Identifying security requirements using the security quality requirements engineering (SQUARE) method

Integrating Security and Software Engineering: Advances and Future Visions

Volumn , Issue , 2006, Pages 44-69

  Mead, N R ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

EID: 84899324292     PISSN: None     EISSN: None     Source Type: Book    
DOI: 10.4018/978-1-59904-147-6.ch003     Document Type: Chapter

References (48)

1. Alberts, C., Dorofee, A., & Woody, C. (2004). Considering operational security risks during systems development. Proceedings of the Software Engineering Process Group 2004 Conference. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
2. Alexander, I. (2003). Misuse cases: Use cases with hostile intent. IEEE Software, 20, 58-66.
3. American Supplier Institute. (1987). Quality function deployment: A collection of presentations and QFD case studies. Dearborn, MI: American Supplier.
4. Bharadwaj, R. (2003). How to fake a rational design process using the SCR method. SEHAS'03 International Workshop on Software Engineering for High Assurance Systems. Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University.
5. th International Conference on Software Engineering (pp. 232-240). New York: ACM Press.
6. Checkland, P. (1989). An application of soft systems methodology. In Rational Analysis for a Problematic World (pp. 101-119). New York: John Wiley & Sons.
7. Chen, P., Mead, N. R., Dean, M., Lopez, L., Ojoko-Adams, D., Osman, H., & Xie, N. (2004). SQUARE methodology: Case study on asset management system (Rep. No. CMU/SEI-2004-SR-015). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/04.reports/04sr015.html
8. Conklin, J., & Begeman, M. L. (1988). gIBIS: A hypertext tool for exploratory policy discussion. ACM Transactions on Office Information Systems, 6, 303-331.
9. Cornford, S. L., Feather, M. S., & Hicks, K. A. (2004). DDP: A tool for life-cycle risk management. Retrieved November 9, 2005, from http://ddptool.jpl.nasa.gov/docs/f344d-slc.pdf
10. Firesmith, D. G. (2003). Security use cases. Journal of Object Technology, 2, 53-64.
11. Goguen, J. A., & Linde, C. (1993). Techniques for requirements elicitation. Proceedings of IEEE Requirements Engineering '93 (pp. 152-164).
12. Gordon, D., Mead, N. R., Stehney, T., Wattas, N., & Yu, E. (2005). System quality requirements engineering (SQUARE) methodology: Case study on asset management system, Phase II (Rep. No. CMU/SEI-2005-SR-005). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/05.reports/05sr005.html
13. Haimes, Y. (2004). Risk modeling, assessment, and management (Rev. ed.). Hoboken, NJ: John Wiley & Sons.
14. Heninger, K. L. (1980). Specifying software requirements for complex systems: New techniques and their application. IEEE Transactions on Software Engineering SE-6, 2-13.
15. Hubbard, R., Schroeder, C. N., & Mead, N. (2000). An assessment of the relative efficiency of a facilitator-driven requirements collection process with respect to the conventional interview method. ICRE 2000, 178-188.
16. INFOSEC Assessment Methodology. (2004). INFOSEC assurance training and rating program. Retrieved November 9, 2005, from http://www.iatrp.com/iam.cfm
17. Kang, K. C., Cohen, S. G., Hess, J. A., Novak, W. E., & Peterson, A. S. (1990). Featureoriented domain analysis (FODA) feasibility study (Rep. No. CMU/SEI-90-TR-021, ADA235785). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/90.reports/90.tr.021.html
18. Kunz, W., & Rittel, H. (1970). Issues as elements of information systems. Retrieved November 9, 2005 from http://www-iurd.ced.berkeley.edu/pub/WP-131.pdf
19. th International Workshop on Database and Expert Systems Applications. Berlin: Springer-Verlag.
20. Leiwo, J., Gamage, C., & Zheng, Y. (1999b). Organizational modeling for efficient specification of information security requirements. Advances in Databases and Information Systems: Third East European Conference, ADBIS'99 (pp. 247-260). Berlin: Springer-Verlag.
21. Linger, R. C., Mead, N. R., & Lipson, H. F. (1998). Requirements definition for survivable systems. Third International Conference on Requirements Engineering (pp. 14-23). Los Alamitos: IEEE Computer Society.
22. Lipson, H. F., Mead, N. R., & Moore, A. P. (2001). A risk-management approach to the design of survivable cots-based systems. Retrieved November 9, 2005, from http://www.cert.org/research/isw/isw2001/papers/Lipson-29-08-a.pdf
23. th Annual Computer Security Applications Conference (pp. 366-374). Los Alamitos: IEEE Computer Society Press.
