Abstract
Requirements are inherently prone to conflicts, for they originate from stakeholders with different, often opposite, needs. Security requirements are no exception. Importantly, their violation leads to severe effects, including privacy infringement, legal sanctions, and exposure to security attacks. Today’s systems are Socio-Technical Systems (STSs): they consist of autonomous participants (humans, organisations, software) that interact to get things done. In STSs, security is not just a technical challenge, but it needs to consider the social components of STSs too. We have previously proposed STS-ml, a security requirements modelling language for STSs that expresses security requirements as contractual constraints over the interactions among STS participants. In this paper, we build on top of STS-ml and propose a framework that, via automated reasoning techniques, supports the identification and management of conflicts in security requirements models. We apply our framework to a case study about e-Government, and report on promising scalability results of our implementation.
Access provided by Autonomous University of Puebla. Download to read the full chapter text
Chapter PDF
Similar content being viewed by others
References
Bertino, E., Jajodia, S., Samarati, P.: A flexible authorization mechanism for relational data management systems. ACM Transactions on Information Systems 17(2), 101–140 (1999)
Dalpiaz, F., Paja, E., Giorgini, P.: Security requirements engineering via commitments. In: Proc. of STAST 2011, pp. 1–8 (2011)
De Landtsheer, R., van Lamsweerde, A.: Reasoning about confidentiality at requirements engineering time. In: Proc. of FSE 2005, pp. 41–49 (2005)
Elahi, G., Yu, E.: A goal oriented approach for modeling and analyzing security trade-offs. In: Parent, C., Schewe, K.-D., Storey, V.C., Thalheim, B. (eds.) ER 2007. LNCS, vol. 4801, pp. 375–390. Springer, Heidelberg (2007)
Finkelstein, A., Gabbay, D., Hunter, A., Kramer, J., Nuseibeh, B.: Inconsistency handling in multiperspective specifications. IEEE TSE 20(8), 569–578 (1994)
Fuxman, A., Pistore, M., Mylopoulos, J., Traverso, P.: Model checking early requirements specifications in tropos. In: Proc. of RE 2001, pp. 174–181 (2001)
Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: Proc. of RE 2005, pp. 167–176 (2005)
Giorgini, P., Mylopoulos, J., Nicchiarelli, E., Sebastiani, R.: Reasoning with goal models. In: Spaccapietra, S., March, S.T., Kambayashi, Y. (eds.) ER 2002. LNCS, vol. 2503, pp. 167–181. Springer, Heidelberg (2002)
Haley, C.B., Laney, R., Moffett, J.D., Nuseibeh, B.: Security requirements engineering: A framework for representation and analysis. IEEE TSE 34(1), 133–153 (2008)
Horkoff, J., Yu, E.: Finding solutions in goal models: An interactive backward reasoning approach. In: Parsons, J., Saeki, M., Shoval, P., Woo, C., Wand, Y. (eds.) ER 2010. LNCS, vol. 6412, pp. 59–75. Springer, Heidelberg (2010)
Kissel, R.: Glossary of key information security terms. Technical Report IR 7298 Rev 1, NIST (2011)
Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proc. of RE 2003, pp. 151–161 (2003)
Mouratidis, H., Giorgini, P.: Secure Tropos: A security-oriented extension of the tropos methodology. IJSEKE 17(2), 285–309 (2007)
Paja, E., Dalpiaz, F., Giorgini, P.: Identifying conflicts in security requirements with STS-ml. Technical Report DISI-12-041, University of Trento (2012)
Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: STS-Tool: socio-technical security requirements through social commitments. In: Proc. of RE 2012, pp. 331–332 (2012)
Shvaiko, P., Mion, L., Dalpiaz, F., Angelini, G.: The TasLab portal for collaborative innovation. In: Proc. of ICE 2010 (2010)
Trösterer, S., Beck, E., Dalpiaz, F., Paja, E., Giorgini, P., Tscheligi, M.: Formative user-centered evaluation of security modeling: Results from a case study. IJSSE 3(1), 1–19 (2012)
van Lamsweerde, A., Darimont, R., Letier, E.: Managing conflicts in goal-driven requirements engineering. IEEE TSE 24(11), 908–926 (1998)
Whitman, M.E., Mattord, H.J.: Principles of Information Security, 4th edn. Course Technology Press (2011)
Yu, E.: Modelling strategic relationships for process reengineering. PhD thesis, University of Toronto, Canada (1996)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Paja, E., Dalpiaz, F., Giorgini, P. (2013). Managing Security Requirements Conflicts in Socio-Technical Systems. In: Ng, W., Storey, V.C., Trujillo, J.C. (eds) Conceptual Modeling. ER 2013. Lecture Notes in Computer Science, vol 8217. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41924-9_23
Download citation
DOI: https://doi.org/10.1007/978-3-642-41924-9_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-41923-2
Online ISBN: 978-3-642-41924-9
eBook Packages: Computer ScienceComputer Science (R0)