Modeling security and privacy requirements: A use case-driven approach

Context: Modern internet-based services, ranging from food-delivery to home-caring, leverage the availability of multiple programmable devices to provide handy services tailored to end-user needs. These services are delivered through an ecosystem of device-specific software components and interfaces...

Full description

Bibliographic Details
Main Authors: MAI, Phu Xuan, GOKNIL, Arda, SHAR, Lwin Khin, PASTORE, Fabrizio, BRIAND, Lionel, SHAAME, Shaban
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2018
Subjects:
Online Access:https://ink.library.smu.edu.sg/sis_research/4893
https://ink.library.smu.edu.sg/context/sis_research/article/5896/viewcontent/Modeling___PV.pdf
Institution: Singapore Management University
Language: English
id sg-smu-ink.sis_research-5896
record_format dspace
spelling sg-smu-ink.sis_research-5896 2020-02-13T08:19:02Z Modeling security and privacy requirements: A use case-driven approach MAI, Phu Xuan GOKNIL, Arda SHAR, Lwin Khin PASTORE, Fabrizio BRIAND, Lionel SHAAME, Shaban
Context: Modern internet-based services, ranging from food delivery to home care, leverage the availability of multiple programmable devices to provide handy services tailored to end-user needs. These services are delivered through an ecosystem of device-specific software components and interfaces (e.g., mobile and wearable device applications). Since they often handle private information (e.g., location and health status), their security and privacy requirements are of crucial importance. Defining and analyzing those requirements is a significant challenge due to the multiple types of software components and devices integrated into software ecosystems. Each software component presents peculiarities that often depend on the context and on the devices the component interacts with, and these must be considered when dealing with security and privacy requirements.
Objective: In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements in a structured and analyzable form. Our motivation is that, in many contexts, use cases are common practice for the elicitation of functional requirements and should also be adapted to describing security requirements.
Method: We integrate an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template, for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically report inconsistencies among artifacts and between the templates and specifications.
Results: We successfully applied our approach to an industrial healthcare project and report lessons learned and results from structured interviews with engineers.
Conclusion: Since our approach supports the precise specification and analysis of security threats, threat scenarios and their mitigations, it also supports decision making and the analysis of compliance with standards.
2018-04-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/4893 info:doi/10.1016/j.infsof.2018.04.007 https://ink.library.smu.edu.sg/context/sis_research/article/5896/viewcontent/Modeling___PV.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Information Security Software Engineering
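The Method paragraph describes misuse case and mitigation templates that make the artifacts analyzable, and an automated check that reports inconsistencies among them. The following is an added illustration written for this record, not the authors' tool or code from the paper: the template fields (threatens, mitigates, steps), the restricted step phrasing, and the healthcare-style sample artifacts are all assumptions, and the checks are plain structural rules over the templates rather than the paper's NLP-based analysis. It shows the kind of cross-artifact defect such a check can surface: a misuse case drawn in the diagram but never specified, a specified misuse case missing from the diagram, a step that does not follow the template, a mitigation pointing at an unknown misuse case, and a threat left without any mitigation.

```python
"""Consistency checks over structured misuse-case and mitigation templates.

Added illustration, not code from the paper: the field names, the keyword
set and the sample artifacts below are assumptions constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Assumed restricted phrasing: every flow step names its actor in one of these
# forms so that an automated parser can anchor on it.
STEP_PATTERN = re.compile(r"^(The system|The malicious actor|The user) ")


@dataclass
class MisuseCase:
    name: str
    threatens: str                 # use case named in the misuse-case template
    steps: list = field(default_factory=list)


@dataclass
class Mitigation:
    name: str
    mitigates: str                 # misuse case the mitigation scheme counters
    scheme: str


@dataclass
class Model:
    use_cases: set
    diagram_threatens: dict        # diagram edges: misuse case -> threatened use case
    misuse_cases: list
    mitigations: list


def check_consistency(model):
    """Return a list of human-readable inconsistency reports (empty means consistent)."""
    issues = []
    spec_names = {m.name for m in model.misuse_cases}
    diagram_names = set(model.diagram_threatens)

    # 1. Diagram and specifications must describe the same set of misuse cases.
    for name in sorted(diagram_names - spec_names):
        issues.append(f"misuse case '{name}' is in the diagram but has no specification")
    for name in sorted(spec_names - diagram_names):
        issues.append(f"misuse case '{name}' is specified but missing from the diagram")

    for mc in model.misuse_cases:
        # 2. The threatened use case must exist.
        if mc.threatens not in model.use_cases:
            issues.append(f"'{mc.name}' threatens unknown use case '{mc.threatens}'")
        # 3. The diagram edge and the template field must agree.
        drawn = model.diagram_threatens.get(mc.name)
        if drawn is not None and drawn != mc.threatens:
            issues.append(f"'{mc.name}' threatens '{mc.threatens}' in its specification "
                          f"but '{drawn}' in the diagram")
        # 4. Template conformance: each step must use the restricted phrasing.
        for i, step in enumerate(mc.steps, 1):
            if not STEP_PATTERN.match(step):
                issues.append(f"'{mc.name}' step {i} does not follow the step template: {step!r}")

    # 5. Every mitigation targets a known misuse case, and every misuse case is mitigated.
    mitigated = set()
    for mit in model.mitigations:
        if mit.mitigates not in spec_names:
            issues.append(f"mitigation '{mit.name}' references unknown misuse case '{mit.mitigates}'")
        mitigated.add(mit.mitigates)
    for name in sorted(spec_names - mitigated):
        issues.append(f"misuse case '{name}' has no mitigation")
    return issues


def sample_model():
    """Constructed wearable-health example with deliberate defects for the checker to find."""
    return Model(
        use_cases={"Upload Health Data", "View Health Report"},
        diagram_threatens={
            "Sniff Health Data": "Upload Health Data",
            "Replay Upload": "Upload Health Data",
            "Spoof Clinician": "View Health Report",     # drawn, but never specified
        },
        misuse_cases=[
            MisuseCase("Sniff Health Data", "Upload Health Data",
                       ["The user uploads the daily health data.",
                        "The malicious actor captures the traffic on the local network.",
                        "The malicious actor reads the health data."]),
            MisuseCase("Replay Upload", "Upload Health Data",
                       ["The malicious actor resends a captured upload.",
                        "Data is accepted as new."]),         # violates the step template
            MisuseCase("Tamper Report", "View Health Report",  # specified, but not in the diagram
                       ["The malicious actor alters the report in transit."]),
        ],
        mitigations=[
            Mitigation("Encrypt Transport", "Sniff Health Data",
                       "Uploads use TLS with server certificate pinning."),
            Mitigation("Nonce Per Upload", "Replay Upload",
                       "The server rejects uploads whose nonce was already seen."),
            Mitigation("Sign Report", "Spoof Clinician",      # target has no specification
                       "Reports carry a server signature that the app verifies."),
        ],
    )


if __name__ == "__main__":
    for issue in check_consistency(sample_model()):
        print("INCONSISTENCY:", issue)
```

On the constructed sample the checker reports five inconsistencies; the unmitigated "Tamper Report" finding is the one that matters most for compliance arguments, since a threat with no mitigation is exactly what a standards reviewer would ask about.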
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Information Security
Software Engineering
format text
author MAI, Phu Xuan
GOKNIL, Arda
SHAR, Lwin Khin
PASTORE, Fabrizio
BRIAND, Lionel
SHAAME, Shaban
title Modeling security and privacy requirements: A use case-driven approach
publisher Institutional Knowledge at Singapore Management University
publishDate 2018
url https://ink.library.smu.edu.sg/sis_research/4893
https://ink.library.smu.edu.sg/context/sis_research/article/5896/viewcontent/Modeling___PV.pdf