
Using trust assumptions with security requirements

  • Original Article
  • Journal: Requirements Engineering

Abstract

Assumptions are frequently made during requirements analysis of a system about the trustworthiness of its various components (including human components). These trust assumptions, whether implicit or explicit, affect the scope of the analysis, derivation of security requirements, and in some cases how functionality is realized. This paper presents trust assumptions in the context of analysis of security requirements. A running example shows how trust assumptions can be used by a requirements engineer to help define and limit the scope of analysis and to document the decisions made during the process. The paper concludes with a case study examining the impact of trust assumptions on software that uses the secure electronic transaction specification.



Notes

  1. For space reasons, we will not include any further long descriptions of the trust assumptions.

References

  1. ISO/IEC: Information Technology—Security Techniques—Evaluation Criteria for IT Security. Part 1: Introduction and general model. International Standard 15408–1, ISO/IEC, Geneva Switzerland, 1 Dec 1999

  2. Zave P (1997) Classification of research efforts in requirements engineering. ACM Comput Surv 29(4):315–321

  3. van Lamsweerde A (2000) Requirements engineering in the year 00: a research perspective. In: Proceedings of the 22nd international conference on software engineering (ICSE’00), 4–11 June 2000. IEEE Computer Society Press

  4. Greenspan SJ, Mylopoulos J, Borgida A (1982) Capturing more world knowledge in the requirements specification. In: Proceedings of the 6th international conference on software engineering (ICSE’82), Tokyo, 13–16 September 1982, pp 225–234

  5. Devanbu P, Stubblebine S (2000) Software engineering for security: a roadmap. In: Finkelstein A (ed) The future of software engineering. ACM Press, New York

  6. Firesmith DG (2003) Common concepts underlying safety, security, and survivability engineering. Technical Report CMU/SEI-2003-TN-033, Software Engineering Institute, Carnegie Mellon University, Pittsburgh

  7. Moffett JD, Haley CB, Nuseibeh B (2004) Core security requirements artefacts. Technical Report 2004/23, Department of Computing, The Open University, Milton Keynes

  8. Jackson M (1995) Software requirements and specifications. Addison Wesley, Reading

  9. Jackson M (2001) Problem frames. Addison Wesley, Reading

  10. Viega J, Kohno T, Potter B (2001) Trust (and mistrust) in secure applications. Commun ACM 44(2):31–36

  11. Thompson K (1984) Reflections on trusting trust. Commun ACM 27(8):761–763

  12. Haley CB, Laney RC, Nuseibeh B (2004) Deriving security requirements from crosscutting threat descriptions. In: Proceedings of the 3rd international conference on aspect-oriented software development (AOSD’04), Lancaster, 22–26 March 2004. ACM Press, New York, pp 112–121

  13. van Lamsweerde A (2001) Goal-oriented requirements engineering: a guided tour. In: Proceedings of the 5th IEEE international symposium on requirements engineering (RE’01), Toronto, 27–31 August 2001. IEEE Computer Society Press, pp 249–263

  14. Zave P, Jackson M (1997) Four dark corners of requirements engineering. Trans Softw Eng Method 6(1):1–30

  15. Chung L, Nixon B, Yu E, Mylopoulos J (2000) Non-functional requirements in software engineering. Kluwer, Dordrecht

  16. Gani A, Manson G, Giorgini P, Mouratidis H (2003) Analysing security requirements of information systems using Tropos. In: Proceedings of the 5th international conference on enterprise information systems (ICEIS’03), Angers, 23–26 April 2003

  17. Kotonya G, Sommerville I (1998) Requirements engineering: processes and techniques. Wiley, United Kingdom

  18. Pfleeger CP, Pfleeger SL (2002) Security in computing. Prentice Hall, Englewood Cliffs

  19. Grandison T, Sloman M (2003) Trust management tools for internet applications. In: Proceedings of the 1st international conference on trust management, vol 2692, Heraklion, Crete, 28–30 May 2003. Springer, Berlin Heidelberg New York

