Discovering multidimensional correlations among regulatory requirements to understand risk

ACM Transactions on Software Engineering and Methodology

Volumn 20, Issue 4, 2011, Pages

  Gandhi, R A ^a   Lee, S W ^b  

^a UNIVERSITY OF NEBRASKA AT OMAHA   (United States)

^b UNIVERSITY OF NORTH CAROLINA AT CHARLOTTE   (United States)

Author keywords

Certification and accreditation; Knowledge engineering; Ontology based domain modeling; Requirements visualization; Risk; Software requirements engineering

Indexed keywords

ACCREDITATION PROCESS; CASCADING EFFECTS; CAUSAL CHAINS; CERTIFICATION AND ACCREDITATION; COMPUTATIONAL MODEL; DEPARTMENT OF DEFENSE; EMPIRICAL INVESTIGATION; MULTIPLE DIMENSIONS; NATURAL LANGUAGES; ONTOLOGY-BASED DOMAIN MODELING; PROBLEM DOMAIN; REGULATORY REQUIREMENTS; REQUIREMENTS VISUALIZATION; RISK-BASED; SECURE SYSTEM; SECURITY BREACHES; SECURITY CERTIFICATION; SECURITY CONSTRAINT; SOCIOTECHNICAL; SYSTEM OPERATION; VISUAL METAPHOR;

ACCREDITATION; INFORMATION TECHNOLOGY; KNOWLEDGE ENGINEERING; ONTOLOGY; REQUIREMENTS ENGINEERING; VISUALIZATION;

REGULATORY COMPLIANCE;

EID: 80053500161     PISSN: 1049331X     EISSN: 15577392     Source Type: Journal    
DOI: 10.1145/2000799.2000802     Document Type: Article

References (78)