24. th Annual Computer Security Applications Conference (pp. 55-64). Los Alamitos, CA: IEEE Computer Society Press.
25. th International Workshop on Requirements for High Assurance Systems, Kyoto, Japan.
26. Mead, N. R. (2002). Survivable systems analysis method. Retrieved November 9, 2005, from http://www.cert.org/archive/html/analysis-method.html
27. Mead, N. R. (2003). Requirements engineering for survivable systems (Rep. No. CMU/SEI-2003-TN-013). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/03.reports/03tn013.html
28. Mead, N. R., Hough, E., & Stehney, T. (2005a). Security quality requirements engineering (SQUARE) methodology (Rep. No. CMU/SEI-2005-TR-009). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/05.reports/05tr009.html
29. Mead, N. R., & Stehney, T. (2005b). Security quality requirements engineering (SQUARE) methodology. Paper presented at the meeting of the Software Engineering for Secure Systems (SESS05), ICSE 2005 International Workshop on Requirements for High Assurance Systems, St. Louis, MO.
30. Moore, A. P., Ellison, R. J., & Linger, R. C. (2001). Attack modeling for information security and survivability (Rep. No. CMU/SEI-2001-TN-001, ADA388771). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/01.reports/01tn001.html
31. th International Conference on Software Engineering. Los Alamitos: IEEE Computer Society Press.
32. National Institute of Standards and Technology (NIST). (2002). Software errors cost U.S. economy $59.5 billion annually (Rep. No. NIST 2002-10). Gaithersburg: National Institute of Standards and Technology. Retrieved November 9, 2005, from http://www.nist.gov/public_affairs/releases/n02-10.htm
33. th European Symposium on Research in Computer Security (pp. 67-84). Berlin: Springer-Verlag.
34. QFD Institute. (2005). Frequently asked questions about QFD. Retrieved November 9, 2005, from http://www.qfdi.org/what_is_qfd/faqs_about_qfd.htm
35. Sabatier, D., & Lartigue, P. (1999). The use of the B formal method for the design and validation of the transaction mechanism for smart card applications. In FM '99: World Congress on Formal Methods (Vol. 1, pp. 348-368). Berlin: Springer-Verlag.
36. Schiffrin, D. (1994). Approaches to discourse. Oxford: Blackwell.
37. Schneier, B. (2000). Secrets and lies: Digital security in a networked world. New York: John Wiley & Sons.
38. Sindre, G., & Opdahl, A. (2000). Eliciting security requirements by misuse cases. Proceedings of TOOLS Pacific 2000 (pp. 120-130). Los Alamitos: IEEE Computer Society Press.
39. Sindre, G., Opdahl, S., & Brevik, G. (2002). Generalization/specialization as a structuring mechanism for misuse cases. In SREIS 2002, Second Symposium on Requirements Engineering for Information Security. Lafayette: CERIAS.
40. Software Engineering Institute. (2004). International Workshop on Requirements for High Assurance Systems. Pittsburgh, PA: Carnegie Mellon University.
41. Soo Hoo, K., Sudbury, A. W., & Jaquith, A. R. (2001). Tangible ROI through secure software engineering. Secure Business Quarterly, 1.
42. Stoneburner, G., Goguen, A., & Feringa, A. (2002). Risk management guide for information technology systems (Rep. No. 800-30). Gaithersburg: National Institute of Standards and Technology. Retrieved November 9, 2005, from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
43. Systems Designers Scientific. (1985). CORE: The method. In CORE Manual, 1.0. Camberley: Pembroke House.
44. U.S. General Accounting Office. (1999). Information security risk assessment: Practices of leading organizations, a supplement to GAO's May 1998 executive guide on information security management. Washington, DC: U.S. General Accounting Office.
45. Wood, J., & Silver, D. (1989). Joint application design: How to design quality systems in 40% less time. New York: Wiley.
46. Woody, C. (2005). Eliciting and analyzing quality requirements: Management influences on software quality requirements (Rep. No. CMU/SEI-2005-TN-010). Pittsburgh, PA: Software Engineering Inst., Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/05.reports/05tn010.html
47. Woody, C, Hall, A., & Clark, J. (2004). Can secure systems be built using today's development processes? Panel presented at the European SEPG, London.
48. Xie, N., Mead, N. R., Chen, P., Dean, M., Lopez, L., Ojoko-Adams, D., & Osman, H. (2004). SQUARE project: Cost/benefit analysis framework for information security improvement projects in small companies (Rep. No. CMU/SEI-2004-TN-045). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University. Retrieved from http://www.sei.cmu.edu/publications/documents/04.reports/04tn045.html