Abstract
Risk management primarily targets the treatment of threats which might harm the assets of a system. Therefore, identifying such assets of a system and documenting them systematically in an asset model are the key activities in any risk management approach. Based on the ISO/IEC 27005 standard, the consideration of assets consists of two major activities: (i) asset identification, and (ii) asset valuation. However, despite the crucial role of asset identification and asset documentation, such documentation is often neglected during software development. In this paper, we aim to support security analysts in identifying and analyzing assets in the earliest stages of software development, i.e., during requirements engineering. Our contribution is two-fold: We first provide a conceptual model for assets that allows us to classify assets and to express the relations between assets. Second, we propose a method for a systematic identification of system assets and their documentation in an asset model. Our method is based on the functional requirements of software which are expressed by means of problem diagrams. We illustrate and evaluate our proposed approach by applying it to an application example from the smart home sector.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
ISO 27005:2011: Information technology – Security techniques – Information security risk management. Standard (2011)
Jackson, M.: Problem Frames: Analyzing and Structuring Software Development Problems. Addison-Wesley, Boston (2001)
Côté, I., Heisel, M., Schmidt, H., Hatebur, D.: UML4PF - a tool for problem-oriented requirements analysis. In: 19th IEEE International Conference on Requirements Engineering, pp. 349–350 (2011)
Meis, R.: Problem-based consideration of privacy-relevant domain knowledge. In: Hansen, M., Hoepman, J.-H., Leenes, R., Whitehouse, D. (eds.) Privacy and Identity 2013. IAICT, vol. 421, pp. 150–164. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55137-6_12
RestAssured Consortium: D7.1 - RestAssured Security and Privacy Engineering Methodology (2018). https://restassuredh2020.eu/wp-content/uploads/2018/07/D7.1.pdf
Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis - The CORAS Approach. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-12323-8
Faßbender, S., Heisel, M., Meis, R.: Functional requirements under security PresSuRE. In: 9th International Conference on Software Paradigm Trends, pp. 5–16 (2014)
Wirtz, R., Heisel, M., Meis, R., Omerovic, A., Stølen, K.: Problem-based elicitation of security requirements - the ProCOR method. In: 13th International Conference Evaluation of Novel Approaches to Software Engineering, pp. 26–38 (2018)
Surridge, M., Nasser, B., Chen, X., Chakravarthy, A., Melas, P.: Run-time risk management in adaptive ICT systems. In: International Conference on Availability, Reliability and Security, pp. 102–110 (2013)
Asnar, Y., Li, T., Massacci, F., Paci, F.: Computer aided threat identification. In: 13th IEEE Conference on Commerce and Enterprise Computing, pp. 145–152 (2011)
Asnar, Y., Giorgini, P., Mylopoulos, J.: Goal-driven risk assessment in requirements engineering. Requirements Engineering 16(2), 101–116 (2011)
Crook, R., Ince, D., Nuseibeh, B.: Security requirements engineering: when anti-requirements hit the fan. In: Proceedings of the IEEE Joint International Conference on Requirements Engineering, pp. 203–205 (2002)
van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models. In: 26th International Conference on Software Engineering, pp. 148–157 (2004)
Haley, C., Laney, R., Moffett, J., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133–153 (2008)
Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Requir. Eng. 15(1), 41–62 (2010)
Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: 11th IEEE International Conference on Requirements Engineering, pp. 151–161 (2003)
Matulevičius, R., Mouratidis, H., Mayer, N., Dubois, E., Heymans, P.: Syntactic and semantic extensions to secure tropos to support security risk management. J. Univ. Comput. Sci. 18(6), 816–844 (2012)
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)
Salehie, M., Pasquale, L., Omoronyia, I., Ali, R., Nuseibeh, B.: Requirements-driven adaptive security: protecting variable assets at runtime. In: 20th IEEE International Conference Requirements Engineering, pp. 111–120 (2012)
Mann, Z.Á., et al.: Secure data processing in the cloud. In: Mann, Z., Stolz, V. (eds.) ESOCC 2017. CCIS, vol. 824, pp. 149–153. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-79090-9_10
Gol Mohammadi, N., Mann, Z.Á., Metzger, A., Heisel, M., Greig, J.: Towards an end-to-end architecture for run-time data protection in the cloud. In: 44th Euromicro Conference on Software Engineering and Advanced Applications, pp. 514–518 (2018)
Cheng, P., Rohatgi, P., Keser, C., Karger, P.A., Wagner, G.M., Reninger, A.S.: Fuzzy multi-level security: an experiment on quantified risk-adaptive access control. In: IEEE Symposium on Security and Privacy, pp. 222–230 (2007)
Covington, M.J., Long, W., Srinivasan, S., Dey, A.K., Ahamad, M., Abowd, G.D.: Securing context-aware applications using environment roles. In: 6th ACM Symposium on Access Control Models and Technologies, pp. 10–20 (2001)
Acknowledgment
This work received funding from the EU’s Horizon 2020 research and innovation programme under grant agreement 731678 (RestAssured).
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Gol Mohammadi, N., Wirtz, R., Heisel, M. (2020). Systematic Asset Identification and Modeling During Requirements Engineering. In: Kallel, S., Cuppens, F., Cuppens-Boulahia, N., Hadj Kacem, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2019. Lecture Notes in Computer Science(), vol 12026. Springer, Cham. https://doi.org/10.1007/978-3-030-41568-6_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-41568-6_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41567-9
Online ISBN: 978-3-030-41568-6
eBook Packages: Computer ScienceComputer Science (R0)