1. AAGEDAL, J. O., DEN BRABER, F., DIMITRAKOS, T., GRAN, B. A., RAPTIS, D., AND STOLEN, K. 2002. Model-based risk assessment to improve enterprise security. In Proceedings of the 6th International Enterprise Distributed Object Computing Conference. 51-62.
2. ALBERTS, C. AND DOROFEE, A. 2001a. OCTAVE Criteria v2.0. Software Engineering Institute, Carnegie Mellon University.
3. ALBERTS, C. AND DOROFEE, A. 2001b. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVESM) Method Implementation Guide, v2.0. Software Engineering Institute, Carnegie Mellon University. http://www.cert.org/ octave/octavemethod.html.
4. ALEXANDER, I. 2003. Misuse cases: Use cases with hostile intent. IEEE Softw. 20, 1, 58-66.
5. ALSPAUGH, T. A. 2002. Scenario networks and formalization for scenario management. Ph.D. thesis, North Carolina State University.
6. ARMSTRONG, W.W., NAKAMURA, Y., AND RUDNICKI, P. 2002. Armstrong's axioms. J. Formaliz. Math. 14.
7. BAADER, F., CALVANESE, D., MCGUINESS, D., NARDI, D., AND PATEL-SCHNEIDER, P. 2002. The Description Logic Handbook: Theory, Implementation and Applications. Cambridge University Press, Cambridge, UK.
8. BASILI V. R., CALDIERA, G., AND ROMBACH, H. D. 1994. The goal question metric approach. http://wwwagse.informatik.uni-kl.de/pubs/repository/basili94b/ encyclo.gqm.pdf
9. BASKERVILLE, R. 1993. Information systems security design methods: Implications for information systems development. ACM Comput. Surv. 25, 4, 375-414.
10. BREAUX, T. D., VAIL, M. W., AND ANTON, A. I. 2006. Towards regulatory compliance: Extracting rights & obligations to align requirements with regulations. In Proceedings of the 14th International Conference on Requirements Engineering. 49-58.
11. BREAUX, T. D., ANTON, A. I., AND DOYLE, J. 2009. Semantic parameterization: A process for modeling domain descriptions. ACM Trans. Softw. Engin. Methodol.
12. BUCKSHAW, D. L., PARNELL, G. S., UNKENHOLZ, W. L., PARKS, D. L., WALLNER, J. M., AND SAYDJARI, O. S. 2005. Mission oriented risk and design analysis of critical information systems. Milit. Op. Resear. 10, 2.
13. BUTLER, S. A. 2002. Security attribute evaluation method: A cost benefit approach. In Proceedings of the 24th International Conference on Software Engineering. 232-240. (Pubitemid 35009113)
14. CHEW, E., SWANSON, M., STINE, K., BARTOL N., BROWN, A., AND ROBINSON, W. 2008. Performance Measurement Guide for Information Security. NIST Special Publication Series, SP 800-55 Rev 1.
15. CLEVELAND, W. S. 1985. The Elements of Graphing Data. Wadsworth Advanced Books and Software.
16. COMMON CRITERIA. 2006. Common criteria for information technology security evaluation: Part 1 Introduction and General Model, v3.1-rev 1.
17. CYSNEIROS, L. M. AND LEITE, J. C. S. P. 2004. Nonfunctional requirements: From elicitation to conceptual models. IEEE Trans. Softw. Engin. 30, 5.
18. DAVIS, T. 2005. Federal computer security report card grades of 2004. Press Release. Government Reform Committee.
19. DOD 5200.28-STD. 1985. Department of Defense trusted computer system evaluation criteria.
20. DOD 5200.40. 1997. Department of Defense information technology certification and accreditation (DITSCAP), 1997.
21. DOD 8510.01. 2007. Department of Defense information assurance certification and accreditation process (DIACAP) Instruction.
22. DODI 8500.2. 2003. IA implementation.
23. DONZELLI, P. AND BASILI, V. 2006. A practical framework for eliciting and modeling system dependability requirements: Experience from the NASA high dependability computing project. J. Syst. Softw. 79, 1, 107-119. (Pubitemid 43121112)
24. DUQUENNE, V. AND DAVIS, T. 2005. Duquenne, V. Contextual implications between attributes and some representational properties for finite lattices. Beitrage zur Begrisanalyse, B.I. Wissenschaftsverlag. 213-239.
25. EASTERBROOK, S. 1993. Domain modelling with hierarchies of alternative viewpoints. In Proceedings of the International Symposium on Requirements Engineering. 65-72.
26. ERNST AND YOUNG 2005. Report on the widening gap. 8th Annual Global Information Security Survey.
