Skip to main content
SpringerLink
Log in

Effectiveness and performance analysis of model-oriented security requirements engineering to elicit security requirements: a systematic solution for developing secure software systems

  • Regular Contribution
  • Published:
International Journal of Information Security Aims and scope Submit manuscript

Abstract

Software systems are becoming more and more critical in every domain of human society. These systems are used not only by corporates and governments, but also by individuals and across networks of organizations. The wide use of software systems has resulted in the need to contain a large amount of critical information and processes, which certainly need to remain secure. As a consequence, it is important to ensure that the systems are secure by considering security requirements at the early phases of software development life cycle. In this paper, we propose to consider security requirements as functional requirements and apply model-oriented security requirements engineering framework as a systematic solution to elicit security requirements for e-governance software systems. As the result, high level of security can be achieved by more coverage of assets and threats, and identifying more traces of vulnerabilities in the early stages of requirements engineering. This in turn will help to elicit effective security requirements as countermeasures with business requirements.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11

Similar content being viewed by others

References

  1. Balzarotti, D., Banks, G., Cova, M., Felmetsger, V., Kemmerer, R., Robertson, W., Valeur, F., Vigna, G.: Are your votes really counted? Testing the security of real-world electronic voting systems. In: ACM Proceedings of the international symposium on Software testing and analysis, pp. 237–248 (2008)

  2. Prosser, A., Kofler, R., Krimmer, R., Unger, M.K.: Security assets in E-voting. In: Proceedings of the 1st international workshop on electronic voting, pp. 171–180 (2004)

  3. Sindre, G., Firesmith, D.G., Opdahl, A.L.: A reuse-based approach to determining security requirements. In: Proceedings of 9th international workshop on requirements engineering: foundation for software quality, pp. 16–17 (2003)

  4. Viega, J., McGraw, G.: Building secure software. Addison-Wesley, Boston (2001)

    Google Scholar 

  5. Lipner, S., Howard, M.: The trustworthy computing security development life cycle. Microsoft Corporation. http://msdn.microsoft.com/en-us/library/ms995349.aspx (2005)

  6. Graham, D.: Introduction to the CLASP process. Build security. https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/requirements/548.html (2006)

  7. Mead, N.R., Houg, E.D., Stehney, T.R.: Security quality requirements engineering (SQUARE) methodology. Technical Report CMU/SEI-2005-TR-009, Software Engineering Institute, Carnegie Mellon University (2005)

  8. Haley, C.B., Laney, R., Moffett, J.D., Nuseibeh, B.: Security requirements engineering: a framework for representation and analysis. IEEE Trans. Softw. Eng. 34(1), 133–152 (2008)

    Article  Google Scholar 

  9. Mellado, D., Fernndez-Medina, E., Piattini, M.: A common criteria based security requirements engineering process for the development of secure information systems. Comput. Stand. Interfaces 29(2), 244–253 (2007)

    Article  Google Scholar 

  10. Mouratidis, H., Giorgini, P., Manson, G.: When security meets software engineering: a case of modeling secure information systems. J. Inf. Syst. 30(8), 609–629 (2005)

    Article  Google Scholar 

  11. Giorgini, P., Mouratidis, H., Zannone, N.: Modeling security and trust with secure tropos. Integrating security and software engineering: advances and future visions. IGI Global, Pennsylvania (2007)

    Google Scholar 

  12. Tndel, I.A., Jaatun, M.G., Meland, P.H.: Security requirements for the rest of US: a survey. IEEE Softw. 25(1), 20–27 (2008)

    Article  Google Scholar 

  13. Fernandez, E.B.: A methodology for secure software design. In: Proceedings of the international symposium, web services and applications. www.cse.fau.edu/~ed/EFLVSecSysDes1 (2004)

  14. Rosado, D.G., Gutirrez, C., Fernndez-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. Internet Res. 16(5), 519–536 (2006)

    Article  Google Scholar 

  15. Appel, A.W., Ginsburg, M., Hursti, H., Kernighan, B.W., Richards, C.D., Tan, G., Venetis, P.: The New Jersey voting-machine law suit and the AVC advantage DRE voting machine. EVT/WOTE09, Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (2009)

  16. Hursti, H.: Diebold TSx evaluation: critical security issues with diebold TSx. Black Box Voting. http://www.blackboxvoting.org/BBVtsxstudy.pdf (2006)

  17. Kohno, T., Stubbleeld, A., Rubin, A.D., Wallach, D.S.: Analysis of an electronic voting system. In: IEEE symposium on security and privacy. IEEE Computer Society, pp. 27–48 (2004)

  18. http://www.emarketer.com

  19. Mainichi newspaper. http://www.mainichi.co.jp (Japanese), June 24 (2002)

  20. A NASSCOM eGovernance study on issues, challenges and recommendations. www.egovreach.in/social/content/karnanataka-proposing-e-vote