  20. Secure Electronic Transaction LLC: SET Secure Electronic Transaction Specification Book 1: Business description, version 1.0. Purchase NY, 31 May 1997

  21. Secure Electronic Transaction LLC: SET Secure Electronic Transaction Specification Book 2: Programmer’s guide, version 1.0. Purchase NY, 31 May 1997

  22. Secure Electronic Transaction LLC: SET Secure Electronic Transaction Specification Book 3: Formal protocol definition, version 1.0. Purchase NY, 31 May 1997

  23. Yu E (1997) Towards modelling and reasoning support for early-phase requirements engineering. In: Proceedings of the 3rd IEEE international symposium on requirements engineering (RE’97), Annapolis, 6–10 January 1997, pp 226–235

  24. Yu E, Liu L (2001) Modelling trust for system design using the i* strategic actors framework. In: Falcone R, Singh MP, Tan YH (eds) Trust in cyber-societies: integrating the human and artificial perspectives. Springer, Berlin Heidelberg New York, 15–16 October 2002, pp 175–194

  25. Liu L, Yu E, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. In: Proceedings of the 11th IEEE international requirements engineering conference (RE’03), Monterey Bay, 8–12 September 2003

  26. Castro J, Kolp M, Mylopoulos J (2001) A requirements-driven development methodology. In: Proceedings of the 13th conference on advanced information systems engineering (CAiSE’01), Interlaken, Switzerland, 4–8 June 2001, pp 108–123

  27. Fuxman A, Pistore M, Mylopoulos J, Traverso P (2001) Model checking early requirements specifications in Tropos. In: Proceedings of the 5th IEEE international symposium on requirements engineering, Toronto, pp 174–181

  28. Giorgini P, Massacci F, Mylopoulos J (2003) Requirement engineering meets security: a case study on modelling secure electronic transactions by VISA and Mastercard. In: Proceedings of the 22nd international conference on conceptual modeling, Chicago, 13–16 October 2003. Springer, Berlin Heidelberg New York, pp 263–276

  29. Giorgini P, Massacci F, Mylopoulos J, Zannone N (2004) Requirements engineering meets trust management: model, method, and reasoning. In: Proceedings of the 2nd international conference on trust management, Oxford, 28 March–1 April 2004. Lecture notes in computer science. Springer, Berlin Heidelberg New York

  30. Mouratidis H, Giorgini P, Manson G (2003) Integrating security and systems engineering: toward the modelling of secure information systems. In: Proceedings of the 15th conference on advanced information systems engineering (CAiSE’03), Klagenfurt/Velden, 6–10 June 2003. Springer, Berlin Heidelberg New York

  31. Gans G, Jarke M, Kethers S, Lakemeyer G, Ellrich L, Funken C, Meister M (2001) Requirements modeling for organization networks: a (dis)trust-based approach. In: Proceedings of the 5th IEEE international symposium on requirements engineering (RE’01), 27–31 August 2001. IEEE Computer Society Press, Toronto, pp 154–165

  32. Yu E, Cysneiros LM (2002) Designing for privacy and other competing requirements. In: Proceedings of the 2nd symposium on requirements engineering for information security (SREIS’02), Raleigh

  33. Dardenne A, van Lamsweerde A, Fickas S (1993) Goal-directed requirements acquisition. Sci Comput Program 20(1–2):3–50

  34. van Lamsweerde A, Letier E (2000) Handling obstacles in goal-oriented requirements engineering. IEEE Trans Softw Eng 26(10):978–1005

  35. van Lamsweerde A (2004) Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th international conference on software engineering (ICSE’04), Edinburgh, 26–28 May 2004, pp 148–157

  36. van Lamsweerde A, Brohez S, De Landtsheer R, Janssens D (2003) From system goals to intruder anti-goals: attack generation and resolution for security requirements engineering. In: Requirements for high assurance systems workshop (RHAS’03), 11th international requirements engineering conference (RE’03), Monterey, 8 September 2003