27. FEATHER, M. S. AND CORNFORD, S. L. 2003. Quantitative risk-based requirements reasoning. Require. Engin. J. 8, 4, 248-265. (Pubitemid 37554177)
28. GANTER, B. AND WILLE, R. 1996. Formal Concept Analysis. Springer.
29. GEER, D. 2003. Risk management is still where the money is. IEEE Computer 36, 12, 129-131.
30. GENTNER, D. 1983. Structure-mapping: A theoretical framework for analogy. Cogn. Sci. 7, 155-170.
31. GOOD, P. I. AND HARDIN, J. W. 2006. Common Errors in Statistics (and How to Avoid Them) 2nd Ed., Chapter 9, Page 135, Wiley-Interscience.
32. JACKSON, M. 1995. Software Requirements and Specifications: A Lexicon of Practice, Principles and Prejudices. Addison, Wesley.
33. JILANI, L. L., DESHARNAIS, J., AND MILI, A. 2001. Defining and applying measures of distance between specifications. IEEE Trans. Softw. Engin. 27, 8, 673-703. (Pubitemid 32829710)
34. JOHANSSON, E. AND JOHNSON, P. 2005. Assessment of enterprise information security: Estimating the credibility of the results. In Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS) at RE'05.
35. KALFOGLOU, Y., DASMAHAPATRA, S., AND CHEN-BURGER, J. 2004. FCA in knowledge technologies: Experiences and opportunities. In Proceedings of the 2nd International Conference on FCA. 252-260. (Pubitemid 38271480)
36. KIMBELL, J. AND WALRATH, M. 2001. Life Cycle Security and DITSCAP. In IANewsletter 4, 2. http://iac.dtic.mil/iatac.
37. KOTONYA, G. AND SOMMERVILLE, I. 1996. Requirements engineering with viewpoints. Softw. Engin. J. 11, 1, 5-18. (Pubitemid 126797083)
38. KRAMER, J. AND HAZZAN, O. 2006. The role of abstraction in software engineering. In Proceedings of the International Workshop on Role of Abstraction in Software Engineering at the 28th International Conference on Software Engineering, Shanghai. ACM, New York, NY, 1-2.
39. LEE S. W. AND GANDHI, R. A. 2005. Ontology-based active requirements engineering framework. In Proceedings of 12th Asia-Pacific Software Engineering Conference (APSEC'05), IEEE, 481-490.
40. LEE S. W. AND GANDHI, R. A. 2006. Requirements as enablers for software assurance. CrossTalk J. Def. Softw. Engin. 19, 12, 20-24. (Pubitemid 44878659)
41. LEE S. W. AND RINE, D. C. 2004a. Missing requirements and relationship discovery through proxy viewpoints model. Int. J. Informatics 3, 3, 315-342.
42. LEE S. W. AND RINE, D. C. 2004b. Case study methodology designed research in software engineering methodology validation. In Proceedings of 16th International Conference on Software Engineering and Knowledge Engineering. 117-122.
43. LEE S.W., MUTHURAJAN, D., GANDHI, R. A., YVAGAL, D., AND AHN, G. J. 2006. Building decision support problem domain ontology from natural language requirements for software assurance. Int. J. Engin 16, 6, 851-884. (Pubitemid 46181435)
44. LEE S. W., GANDHI, R. A., AND AHN, G. J. 2007a. certification process artifacts defined as measurable units for software assurance. Soft. Process: Improv. Pract. 12, 2, 165-189. (Pubitemid 46659453)
45. LEE S. W., GANDHI, R. A., WAGLE, S. J., AND MURTY, A. B. 2007b. r-AnalytiCA: Requirements analytics for certification & accreditation. In Proceedings of 15th IEEE International Requirements Engineering Conference Posters, Demos and Exhibits Session. 383-384.
46. LIN, L., YU, E., AND MYLOPOULOS, J. 2003. Security and privacy requirements analysis within a social setting. In Proceedings of the 11th International Conference on Requirements Engineering. 151-161.
47. LIN, L., NUSEIBEH, B., INCE, D., AND JACKSON, M. 2004. Using abuse frames to bound the scope of security problems. In Proceedings of the 12th International Conference on Requirements Engineering. 354-355. (Pubitemid 40498805)
48. MCDERMID, J. A. 2001. Software safety: Where's the evidence? In Proceedings of the 6th Australian Workshop on Safety Critical Systems and Software. Australia, 1-6.
49. MCDERMOTT, J. 2001. Abuse-case-based assurance arguments. In Proceedings of the 17th Computer Security Applications Conference. IEEE, 366-374.
50. MCGRAW, G. 2006. Software Security: Building Security. Addison-Wesley.
51. MEAD, N. R., HOUGH, E., AND STEHNEY, T. 2005. Security quality requirements Engineering (SQUARE) methodology. Tech. rep. (CMU/SEI-2005-TR-009), Software Engineering Institute, CarnegieMellonUniversity, Pittsburgh, PA.
