technology – Security techniques – Information security risk management. Standard (2011)

Jackson, M.: Problem Frames: Analyzing and Structuring Software Development Problems. Addison-Wesley, Boston (2001)

Côté, I., Heisel, M., Schmidt, H., Hatebur, D.: UML4PF - a tool for problem-oriented requirements analysis. In: 19th IEEE International Conference on Requirements Engineering, pp. 349–350 (2011)

Meis, R.: Problem-based consideration of privacy-relevant domain knowledge. In: Hansen, M., Hoepman, J.-H., Leenes, R., Whitehouse, D. (eds.) Privacy and Identity 2013. IAICT, vol. 421, pp. 150–164. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55137-6_12CrossRef

RestAssured Consortium: D7.1 - RestAssured Security and Privacy Engineering Methodology (2018). https://restassuredh2020.eu/wp-content/uploads/2018/07/D7.1.pdf

Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis - The CORAS Approach. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-12323-8

Faßbender, S., Heisel, M., Meis, R.: Functional requirements under security PresSuRE. In: 9th International Conference on Software Paradigm Trends, pp. 5–16 (2014)

Wirtz, R., Heisel, M., Meis, R., Omerovic, A., Stølen, K.: Problem-based elicitation of security requirements - the ProCOR method. In: 13th International Conference Evaluation of Novel Approaches to Software Engineering, pp. 26–38 (2018)

Surridge, M., Nasser, B., Chen, X., Chakravarthy, A., Melas, P.: Run-time risk management in adaptive ICT systems. In: International Conference on Availability, Reliability and Security, pp. 102–110 (2013)

10.

Asnar, Y., Li, T., Massacci, F., Paci, F.: Computer aided threat identification. In: 13th IEEE Conference on Commerce and Enterprise Computing, pp. 145–152 (2011)

11.

Asnar, Y., Giorgini, P., Mylopoulos, J.: Goal-driven risk assessment in requirements engineering. Requirements Engineering 16(2), 101–116 (2011)CrossRef

12.

Crook, R., Ince, D., Nuseibeh, B.: Security requirements engineering: when anti-requirements hit the fan. In: Proceedings of the IEEE Joint International Conference on Requirements Engineering, pp. 203–205 (2002)

13.

van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: 26th International Conference on Software Engineering, pp. 148–157 (2004)

14.

Haley, C., Laney, R., Moffett, J., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133–153 (2008)CrossRef

15.

Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Requir. Eng. 15(1), 41–62 (2010)CrossRef

16.

Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: 11th IEEE International Conference on Requirements Engineering, pp. 151–161 (2003)

17.

Matulevičius, R., Mouratidis, H., Mayer, N., Dubois, E., Heymans, P.: Syntactic and semantic extensions to secure tropos to support security risk management. J. Univ. Comput. Sci. 18(6), 816–844 (2012)

18.

Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)

19.

Salehie, M., Pasquale, L., Omoronyia, I., Ali, R., Nuseibeh, B.: Requirements-driven adaptive security: protecting variable assets at runtime. In: 20th IEEE International Conference Requirements Engineering, pp. 111–120 (2012)

20.

Mann, Z.Á., et al.: Secure data processing in the cloud. In: Mann, Z., Stolz, V. (eds.) ESOCC 2017. CCIS, vol. 824, pp. 149–153. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-79090-9_10

21.

Gol Mohammadi, N., Mann, Z.Á., Metzger, A., Heisel, M., Greig, J.: Towards an end-to-end architecture for run-time data protection in the cloud. In: 44th Euromicro Conference on Software Engineering and Advanced Applications, pp. 514–518 (2018)

22.

Cheng, P., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: IEEE Symposium on Security and Privacy, pp. 222–230 (2007)

23.

Covington, M.J., Long, W., Srinivasan, S., Dey, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: 6th ACM Symposium on Access Control Models and Technologies, pp. 10–20 (2001)

Titel: Systematic Asset Identification and Modeling During Requirements Engineering
verfasst von: Nazila Gol Mohammadi
Roman Wirtz
Maritta Heisel
Verlag: Springer International Publishing
Buch: Risks and Security of Internet and Systems
Print ISBN: 978-3-030-41567-9

Electronic ISBN: 978-3-030-41568-6

Copyright-Jahr: 2020
DOI: https://doi.org/10.1007/978-3-030-41568-6_4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"