Abstract
Software systems are becoming more and more critical in every domain of human society. These systems are used not only by corporates and governments, but also by individuals and across networks of organizations. The wide use of software systems has resulted in the need to contain a large amount of critical information and processes, which certainly need to remain secure. As a consequence, it is important to ensure that the systems are secure by considering security requirements at the early phases of software development life cycle. In this paper, we propose to consider security requirements as functional requirements and apply model-oriented security requirements engineering framework as a systematic solution to elicit security requirements for e-governance software systems. As the result, high level of security can be achieved by more coverage of assets and threats, and identifying more traces of vulnerabilities in the early stages of requirements engineering. This in turn will help to elicit effective security requirements as countermeasures with business requirements.
Similar content being viewed by others
References
Balzarotti, D., Banks, G., Cova, M., Felmetsger, V., Kemmerer, R., Robertson, W., Valeur, F., Vigna, G.: Are your votes really counted? Testing the security of real-world electronic voting systems. In: ACM Proceedings of the international symposium on Software testing and analysis, pp. 237–248 (2008)
Prosser, A., Kofler, R., Krimmer, R., Unger, M.K.: Security assets in E-voting. In: Proceedings of the 1st international workshop on electronic voting, pp. 171–180 (2004)
Sindre, G., Firesmith, D.G., Opdahl, A.L.: A reuse-based approach to determining security requirements. In: Proceedings of 9th international workshop on requirements engineering: foundation for software quality, pp. 16–17 (2003)
Viega, J., McGraw, G.: Building secure software. Addison-Wesley, Boston (2001)
Lipner, S., Howard, M.: The trustworthy computing security development life cycle. Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms995349.aspx (2005)
Graham, D.: Introduction to the CLASP process. Build security. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/548.html (2006)
Mead, N.R., Houg, E.D., Stehney, T.R.: Security quality requirements engineering (SQUARE) methodology. Technical Report CMU/SEI-2005-TR-009, Software Engineering Institute, Carnegie Mellon University (2005)
Haley, C.B., Laney, R., Moffett, J.D., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133–152 (2008)
Mellado, D., Fernndez-Medina, E., Piattini, M.: A common criteria based security requirements engineering process for the development of secure information systems. Comput. Stand. Interfaces 29(2), 244–253 (2007)
Mouratidis, H., Giorgini, P., Manson, G.: When security meets software engineering: a case of modeling secure information systems. J. Inf. Syst. 30(8), 609–629 (2005)
Giorgini, P., Mouratidis, H., Zannone, N.: Modeling security and trust with secure tropos. Integrating security and software engineering: advances and future visions. IGI Global, Pennsylvania (2007)
Tndel, I.A., Jaatun, M.G., Meland, P.H.: Security requirements for the rest of US: a survey. IEEE Softw. 25(1), 20–27 (2008)
Fernandez, E.B.: A methodology for secure software design. In: Proceedings of the international symposium, web services and applications. www.cse.fau.edu/~ed/EFLVSecSysDes1 (2004)
Rosado, D.G., Gutirrez, C., Fernndez-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. Internet Res. 16(5), 519–536 (2006)
Appel, A.W., Ginsburg, M., Hursti, H., Kernighan, B.W., Richards, C.D., Tan, G., Venetis, P.: The New Jersey voting-machine law suit and the AVC advantage DRE voting machine. EVT/WOTE09, Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (2009)
Hursti, H.: Diebold TSx evaluation: critical security issues with diebold TSx. Black Box Voting. http://www.blackboxvoting.org/BBVtsxstudy.pdf (2006)
