Security Requirements Engineering: The SI* Modeling Language and the Secure Tropos Methodology

  • Chapter
Advances in Intelligent Information Systems

Part of the book series: Studies in Computational Intelligence (SCI, volume 265)

Abstract

Security Requirements Engineering is an emerging field which lies at the crossroads of Security and Software Engineering. Much research has focused on this field in recent years, spurred by the realization that security must be dealt with in the earliest phases of the software development process as these phases cover a broader organizational perspective. Agent-oriented methodologies have proved to be especially useful in this setting as they support the modeling of the social context in which the system-to-be will operate. In our previous work, we proposed the SI* modeling language to deal with security and trust, and the Secure Tropos methodology for designing secure software systems. Since then, both have been revised and refined in light of experience gained from their application to several industry case studies. This chapter presents the consolidated versions of the SI* modeling language and the Secure Tropos methodology and recounts our experiences, explaining the practical and theoretical reasons behind each consolidation step.



Copyright information

© 2010 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Massacci, F., Mylopoulos, J., Zannone, N. (2010). Security Requirements Engineering: The SI* Modeling Language and the Secure Tropos Methodology. In: Ras, Z.W., Tsay, LS. (eds) Advances in Intelligent Information Systems. Studies in Computational Intelligence, vol 265. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05183-8_6

  • DOI: https://doi.org/10.1007/978-3-642-05183-8_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05182-1

  • Online ISBN: 978-3-642-05183-8

  • eBook Packages: Engineering, Engineering (R0)
