Issue No.01 - January (2008 vol.34)
This paper presents a framework for security requirements elicitation and analysis, based upon the construction of a context for the system, representation of security requirements as constraints, and satisfaction arguments for the requirements in the system context. The system context is described using a problem-centered notation, then is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument is in two parts: a formal argument that the system can meet its security requirements, and a structured informal argument supporting the assumptions expressed in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context, or that the context does not contain sufficient information to develop the argument. In this case, designers and architects are asked to provide additional design information to resolve the problems. We evaluate the framework by applying it to a security requirements analysis within an air traffic control technology evaluation project.
Software/Software Engineering, Requirements/Specifications, Security
Robin Laney, Jonathan Moffett, Bashar Nuseibeh, "Security Requirements Engineering: A Framework for Representation and Analysis", IEEE Transactions on Software Engineering, vol. 34, no. 1, pp. 133-153, January 2008, doi:10.1109/TSE.2007.70754