Problem-Based Security Requirements Elicitation and Refinement with PresSuRE. Faßbender, S., Heisel, M., & Meis, R. In Software Technologies - 9th International Joint Conference, ICSOFT 2014, Vienna, Austria, August 29-31, 2014, Revised Selected Papers, volume 555 of Communications in Computer and Information Science, pages 311–330. Springer, 2015.
Recently published reports on cybercrime indicate an ever-increasing number of security incidents related to IT systems. Many attacks causing the incidents abuse (in)directly one or more security defects. Fixing the security defect once fielded is costly. To avoid the defects and the subsequent need to fix them, security has to be considered thoroughly when developing software. The earliest phase to do so is the requirements engineering, in which security threats should be identified early on and treated by defining sufficient security requirements. In a previous paper, we introduced a methodology for Problem-based Security Requirements Elicitation (PresSuRE). PresSuRE provides a computer-aided security threat identification. The identification is based on the functional requirements for a system-to-be. Still, there is a need for guidance on how to derive security requirements once the threats are identified. In this work, we provide such guidance extending PresSuRE and its tool support. We illustrate and validate our approach using a smart grid scenario provided by the industrial partners of the EU project NESSoS.
@INCOLLECTION{CCIS15b,
     author = {Fa{\ss}bender, Stephan and Heisel, Maritta and Meis, Rene},
   keywords = {Problem Frames, requirements elicitation, security analysis},
      title = {Problem-Based Security Requirements Elicitation and Refinement with PresSuRE},
  booktitle = {Software Technologies - 9th International Joint Conference, {ICSOFT} 2014, Vienna, Austria, August 29-31, 2014, Revised Selected Papers},
     series = {Communications in Computer and Information Science},
     volume = {555},
       year = {2015},
      pages = {311--330},
  publisher = {Springer},
        url = {http://dx.doi.org/10.1007/978-3-319-25579-8_18},
        doi = {10.1007/978-3-319-25579-8_18},
   abstract = {Recently published reports on cybercrime indicate an ever-increasing number of
security incidents related to IT systems. Many attacks causing the incidents
abuse (in)directly one or more security defects.
Fixing the security defect once fielded is costly. To avoid the defects and the
subsequent need to fix them, security has to be considered thoroughly when
developing software. The earliest phase to do so is the requirements
engineering, in which security threats should be identified early on and treated
by defining sufficient security requirements.
In a previous paper, we introduced a methodology for
Problem-based Security Requirements Elicitation (PresSuRE).
PresSuRE provides a computer-aided security threat identification. The
identification is based on the functional requirements for a system-to-be.
Still, there is a need for guidance on how to derive security requirements once
the threats are identified. In this work, we provide such guidance extending
PresSuRE and its tool support. We illustrate and validate our approach using a
smart grid scenario provided by the industrial partners of the EU project
NESSoS.}
}
