Reference : Modeling Security and Privacy Requirements: a Use Case-Driven Approach
Scientific journals : Article
Engineering, computing & technology : Computer science
http://hdl.handle.net/10993/35498
Modeling Security and Privacy Requirements: a Use Case-Driven Approach
English
Mai, Xuan Phu mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Göknil, Arda [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Shar, Lwin Khin [Nanyang Technological University > School of Computer Science and Engineering]
Pastore, Fabrizio mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Briand, Lionel mailto [University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > >]
Shaame, Shaban [Everdream Soft]
2018
Information and Software Technology
Elsevier Science
100
165-182
Yes (verified by ORBilu)
International
0950-5849
1873-6025
Amsterdam
Netherlands
[en] Context: Modern internet-based services, ranging from food-delivery to home-caring, leverage
the availability of multiple programmable devices to provide handy services tailored to end-user needs. These services are delivered through an ecosystem of device-specific software components and interfaces (e.g., mobile and wearable device applications). Since they often handle private information (e.g., location and health status), their security and privacy requirements are of crucial importance. Defining and analyzing those requirements is a significant challenge due to the multiple types of software components and devices integrated into software ecosystems. Each software component presents peculiarities that often depend on the context and the devices the component interact with, and that must be considered when dealing with security and privacy requirements. Objective: In this paper, we propose, apply, and assess a modeling method that supports the specification of security and privacy requirements in a structured and analyzable form. Our motivation is that, in many contexts, use cases are common practice for the elicitation of functional requirements and should also be adapted for describing security requirements. Method: We integrate an existing approach for modeling security and privacy requirements in terms of security threats, their mitigations, and their relations to use cases in a misuse case diagram. We introduce new security-related templates, i.e., a mitigation template and a misuse case template for specifying mitigation schemes and misuse case specifications in a structured and analyzable manner. Natural language processing can then be used to automatically report inconsistencies among artifacts and between the templates and specifications. Results: We successfully applied our approach to an industrial healthcare project and report lessons learned and results from structured interviews with engineers. Conclusion: Since our approach supports the precise specification and analysis of security threats, threat scenarios and their mitigations, it also supports decision making and the analysis of compliance to standards.
Fonds National de la Recherche - FnR ; European Research Council
Researchers ; Professionals ; Students ; General public ; Others
http://hdl.handle.net/10993/35498
10.1016/j.infsof.2018.04.007
https://www.sciencedirect.com/science/article/abs/pii/S0950584918300703
H2020 ; 694277 - TUNE - Testing the Untestable: Model Testing of Complex Software-Intensive Systems
FnR ; FNR11213850 > Lionel Briand > EDLAH 2 > Enhanced Daily Living and Health 2 – an incentive basedservice > 01/06/2016 > 30/11/2018 > 2015

File(s) associated to this reference

Fulltext file(s):

FileCommentaryVersionSizeAccess
Open access
Mai-IST-2018.pdfPublisher postprint2.01 MBView/Open

Bookmark and Share SFX Query

All documents in ORBilu are protected by a user license.