TY - GEN
T1 - Argumentation-based security requirements analysis
T2 - 2014 IEEE International Conference on Internet of Things, iThings 2014, Collocated with 2014 IEEE International Conference on Cyber, Physical and Social Computing, CPSCom 2014 and 2014 IEEE International Conference on Green Computing and Communications, GreenCom 2014
AU - Kovacs, Andor
AU - Karakatsanis, Ioannis
AU - Svetinovic, Davor
N1 - Publisher Copyright:
© 2014 IEEE.
PY - 2014/3/12
Y1 - 2014/3/12
N2 - Developers have to ensure that their systems meet certain security requirements. Structured argumentation can be a powerful tool for developers to deal with system behavior, vulnerabilities, and threats. Haley's framework is based on construction of a context for the system, representing security requirements as constraints, and developing satisfaction arguments for the security requirements. Incomplete and uncertain information and limited resources force the developers to settle for good-enough security. Risk assessment in Security Argumentation (RISA) extends Haley's method with risk assessment. RISA uses publicly available catalogs of security expertise and most common attack patterns to support risk assessment. These catalogs provide valuable information to the assessment process and help the developers identify mitigations for security requirements satisfaction. RISA developers stated the most pressing issue of their future work is the validation of RISA. In previous studies, no validation of RISA framework has been done on a complex system. Hence, this work evaluates RISA framework by applying it to the security requirements analysis of the address generation module of the decentralized, peer-to-peer communication protocol Bit Message. In addition, based on this analysis, we suggest a new set of requirements to improve the security of the current Bit Message client version.
AB - Developers have to ensure that their systems meet certain security requirements. Structured argumentation can be a powerful tool for developers to deal with system behavior, vulnerabilities, and threats. Haley's framework is based on construction of a context for the system, representing security requirements as constraints, and developing satisfaction arguments for the security requirements. Incomplete and uncertain information and limited resources force the developers to settle for good-enough security. Risk assessment in Security Argumentation (RISA) extends Haley's method with risk assessment. RISA uses publicly available catalogs of security expertise and most common attack patterns to support risk assessment. These catalogs provide valuable information to the assessment process and help the developers identify mitigations for security requirements satisfaction. RISA developers stated the most pressing issue of their future work is the validation of RISA. In previous studies, no validation of RISA framework has been done on a complex system. Hence, this work evaluates RISA framework by applying it to the security requirements analysis of the address generation module of the decentralized, peer-to-peer communication protocol Bit Message. In addition, based on this analysis, we suggest a new set of requirements to improve the security of the current Bit Message client version.
KW - Requirements engineering
KW - Risk-based argumentation
KW - Security requirements
UR - http://www.scopus.com/inward/record.url?scp=84946693108&partnerID=8YFLogxK
U2 - 10.1109/iThings.2014.74
DO - 10.1109/iThings.2014.74
M3 - Conference contribution
AN - SCOPUS:84946693108
T3 - Proceedings - 2014 IEEE International Conference on Internet of Things, iThings 2014, 2014 IEEE International Conference on Green Computing and Communications, GreenCom 2014 and 2014 IEEE International Conference on Cyber-Physical-Social Computing, CPS 2014
SP - 408
EP - 414
BT - Proceedings - 2014 IEEE International Conference on Internet of Things, iThings 2014, 2014 IEEE International Conference on Green Computing and Communications, GreenCom 2014 and 2014 IEEE International Conference on Cyber-Physical-Social Computing, CPS 2014
PB - Institute of Electrical and Electronics Engineers Inc.
Y2 - 1 September 2014 through 3 September 2014
ER -