  21. Caarls, S.: E-voting handbook: key steps in the implementation of E-enabled elections. Council of Europe, Strasbourg (2010)

    Google Scholar 

  22. Jefferson, D., Rubin, A.D., Simons, B., Wagner, D.: A security analysis of the secure electronic registration and voting experiment (SERVE). http://www.servesecurityreport.org/paper.pdf (2004)

  23. Feldman, A., Halderman, J., Felten, E.: Security analysis of the diebold AccuVote-TS voting machine. In: Proceedings of the USENIX/ACCURATE Electronic Voting Technology Workshop (2007)

  24. Lambrinoudakis, C., Kokolakis, S., Karyda, M., Tsoumas, V., Gritzalis, D., Katsikas, S.: Electronic voting systems: security implications of the administrative workow. In: Mark, V., Stepankova, O., Retschitzegger, W. (eds.) DEXA2003. LNCS, vol. 2736, p. 467. Springer, Heidelberg (2003)

    Google Scholar 

  25. Xenakis, A., Macintosh, A.: Procedural security analysis of electronic voting. In: Rauterberg, M. (ed.) ICEC2004. LNCS. Springer, Heidelberg (2004)

    Google Scholar 

  26. Xenakis, A., Macintosh, A.: Procedural security and social acceptance in E-voting. In: HICSS2005: Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS2005)-Track5, p. 118.1. IEEE Computer Society, Washington, DC, USA (2005)

  27. Manadhata, P., Wing, J., Flynn, M., McQueen, M.: Measuring the attack surfaces of two FTP daemons. In: QoP2006: Proceedings of the 2nd ACM workshop on Quality of protection, pp. 3–10. ACM Press, New York (2006)

  28. Howard, M., Pincus, J., Wing, J.: Measuring relative attack surfaces. Computer Security in the 21st Century, pp. 109–137, Springer, US (2005)

  29. Swiderski, F., Snyder, W.: Threat modeling. Microsoft Press, US (2004)

  30. Suleiman, H., Svetinovic, D.: Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: a case study using smart grid advanced metering infrastructure. Requirements engineering. Springer, Berlin (2012)

    Google Scholar 

  31. Salini, P., Kanmani, S.: Survey and analysis on security requirements engineering. Int. J. Comput. Electr. Eng. 38(3), 1785–1797 (2012)

    Article  Google Scholar 

  32. Salini, P., Kanmani, S.: A model based security requirements engineering framework. Int. J. Comput. Eng. Technol. 1(1), 180–195 (2010)

    Google Scholar 

  33. Salini, P., Kanmani, S.: A model based security requirements engineering framework applied for online trading system. In: Proceedings of IEEE international conference on recent trends in information technology, pp. 1195–1202 (2011)

  34. Salini, P., Kanmani, S.: Application of model oriented security requirements engineering framework for secure E-voting. In: Proceedings of CSI 6th international conference on software engineering, IEEE, pp. 1–6 (2012)

  35. Salini, P., Kanmani, S.: Security requirements engineering for specifying security requirements of an e-voting system as a legitimate solution to e-governance. Int. J. Wirel. Mobile Comput. 7(4), 400–413 (2014)

    Article  Google Scholar 

  36. Rubin, A.D.: Security considerations for remote electronic voting. Commun. ACM 45, 39–44 (2002)

    Article  Google Scholar 

  37. Smith, R.G.: The risks and benefits of electronic voting. In: 15th Australian Forum—Melbourne (2001)

  38. Weiss, M.: Modeling security patterns using NFR analysis. Information security and ethics: concepts, methodologies, tools, and applications. Idea Group Publishing, Pennsylvania (2008)

    Google Scholar 

  39. OWASP. https://www.owasp.org

  40. NVD. http://nvd.nist.gov/scap.cfm

  41. WASC. http://www.webappsec.org/

  42. CVSS. http://www.rst.org/cvss

Download references

Acknowledgments

We would like to acknowledge and thank the reviewers and the editors for their valuable comments and suggestions to improve our paper.

Author information

Authors and Affiliations

  1. Department of Computer Science and Engineering, Pondicherry Engineering College, Puducherry, India

    P. Salini

  2. Department of Information Technology, Pondicherry Engineering College, Puducherry, India

    S. Kanmani

Authors
  1. P. Salini
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. S. Kanmani
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to P. Salini.

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Salini, P., Kanmani, S. Effectiveness and performance analysis of model-oriented security requirements engineering to elicit security requirements: a systematic solution for developing secure software systems. Int. J. Inf. Secur. 15, 319–334 (2016). https://doi.org/10.1007/s10207-015-0305-x

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s10207-015-0305-x

Keywords

Search

Navigation