User Tools

Site Tools


evolving_security_requirements

Evolving Security Requirements

Requirements evolution are unavoidable for any life-long system due to changes in business objectives, regulations, standards, environment or threats. In many cases, these changes are not completely unknown. For instance, the ongoing discussion in a standard body might feature two or three proposals, albeit might not be clear which one will finally win. A possible solution to the challenges of requirements evolution is to choose a good design alternative that could still work when evolution happens to minimize the risk and maximize the benefit.

While many approaches have been proposed to perform the management or consistency checking on requirements evolution, there has been less effort on delivering an explicit modeling and reasoning framework to assist decision managers select a good design alternative. We need to capture what Loucopoulous and Kavakli [ER-99] identified as the knowledge about “what the current state is”, “where the desired state to-be is in the future”, and “alternative designs” for the desired future state. In this respect it is important to provide a sound quantitative analysis, which is one of the current weaknesses identified by Dalal et al. [CACM-04] of many existing approaches.

The Proposed Approach

We are working on a generic approach which tackles the fundamental issue of modeling and reasoning about requirements evolution to aid such decision making. The modeling support represents requirements evolution in terms of controllable and observable rules in which probability estimates can be accounted by using game-theoretic semantics. The reasoning support provides three quantitative metrics to identify which requirements must be implemented to guarantee the best chances of success (Max Belief) or minimize the risk of wasting money (Deferral Risk and Max Disbelief).

CASE Tool

We implement our approach in a CASE tool, called UNICORN. UNICORN is an Eclipse-based tool that aims to supports the modeling and reasoning on the uncertainty of requirements evolution. The tool provides graphical constructs as well as different views of requirements evolution to assist users to model requirements evolution. The reasoning facilitates the selection of design alternative. A technical overview of the tool can be found here.

People

The following is a list of people that has been involved in the project at some point in time.

Projects

This activity was supported by a number of project

  • NESSOS
  • SECURECHANGE

Publications

2012

  • Fabio Massacci, Deepa Nagaraj, Federica Paci, Le Minh Sang Tran and Alessandra Tedeschi. Assessing a Requirements Evolution Approach: Empirical Studies in the Air Traffic Management Domain. In Proceeding of the International Workshop on Empirical Requirements Engineering (EmpiRE 2012), co-located with RE 2012, September 25, 2012, Chicago, Illinois, USA.PDF

2011

  • L.M.S.Tran and F.Massacci. Dealing with Known Unknowns: Towards a Game-Theoretic Foundation for Software Requirement Evolution. In Proceeding of the 23rd International Conference on Advanced Information Systems Engineering (CAiSE'11) London, June 2011.PDF
  • L.M.S.Tran. Requirement Evolution: Towards a Methodology and Framework. In the CAiSE Doctoral Consortium 2011. London, June 2011. PDF

Talks and Tutorials

Software

evolving_security_requirements.txt · Last modified: 2021/01/29 10:58 (external edit)