Hdl Handle:
http://hdl.handle.net/10545/555820
Title:
Automated analysis of security requirements through risk-based argumentation
Authors:
Yu, Yijun (0000-0002-7154-8570); Franqueira, Virginia N. L. (0000-0003-1332-9115); Than Tun, Thein; Wieringa, Roel J.; Nuseibeh, Bashar
Abstract:
Computer-based systems are increasingly being exposed to evolving security threats, which often reveal new vulnerabilities. A formal analysis of the evolving threats is difficult due to a number of practical considerations such as incomplete knowledge about the design, limited information about attacks, and constraints on organisational resources. In our earlier work on RISA (RIsk assessment in Security Argumentation), we showed that informal risk assessment can complement the formal analysis of security requirements. In this paper, we integrate the formal and informal assessment of security by proposing a unified meta-model and an automated tool for supporting security argumentation called OpenRISA. Using a uniform representation of risks and arguments, our automated checking of formal arguments can identify relevant risks as rebuttals to those arguments, and identify mitigations from publicly available security catalogues when possible. As a result, security engineers are able to make informed and traceable decisions about the security of their computer-based systems. The application of OpenRISA is illustrated with examples from a PIN Entry Device case study.
Affiliation:
University of Derby
Citation:
Yu, Y. et al (2015) 'Automated analysis of security requirements through risk-based argumentation', Journal of Systems and Software, 106, pp.102-116. DOI: 10.1016/j.jss.2015.04.065
Publisher:
Elsevier
Journal:
Journal of Systems and Software
Issue Date:
Aug-2015
URI:
http://hdl.handle.net/10545/555820
DOI:
10.1016/j.jss.2015.04.065
Additional Links:
http://linkinghub.elsevier.com/retrieve/pii/S0164121215000850; http://www.sciencedirect.com/science/article/pii/S0164121215000850
Type:
Article
Language:
en
ISSN:
01641212
Appears in Collections:
Department of Electronics, Computing & Maths

Full metadata record

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | Yu, Yijun | en |
| dc.contributor.author | Franqueira, Virginia N. L. | en |
| dc.contributor.author | Than Tun, Thein | en |
| dc.contributor.author | Wieringa, Roel J. | en |
| dc.contributor.author | Nuseibeh, Bashar | en |
| dc.date.accessioned | 2015-05-26T14:38:12Z | en |
| dc.date.available | 2015-05-26T14:38:12Z | en |
| dc.date.issued | 2015-08 | en |
| dc.identifier.citation | Yu, Y. et al (2015) 'Automated analysis of security requirements through risk-based argumentation', Journal of Systems and Software, 106, pp.102-116. DOI: 10.1016/j.jss.2015.04.065 | en |
| dc.identifier.issn | 01641212 | en |
| dc.identifier.doi | 10.1016/j.jss.2015.04.065 | en |
| dc.identifier.uri | http://hdl.handle.net/10545/555820 | en |
| dc.description.abstract | Computer-based systems are increasingly being exposed to evolving security threats, which often reveal new vulnerabilities. A formal analysis of the evolving threats is difficult due to a number of practical considerations such as incomplete knowledge about the design, limited information about attacks, and constraints on organisational resources. In our earlier work on RISA (RIsk assessment in Security Argumentation), we showed that informal risk assessment can complement the formal analysis of security requirements. In this paper, we integrate the formal and informal assessment of security by proposing a unified meta-model and an automated tool for supporting security argumentation called OpenRISA. Using a uniform representation of risks and arguments, our automated checking of formal arguments can identify relevant risks as rebuttals to those arguments, and identify mitigations from publicly available security catalogues when possible. As a result, security engineers are able to make informed and traceable decisions about the security of their computer-based systems. The application of OpenRISA is illustrated with examples from a PIN Entry Device case study. | en |
| dc.language.iso | en | en |
| dc.publisher | Elsevier | en |
| dc.relation.url | http://linkinghub.elsevier.com/retrieve/pii/S0164121215000850 | en |
| dc.relation.url | http://www.sciencedirect.com/science/article/pii/S0164121215000850 | en |
| dc.rights | Archived with thanks to Journal of Systems and Software | en |
| dc.subject | Structured argumentation | en |
| dc.subject | Risk assessment | en |
| dc.subject | Security analysis | en |
| dc.title | Automated analysis of security requirements through risk-based argumentation | en |
| dc.type | Article | en |
| dc.contributor.department | University of Derby | en |
| dc.identifier.journal | Journal of Systems and Software | en |