52. MITCHELL, R. N. 2005. Using DITSCAP regulations to address HIPAA. Advance for Health Information Executives. http://health-information.advanceweb.com/ Editorial/Content/Editorial.aspx?CC=57412.
53. MOFFETT, J. D., HALEY, C. B., AND NUSEIBEH, B. A. 2004. Core security requirements artefacts. Tech. rep. 2004/23, Open University.
54. PELTIER, T. Facilitated Risk Assessment Process (FRAP). http://www.peltierassociates.com/.
55. PFLEEGER, C. P. AND PFLEEGER, S. L. 2003. Security in Computing 3rd Ed. Prentice-Hall.
56. PRUD'HOMMEAUX, E. AND SEABORNE, A. 2006. SPARQL Query Language for RDF. W3C Working Draft.
57. ROBINSON, W. N. AND PAWLOWSKI, S. 1998. Surfacing root requirements interactions from inquiry cycle requirements. In Proceedings of the 6th International Conference on Requirements Engineering. 82-89.
58. SALTER, C., SAYDJARI, O., SCHNEIER, B., AND WALLNER. J. 1998. Towards a secure system engineering methodology. In Proceedings of the New Security Paradigms Workshop.
59. SCHEDL, M., KNEES, P., AND WIDMER, G. 2005. Interactive poster: Using CoMIRVA for visualizing similarities between music artists. In Proceedings of the 16th IEEE Visualization Conference. 89.
60. SCHNEIER, B. 2000. Secrets and Lies: Digital Security in a Networked World. John Wiley & Sons, NY.
61. SIEMENS UK. 2005. Central Communication and Telecommunication Agency (CCTA) risk analysis and management method (CRAMM) Toolkit, Version 5.1. http://www.cramm.com/.
62. SINDRE, G. AND OPDAHL, A. 2000. Eliciting security requirements by misuse cases. In Proceedings of TOOLS Pacific. 120-130.
63. SOOHOO, K. J. 2000. How much is enough? A risk-management apporach to computer security. Tech. rep. Consortium for Research on Information Security and Policy (CRISP).
64. STONEBURNER, G., GOGUEN, A., AND FERINGA, A. 2002. Risk Management Guide for Information Technology Systems. NIST Special Publication Series, SP 800-30.
65. TONELLA, P. 2003. Using a concept lattice of decomposition slices for program understanding and impact analysis. IEEE Trans. Softw. Engin. 29, 6.
66. TONELLA, P. 2005. Reverse engineering of object-oriented code. In Proceedings of the 27th International Conference on Software Engineering.
67. US GAO 04-376. 2004. Agencies need to implement consistent processes in authorizing systems for operation. Report from The US Government Accountability Office.
68. US GAO 05-700. 2005. Department of homeland security needs to fully implement its security program. Report from The US Government Accountability Office.
69. US GAO 07-837. 2007. Despite reported progress, federal agencies need to address persistent weaknesses. Report from The US Government Accountability Office.
70. VAN LAMSWEERDE. 2004. Elaborating security requirements by construction of intentional anti-models. In Proceedings of the 26th International Conference on Software Engineering, 148-157.
71. VAUGHN, R. B., HENNING, R., AND SIRAJ, A. 2002. Information assurance measures and metrics - state of practice and proposed taxonomy. In Proceedings of the 36th Annual Hawaii International Conference on System Sciences. 331-340.
72. VERDON, D. AND MCGRAW, G. 2004. Risk analysis in software design. IEEE Secur. Priv. Mag. 2, 4, 79-84.
73. VOAS, J. 1999. Certifying software for high-assurance environments. IEEE Software 16, 4, 48-54.
74. WASSON, K. S. 2006. A case study in systematic improvement of language for requirements. In Proceedings of the 14th International Requirements Engineering Conference. 6-15. (Pubitemid 351424195)
75. WILLE, R. 1997. Conceptual graphs and formal concept analysis. In Proceedings of the International Conference on Conceptual Structures. 290-303. (Pubitemid 127103229)
76. WONG, P. C. AND THOMAS, J. 2004. Visual analytics. IEEE Comput. Graph. Appl. 24, 5, 20-21.
77. YIN, R. K. 1994. Case Study Research: Design andMethods 2nd Ed. Applied Social ResearchMethods Series, 5, Sage Publications.
78. YUDISTIRA, A., GIORGINI, P., AND MYLOPOULOS, J. 2006. Risk modelling and reasoning in goal models. DIT-06-008, University of Trento.