Skip to main content
SpringerLink
Log in

Systematic Asset Identification and Modeling During Requirements Engineering

  • Conference paper
  • First Online:
Risks and Security of Internet and Systems (CRiSIS 2019)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 12026))

Included in the following conference series:

  • 787 Accesses

Abstract

Risk management primarily targets the treatment of threats which might harm the assets of a system. Therefore, identifying such assets of a system and documenting them systematically in an asset model are the key activities in any risk management approach. Based on the ISO/IEC 27005 standard, the consideration of assets consists of two major activities: (i) asset identification, and (ii) asset valuation. However, despite the crucial role of asset identification and asset documentation, such documentation is often neglected during software development. In this paper, we aim to support security analysts in identifying and analyzing assets in the earliest stages of software development, i.e., during requirements engineering. Our contribution is two-fold: We first provide a conceptual model for assets that allows us to classify assets and to express the relations between assets. Second, we propose a method for a systematic identification of system assets and their documentation in an asset model. Our method is based on the functional requirements of software which are expressed by means of problem diagrams. We illustrate and evaluate our proposed approach by applying it to an application example from the smart home sector.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. ISO 27005:2011: Information technology – Security techniques – Information security risk management. Standard (2011)

    Google Scholar 

  2. Jackson, M.: Problem Frames: Analyzing and Structuring Software Development Problems. Addison-Wesley, Boston (2001)

    Google Scholar 

  3. Côté, I., Heisel, M., Schmidt, H., Hatebur, D.: UML4PF - a tool for problem-oriented requirements analysis. In: 19th IEEE International Conference on Requirements Engineering, pp. 349–350 (2011)

    Google Scholar 

  4. Meis, R.: Problem-based consideration of privacy-relevant domain knowledge. In: Hansen, M., Hoepman, J.-H., Leenes, R., Whitehouse, D. (eds.) Privacy and Identity 2013. IAICT, vol. 421, pp. 150–164. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55137-6_12

    Chapter  Google Scholar 

  5. RestAssured Consortium: D7.1 - RestAssured Security and Privacy Engineering Methodology (2018). https://restassuredh2020.eu/wp-content/uploads/2018/07/D7.1.pdf

  6. Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis - The CORAS Approach. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-12323-8

  7. Faßbender, S., Heisel, M., Meis, R.: Functional requirements under security PresSuRE. In: 9th International Conference on Software Paradigm Trends, pp. 5–16 (2014)

    Google Scholar 

  8. Wirtz, R., Heisel, M., Meis, R., Omerovic, A., Stølen, K.: Problem-based elicitation of security requirements - the ProCOR method. In: 13th International Conference Evaluation of Novel Approaches to Software Engineering, pp. 26–38 (2018)

    Google Scholar 

  9. Surridge, M., Nasser, B., Chen, X., Chakravarthy, A., Melas, P.: Run-time risk management in adaptive ICT systems. In: International Conference on Availability, Reliability and Security, pp. 102–110 (2013)

    Google Scholar 

  10. Asnar, Y., Li, T., Massacci, F., Paci, F.: Computer aided threat identification. In: 13th IEEE Conference on Commerce and Enterprise Computing, pp. 145–152 (2011)

    Google Scholar 

  11. Asnar, Y., Giorgini, P., Mylopoulos, J.: Goal-driven risk assessment in requirements engineering. Requirements Engineering 16(2), 101–116 (2011)

    Article  Google Scholar 

  12. Crook, R., Ince, D., Nuseibeh, B.: Security requirements engineering: when anti-requirements hit the fan. In: Proceedings of the IEEE Joint International Conference on Requirements Engineering, pp. 203–205 (2002)

    Google Scholar 

  13. van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: 26th International Conference on Software Engineering, pp. 148–157 (2004)

    Google Scholar 

  14. Haley, C., Laney, R., Moffett, J., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133–153 (2008)

    Article  Google Scholar 

  15. Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Requir. Eng. 15(1), 41–62 (2010)

    Article  Google Scholar 

  16. Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: 11th IEEE International Conference on Requirements Engineering, pp. 151–161 (2003)

    Google Scholar 

  17. Matulevičius, R., Mouratidis, H., Mayer, N., Dubois, E., Heymans, P.: Syntactic and semantic extensions to secure tropos to support security risk management. J. Univ. Comput. Sci. 18(6), 816–844 (2012)

    Google Scholar 

  18. Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)

    Google Scholar 

  19. Salehie, M., Pasquale, L., Omoronyia, I., Ali, R., Nuseibeh, B.: Requirements-driven adaptive security: protecting variable assets at runtime. In: 20th IEEE International Conference Requirements Engineering, pp. 111–120 (2012)

    Google Scholar 

  20. Mann, Z.Á., et al.: Secure data processing in the cloud. In: Mann, Z., Stolz, V. (eds.) ESOCC 2017. CCIS, vol. 824, pp. 149–153. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-79090-9_10

  21. Gol Mohammadi, N., Mann, Z.Á., Metzger, A., Heisel, M., Greig, J.: Towards an end-to-end architecture for run-time data protection in the cloud. In: 44th Euromicro Conference on Software Engineering and Advanced Applications, pp. 514–518 (2018)

    Google Scholar 

  22. Cheng, P., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: IEEE Symposium on Security and Privacy, pp. 222–230 (2007)

    Google Scholar 

  23. Covington, M.J., Long, W., Srinivasan, S., Dey, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: 6th ACM Symposium on Access Control Models and Technologies, pp. 10–20 (2001)

    Google Scholar 

Download references

Acknowledgment

This work received funding from the EU’s Horizon 2020 research and innovation programme under grant agreement 731678 (RestAssured).

Author information

Authors and Affiliations

  1. University of Duisburg-Essen, Duisburg, Germany

    Nazila Gol Mohammadi, Roman Wirtz & Maritta Heisel

Authors
  1. Nazila Gol Mohammadi
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Roman Wirtz
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Maritta Heisel
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Nazila Gol Mohammadi or Roman Wirtz .

Editor information

Editors and Affiliations

  1. ReDCAD, University of Sfax, Sfax, Tunisia

    Slim Kallel

  2. IMT Atlantique, Lab-STICC, Université Bretagne Loire, Rennes, France

    Frédéric Cuppens

  3. IMT Atlantique, Lab-STICC, Université Bretagne Loire, Rennes, France

    Nora Cuppens-Boulahia

  4. ReDCAD, University of Sfax, Sfax, Tunisia

    Ahmed Hadj Kacem

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Gol Mohammadi, N., Wirtz, R., Heisel, M. (2020). Systematic Asset Identification and Modeling During Requirements Engineering. In: Kallel, S., Cuppens, F., Cuppens-Boulahia, N., Hadj Kacem, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2019. Lecture Notes in Computer Science(), vol 12026. Springer, Cham. https://doi.org/10.1007/978-3-030-41568-6_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-41568-6_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41567-9

  • Online ISBN: 978-3-030-41568-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation