Abstract
Modeling results from risk assessment and the selection of safeguards is an important activity in information security management. Many approaches for this activity focus on an organizational perspective, are embedded in heavyweight processes and tooling, and require extensive preliminaries. We propose a lightweight approach introducing SeCoML – a readable language on top of an established methodology within an open framework. Utilizing standard tooling for creation, management and analysis of SeCoML models, our approach supports security engineering and integrates well in different environments. Also, we report on early experiences of the language’s use.
The work presented in this paper was partly developed in the context of the project Alliance Digital Product Flow (ADiWa) that is funded by the German Federal Ministry of Education and Research. Support code: 01IA08006F.
Copyright information
© 2011 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Eichler, J. (2011). Lightweight Modeling and Analysis of Security Concepts. In: Erlingsson, Ú., Wieringa, R., Zannone, N. (eds) Engineering Secure Software and Systems. ESSoS 2011. Lecture Notes in Computer Science, vol 6542. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19125-1_10
DOI: https://doi.org/10.1007/978-3-642-19125-1_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19124-4
Online ISBN: 978-3-642-19125-1
eBook Packages: Computer Science, Computer Science (R0)