Abstract
Traditionally, a security policy is defined from an informal set of requirements, generally written using natural language. It is then difficult to appreciate the compatibility degree of the manually generated security policy with the informal requirements definition. The idea of this paper is to automate the process of deriving the formal security policy, using a more structured specification of the security objectives issued by the administrator of the information system to be secured. We chose the goal-oriented methodology KAOS to express the functional objectives, then based on the results of a risk analysis, we integrate the security objectives to the obtained KAOS framework. Finally, through a process of transformation applied to this structured security objectives specification, we automatically generate the corresponding security policy. This policy is consistent with the access control model OrBAC (Organization Access Control).
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsPreview
Unable to display preview. Download preview PDF.
References
Alexander, I.: Misuse cases help to elicit non-functional requirements. Computing and Control Engineering Journal 14(1), 40–45 (2003)
Card, I., Profile, P.: Common Criteria for Information Technology Security Evaluation (2001)
Coatrieux, G., Maitre, H., Sankur, B.: Strict integrity control of biomedical images. In: Proceedings of SPIE
Cuppens, F., Cuppens-Boulahia, N.: Modeling contextual security policies. International Journal of Information Security 7(4), 285–305 (2008)
Cuppens, F., Cuppens-Boulahia, N., Miège, A.: Inheritance hierarchies in the Or-BAC model and application in a network environment. In: Second Foundations of Computer Security Workshop (FCS 2004), Turku, Finland (2004)
Cuppens, F., Miège, A.: Modelling contexts in the Or-BAC model. In: 19th Annual Computer Security Applications Conference, Las Vegas (2003)
Darimont, R., Van Lamsweerde, A.: Formal refinement patterns for goal-driven requirements elaboration. ACM SIGSOFT Software Engineering Notes 21
DCSSI: Expression des Besoins et Identification des Objectifs de Securite (February 2004), http://www.ssi.gouv.fr/IMG/pdf/ebiosv2-section1-introduction-2004-02-05.pdf (Online; accessed April 20, 2011)
Autrel, F., Cuppens, F., Cuppens-Boulahia, N., Coma, C.: Motorbac 2: a security policy tool. In: Third Joint Conference on Security in Networks Architectures and Security of Information Systems (SARSSI), Loctudy, France (2008)
Finkelstein, A., Dowell, J.: A Comedy of Errors: the London Ambulance Service case study. In: Proceedings of 8th International Workshop on Software Specification and Design (IWSSD-8),
Firesmith, D.: Security use cases. Technology 2
Herrmann, A., Paech, B.: Quality Misuse. In: Proceedings of the Fourteenth International Workshop on Requirements Engineering: Foundation of Software Quality
Johnson, J.: Chaos: The dollar drain of IT project failures. Application Development Trends 2
Jonker, W., Linnartz, J.: Digital rights management in consumer electronics products. IEEE Signal Processing Magazine 21
Laleau, R., Semmak, F., Matoussi, A., Petit, D., Hammad, A., Tatibouet, B.: A first attempt to combine SysML requirements diagrams and B. Innovations in Systems and Software Engineering (2010)
Letier, E.: Reasoning about agents in goal-oriented requirements engineering (2001)
Miller, M., Cox, I., Linnartz, J., Kalker, T.: A review of watermarking principles and practices. Digital Signal Processing for Multimedia Systems, 461–485 (1999)
Sa, R.I.: Objectiver: un atelier de gnie logiciel pour l’ingnierie des exigences (2004), http://www.objectiver.com
Sindre, G., Opdahl, A.: Templates for misuse case description. In: Proc. of the 7th International Workshop on Requirements Engineering, Foundation for Software Quality (REFSQ 2001), Citeseer (2001)
Ullman, J.D.: Principles of database and knowledge-base systems. Computer Science Press (1989)
Van Lamsweerde, A.: Elaborating security requirements by construction of intentional anti-models
Van Lamsweerde, A.: Goal-oriented requirements engineering: From system objectives to UML models to precise software specifications. In: Proceedings of the 25th International Conference on Software Engineering
Van Lamsweerde, A.: Goal-oriented requirements engineering: A guided tour. In: Proceedings of the 5th IEEE International Symposium on Requirements Engineering, p. 0249 (2001)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Graa, M. et al. (2012). Using Requirements Engineering in an Automatic Security Policy Derivation Process. In: Garcia-Alfaro, J., Navarro-Arribas, G., Cuppens-Boulahia, N., de Capitani di Vimercati, S. (eds) Data Privacy Management and Autonomous Spontaneus Security. DPM SETOP 2011 2011. Lecture Notes in Computer Science, vol 7122. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28879-1_11
Download citation
DOI: https://doi.org/10.1007/978-3-642-28879-1_11
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28878-4
Online ISBN: 978-3-642-28879-1
eBook Packages: Computer ScienceComputer Science (R0)