Abstract
In order to develop secure information systems with less development cost, it is important to elicit the requirements to security functions (simply security requirements) as early in their development process as possible. To achieve it, accumulated knowledge of threats and their objectives obtained from practical experiences is useful, and the technique to support the elicitation of security requirements utilizing this knowledge should be developed. In this paper, we present the technique for security requirements elicitation using practical knowledge of threats, their objectives and security functions realizing the objectives, which is extracted from Security Target documents compliant to the standard Common Criteria. We show the usefulness of our approach with several case studies.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
- 3.
- 4.
References
Common Criteria : New CC Portal. http://www.commoncriteriaportal.org/
Abe, T., Hayashi, S., Saeki, M.: Modeling security threat patterns to derive negative scenarios. In: Proceedings APSEC, pp. 58–66 (2013)
Elahi, G., Yu, E., Zannone, N.: A modeling ontology for integrating vulnerabilities into security requirements conceptual foundations. In: Proceeding of the ER, pp. 99–114 (2009)
Hernan, S., Lambert, S., Ostwald, T., Shostack, A.: Threat modeling: Uncover security design flaws using the STRIDE approach (2006). http://msdn.microsoft.com/en-us/magazine/cc163519.aspx
Kaiya, H., Sakai, J., Ogata, S., Kaijiri, K.: Eliciting security requirements for an information system using asset flows and processor deployment. IJSSE 4(3), 42–63 (2013)
Saeki, M., Kaiya, H.: Security requirements elicitation using method weaving and common criteria. In: Chaudron, M.R.V. (ed.) MODELS 2008. LNCS, vol. 5421, pp. 185–196. Springer, Heidelberg (2009)
Saeki, M., Hayashi, S., Kaiya, H.: Enhancing goal-oriented security requirements analysis using common criteria-based knowledge. IJSEKE 23(5), 695–720 (2013)
Taentzer, G.: AGG: A graph transformation environment for modeling and validation of software. In: Pfaltz, J.L., Nagl, M., Böhlen, B. (eds.) AGTIVE 2003. LNCS, vol. 3062, pp. 446–453. Springer, Heidelberg (2004)
Yoshioka, N., Washizaki, H., Maruyama, K.: A survey on security patterns. Prog. Inform. 5, 35–47 (2008)
Acknowledgments
This work was partly supported by JSPS Grants-in-Aid for Scientific Research (#15K00088).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Abe, T., Hayashi, S., Saeki, M. (2015). Modeling and Utilizing Security Knowledge for Eliciting Security Requirements. In: Jeusfeld, M., Karlapalem, K. (eds) Advances in Conceptual Modeling. ER 2015. Lecture Notes in Computer Science(), vol 9382. Springer, Cham. https://doi.org/10.1007/978-3-319-25747-1_24
Download citation
DOI: https://doi.org/10.1007/978-3-319-25747-1_24
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25746-4
Online ISBN: 978-3-319-25747-1
eBook Packages: Computer ScienceComputer Science (R0)