Security requirements engineering: The si*modeling language and the Secure Tropos methodology

Studies in Computational Intelligence

Volumn 265, Issue , 2010, Pages 147-174

  Massacci, Fabio ^a   Mylopoulos, John ^a   Zannone, Nicola ^b  

^a UNIVERSITY OF TRENTO   (Italy)

^b EINDHOVEN UNIVERSITY OF TECHNOLOGY   (Netherlands)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 73849097284     PISSN: 1860949X     EISSN: None     Source Type: Book Series    
DOI: 10.1007/978-3-642-05183-8_6     Document Type: Article

References (56)

1. AMICE Consortium: Open System Architecture for CIM. Springer, Heidelberg (1993)
2. Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, Chichester (2001)
3. Ashley, P., Hada, S., Karjoth, G., Powers, C., Schunter, M.: Enterprise Privacy Authorization Language (EPAL 1.1). Research Report 3485, IBM Research (2003), http://www.zurich.ibm.com/security/enterprise-privacy/epal
4. Asnar, Y., Bonato, R., Bryl, V., Compagna, L., Dolinar, K., Giorgini, P., Holtmanns, S., Klobucar, T., Lanzi, P., Latanicki, J., Massacci, F., Meduri, V., Porekar, J., Riccucci, C., Saidane, A., Seguran, M., Yautsiukhin, A., Zannone, N.: Security and privacy requirements at organizational level. Research report A1.D2.1, SERENITY consortium (2006)
5. Asnar, Y., Bonato, R., Giorgini, P., Massacci, F., Meduri, V., Riccucci, C., Saidane, A.: Secure and Dependable Patterns in Organizations: An Empirical Approach. In: Proc. of RE 2007, IEEE Press, Los Alamitos (2007)
6. Asnar, Y., Giorgini, P., Massacci, F., Zannone, N.: From Trust to Dependability through Risk Analysis. In: Proc. of ARES 2007, pp. 19-26. IEEE Press, Los Alamitos (2007)
7. Association of Certified Fraud Examiners: The 2006 report to the nation (2006)
8. Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security: from UML Models to Access Control Infrastructures. TOSEM 15(1), 39-91 (2006)
9. Bernus, P., Nemes, L.: A Framework to Define a Generic Enterprise Reference Architecture and Methodology. Computer Integrated Manufacturing Systems 9(3), 179-191 (1996)
10. Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: An Agent-Oriented Software Development Methodology. JAAMAS 8(3), 203-236 (2004)
11. Bryce, M., Associates: PRIDE-EEM Enterprise Engineering Methodology (2006), http://www.phmainstreet.com/mba/pride/eemeth.htm
12. Bryl, V., Massacci, F., Mylopoulos, J., Zannone, N.: Designing Security Requirements Models through Planning. In: Dubois, E., Pohl, K. (eds.) CAiSE 2006. LNCS, vol.4001, pp. 33-47. Springer, Heidelberg (2006)
13. Castelfranchi, C., Falcone, R.: Principles of trust for MAS: Cognitive anatomy, social importance and quantification. In: Proc. of ICMAS 1998, pp. 72-79. IEEE Press, Los Alamitos (1998)
14. Chung, L.K., Nixon, B.A., Yu, E.S.K.,Mylopoulos, J.: Non-Functional Requirements in Software Engineering. Kluwer Publishing, Dordrecht (2000)
15. Compagna, L., El Khoury, P., Massacci, F., Thomas, R., Zannone, N.: How to capture, communicate, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach. In: ICAIL 2007, pp. 149-154. ACM Press, New York (2007)
16. Cranor, L., Langheinrich, M., Marchiori, M., Reagle, J.: The Platform for Privacy Preferences 1.0 (P3P1.0) Specification. W3C Recommendation (2002), http://www.w3.org/TR/P3P/
17. Dardenne, A., van Lamsweerde, A., Fickas, S.: Goal-directed Requirements Acquisition. Sci. of Comp. Prog. 20, 3-50 (1993)
18. Dignum, V.: A model for organizational interaction: based on agents, founded in logic. Ph.D. thesis, Universiteit Utrecht (2004)
19. Doan, T., Demurjian, S., Ting, T.C., Ketterl, A.: MAC and UML for secure software design. In: Proc. of FMSE 2004, pp. 75-85. ACM Press, New York (2004)
20. Elahi, G., Yu, E.: A goal oriented approach for modeling and analyzing security tradeoffs. In: Parent, C., Schewe, K.-D., Storey, V.C., Thalheim, B. (eds.) ER 2007. LNCS, vol.4801, pp. 375-390. Springer, Heidelberg (2007)
21. Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Requirements Engineering for Trust Management: Model, Methodology, and Reasoning. Int. J. of Inform. Sec. 5(4), 257-274 (2006)
22. Giorgini, P., Massacci, F., Zannone, N.: Security and Trust Requirements Engineering. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2005. LNCS, vol.3655, pp. 237-272. Springer, Heidelberg (2005)
23. Guarda, P., Massacci, F., Zannone, N.: E-Government and On-line Services: Security and Legal Patterns. In: Proc. of MeTTeg 2007 (2007)
24. House of Lords: Prince Jefri Bolkiah vs KPMG. 1 All ER 517 (1999)