Kohno, T., Stubbleeld, A., Rubin, A.D., Wallach, D.S.: Analysis of an electronic voting system. In: IEEE symposium on security and privacy. IEEE Computer Society, pp. 27–48 (2004)
Mainichi newspaper. http://www.mainichi.co.jp (Japanese), June 24 (2002)
A NASSCOM eGovernance study on issues, challenges and recommendations. www.egovreach.in/social/content/karnanataka-proposing-e-vote
Caarls, S.: E-voting handbook: key steps in the implementation of E-enabled elections. Council of Europe, Strasbourg (2010)
Jefferson, D., Rubin, A.D., Simons, B., Wagner, D.: A security analysis of the secure electronic registration and voting experiment (SERVE). http://www.servesecurityreport.org/paper.pdf (2004)
Feldman, A., Halderman, J., Felten, E.: Security analysis of the diebold AccuVote-TS voting machine. In: Proceedings of the USENIX/ACCURATE Electronic Voting Technology Workshop (2007)
Lambrinoudakis, C., Kokolakis, S., Karyda, M., Tsoumas, V., Gritzalis, D., Katsikas, S.: Electronic voting systems: security implications of the administrative workow. In: Mark, V., Stepankova, O., Retschitzegger, W. (eds.) DEXA2003. LNCS, vol. 2736, p. 467. Springer, Heidelberg (2003)
Xenakis, A., Macintosh, A.: Procedural security analysis of electronic voting. In: Rauterberg, M. (ed.) ICEC2004. LNCS. Springer, Heidelberg (2004)
Xenakis, A., Macintosh, A.: Procedural security and social acceptance in E-voting. In: HICSS2005: Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS2005)-Track5, p. 118.1. IEEE Computer Society, Washington, DC, USA (2005)
Manadhata, P., Wing, J., Flynn, M., McQueen, M.: Measuring the attack surfaces of two FTP daemons. In: QoP2006: Proceedings of the 2nd ACM workshop on Quality of protection, pp. 3–10. ACM Press, New York (2006)
Howard, M., Pincus, J., Wing, J.: Measuring relative attack surfaces. Computer Security in the 21st Century, pp. 109–137, Springer, US (2005)
Swiderski, F., Snyder, W.: Threat modeling. Microsoft Press, US (2004)
Suleiman, H., Svetinovic, D.: Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: a case study using smart grid advanced metering infrastructure. Requirements engineering. Springer, Berlin (2012)
Salini, P., Kanmani, S.: Survey and analysis on security requirements engineering. Int. J. Comput. Electr. Eng. 38(3), 1785–1797 (2012)
Salini, P., Kanmani, S.: A model based security requirements engineering framework. Int. J. Comput. Eng. Technol. 1(1), 180–195 (2010)
Salini, P., Kanmani, S.: A model based security requirements engineering framework applied for online trading system. In: Proceedings of IEEE international conference on recent trends in information technology, pp. 1195–1202 (2011)
Salini, P., Kanmani, S.: Application of model oriented security requirements engineering framework for secure E-voting. In: Proceedings of CSI 6th international conference on software engineering, IEEE, pp. 1–6 (2012)
Salini, P., Kanmani, S.: Security requirements engineering for specifying security requirements of an e-voting system as a legitimate solution to e-governance. Int. J. Wirel. Mobile Comput. 7(4), 400–413 (2014)
Rubin, A.D.: Security considerations for remote electronic voting. Commun. ACM 45, 39–44 (2002)
Smith, R.G.: The risks and benefits of electronic voting. In: 15th Australian Forum—Melbourne (2001)
Weiss, M.: Modeling security patterns using NFR analysis. Information security and ethics: concepts, methodologies, tools, and applications. Idea Group Publishing, Pennsylvania (2008)
OWASP. https://www.owasp.org
CVSS. http://www.rst.org/cvss
Acknowledgments
We would like to acknowledge and thank the reviewers and the editors for their valuable comments and suggestions to improve our paper.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Salini, P., Kanmani, S. Effectiveness and performance analysis of model-oriented security requirements engineering to elicit security requirements: a systematic solution for developing secure software systems. Int. J. Inf. Secur. 15, 319–334 (2016). https://doi.org/10.1007/s10207-015-0305-x
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10207-015-0305-x