The Use and Usefulness of Threats in Goal-Oriented Modelling
- 1 September 2013
- conference paper
- Published by Institute of Electrical and Electronics Engineers (IEEE) in 2013 International Conference on Availability, Reliability and Security
- p. 428-436
- https://doi.org/10.1109/ares.2013.57
Abstract
Both goal and threat modelling are well-known activities related to high-level requirements engineering. While goals express why a system is needed, threats tell us why security for our system is needed. Still, you will often find that goals and threats are treated in separate modelling processes, perhaps not being influenced by each other at all. The research question we try to address here is: to what extent should we include threats in goal-oriented modelling? There is for instance a trade-off between expressiveness, usability and usefulness that must be considered. To improve this situation we believe that a well-defined methodology with good tool support will make the modelling process easier, and give a more useful result. In this paper we first give an overview of previous work on the use of threats within goal-modelling. We explain the use of threats within a goal-oriented socio-technical security modelling language and how tool support enables reuse of threats and automatic analysis of threat propagation in the models. This is exemplified with a case study from Air Traffic Management (ATM) from which we extract some of the practical challenges that we have. We are able to conclude that threats provide a useful foundation and justification for the security requirements we derive from goal modelling, but this should not be considered to be a replacement for risk assessment methods. Having goals and threats before thinking of the technical solutions of a system allows us to raise awareness on situations that are not just exceptions from regular execution flow.