25. Hübner, J.F., Sichman, J.S., Boissier, O.: A Model for the Structural, Functional, and Deontic Specification of Organizations in Multiagent Systems. In: Bittencourt, G., Ramalho, G.L. (eds.) SBIA 2002. LNCS (LNAI), vol.2507, pp. 118-128. Springer, Heidelberg (2002)
26. Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)
27. Kiyavitskaya, N., Zannone, N.: Requirements Model Generation to Support Requirements Elicitation: The Secure Tropos Experience. In: ASE (2008)
28. Leone, N., Pfeifer, G., Faber, W., Eiter, T., Gottlob, G., Perri, S., Scarcello, F.: The DLV System for Knowledge Representation and Reasoning. TOCL 7(3), 499-562 (2006)
29. Li, N., Grosof, B.N., Feigenbaum, J.: Delegation logic: A logic-based approach to distributed authorization. TISSEC 6(1), 128-171 (2003)
30. Liu, L., Yu, E., Mylopoulos, J.: Analyzing Security Requirements as Relationships Among Strategic Actors. In: Proc. of SREIS 2002 (2002)
31. Liu, L., Yu, E.S.K., Mylopoulos, J.: Security and Privacy Requirements Analysis within a Social Setting. In: Proc. of RE 2003, pp. 151-161. IEEE Press, Los Alamitos (2003)
32. Massacci, F., Mylopoulos, J., Zannone, N.: Computer-Aided Support for Secure Tropos. ASE 14(3), 341-364 (2007)
33. Massacci, F., Mylopoulos, J., Zannone, N.: An Ontology for Secure Socio-Technical Systems. In: Handbook of Ontologies for Business Interaction, ch. XI. The IDEA Group (2008)
34. Massacci, F., Prest, M., Zannone, N.: Using a Security Requirements Engineering Methodology in Practice: The compliance with the Italian Data Protection Legislation. CSI 27(5), 445-455 (2005)
35. Massacci, F., Zannone, N.: AModel-Driven Approach for the Specification and Analysis of Access Control Policies. In: Meersman, R., Tari, Z. (eds.) OTM 2008, Part II. LNCS, vol.5332, pp. 1087-1103. Springer, Heidelberg (2008)
36. Massacci, F., Zannone, N.: Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank. In: Social Modeling for Requirements Engineering. MIT Press, Cambridge (2008) (to appear)
37. Mayer, R.C., Davis, J.H., Schoorman, F.D.: An integrative model of organizational trust. Acad. Management Rev. 20(3), 709-734 (1995)
38. McDermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Proc. of ACSAC 1999, pp. 55-66. IEEE Press, Los Alamitos (1999)
39. Moffett, J.D.: Control principles and role hierarchies. In: Proc. of RBAC 1998, pp. 63-69. ACM Press, New York (1998)
40. Mouratidis, H., Giorgini, P., Manson, G.: Integrating security and systems engineering: Towards the modelling of secure information systems. In: Eder, J., Missikoff, M. (eds.) CAiSE 2003. LNCS, vol.2681, pp. 63-78. Springer, Heidelberg (2003)
41. OASIS: eXtensible Access Control Markup Language (XACML) Version 2.0. OASIS Standard (2005)
42. Promontory Financial Group, Wachtell, Lipton, Rosen, Katz: Report to the Board and Directors of Allied Irish Bank P.L.C., Allfirst Financial Inc., and Allfirst Bank Concerning Currency Trading Losses (2003)
43. Ray, I., Li, N., France, R., Kim, D.K.: Using UML to visualize role-based access control constraints. In: Proc. of SACMAT 2004, pp. 115-124. ACM Press, New York (2004)
44. Robertson, S., Robertson, J.: Mastering the requirements process. ACM Press/Addison- Wesley Publishing Co. (1999)
45. Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-Based Access Control Models. IEEE Comp. 29(2), 38-47 (1996)
46. Schaad, A., Lotz, V., Sohr, K.: A model-checking approach to analysing organisational controls in a loan origination process. In: Proc. of SACMAT 2006, pp. 139-149. ACM Press, New York (2006)
47. Schaad, A., Moffett, J.: Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles. In: Proc. of SAC 2004, pp. 1380-1384. ACM Press, New York (2004)
48. Schumacher, M., Fernandez, E.B., Hybertson, D., Buschmann, F., Sommerlad, P.: Security Patterns - Integrating Security and Systems Engineering. JohnWiley & Sons, Chichester (2005)
49. Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. REJ 10(1), 34-44 (2005)
50. Stader, J.: Results of the Enterprise Project. In: Proc. of BSC SGES 1996 (1996)
51. van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: Proc. of ICSE 2004, pp. 148-157. IEEE Press, Los Alamitos (2004)
52. van Lamsweerde, A., Letier, E.: Handling Obstacles in Goal-Oriented Requirements Engineering. TSE 26(10), 978-1005 (2000)
53. Yu, E., Cysneiros, L.: Designing for Privacy and Other Competing Requirements. In: Proc. of SREIS 2002 (2002)
54. Yu, E.S.K.: Modelling strategic relationships for process reengineering. Ph.D. thesis, University of Toronto (1995)
55. Zannone, N.: A Requirements EngineeringMethodology for Trust, Security, and Privacy. Ph.D. thesis, University of Trento (2007)
56. Zave, P.: Classification of research efforts in requirements engineering. CSUR 29(4), 315-321 (1997).