  37. He Q, Antón AI (2003) A framework for modeling privacy requirements in role engineering. In: Proceedings of the 9th international workshop on requirements engineering: foundation for software quality, the 15th conference on advanced information systems engineering (CAiSE’03), Klagenfurt/Velden, 16 June 2003

  38. Heitmeyer CL (2001) Applying ‘practical’ formal methods to the specification and analysis of security properties. In: Proceedings of the international workshop on information assurance in computer networks: methods, models, and architectures for network computer security (MMM ACNS 2001), vol 2052, St. Petersburg, 21–23 May 2001. Springer, Berlin Heidelberg New York, pp 84–89

  39. In H, Boehm BW (2001) Using WinWin quality requirements management tools: a case study. Ann Softw Eng 11(1):141–174

  40. Alexander I (2002) Initial industrial experience of misuse cases in trade-off analysis. In: Proceedings of the IEEE joint international conference on requirements engineering (RE’02), Essen, pp 61–68

  41. Alexander I (2002) Modelling the interplay of conflicting goals with use and misuse cases. In: Proceedings of 8th international workshop on requirements engineering: foundation for software quality (REFSQ’02), Essen, 9–10 September 2002, pp 145–152

  42. Sindre G, Opdahl AL (2000) Eliciting security requirements by misuse cases. In: Proceedings of the 37th international conference on technology of object-oriented languages and systems (TOOLS-Pacific’00), Sydney, 20–23 November 2000, pp 120–131

  43. McDermott J (2001) Abuse-case-based assurance arguments. In: Proceedings of the 17th computer security applications conference (ACSAC’01), New Orleans, 10–14 December 2001. IEEE Computer Society Press, pp 366–374

  44. McDermott J, Fox C (1999) Using abuse case models for security requirements analysis. In: Proceedings of the 15th computer security applications conference (ACSAC’99), Phoenix, 6–10 December 1999. IEEE Computer Society Press, pp 55–64

  45. Srivatanakul T, Clark JA, Polack F (2004) Writing effective security abuse cases. Technical Report YCS-2004–375, Department of Computer Science, University of York, York, 11 May 2004

  46. Lin L, Nuseibeh B, Ince D, Jackson M, Moffett J (2003) Introducing abuse frames for analyzing security requirements. In: Proceedings of the 11th IEEE international requirements engineering conference (RE’03), Monterey, 8–12 September 2003, pp 371–372

  47. Rashid A, Moreira AMD, Araújo J (2003) Modularisation and composition of aspectual requirements. In: Proceedings of the 2nd international conference on aspect-oriented software development (AOSD’03), Boston, 17–21 March 2003. ACM Press, New York, pp 11–20

  48. Rashid A, Sawyer P, Moreira AMD, Araújo J (2002) Early aspects: a model for aspect-oriented requirements engineering. In: Proceedings of the IEEE joint international conference on requirements engineering (RE’02), Essen, 9–13 September 2002, pp 199–202

  49. Brito I, Moreira A (2004) Integrating the NFR framework in a RE model. Presented at Early aspects 2004: aspect-oriented requirements engineering and architecture design (AORE’04), with the 3rd international conference on aspect-oriented software development (AOSD’04), Lancaster University, UK

  50. Lee J, Lai KY (1991) What’s in design rationale? Hum Comput Interact Spec Issue Design Rationale 6(3–4):251–280

  51. Buckingham Shum SJ (2003) The roots of computer supported argument visualization. In: Kirschner PA, Buckingham Shum SJ, Carr CS (eds) Visualizing argumentation: software tools for collaborative, educational sense-making. Springer, London, pp 3–24

  52. Potts C, Bruns G (1988) Recording the reasons for design decisions. In: Proceedings of the 10th international conference on software engineering (ICSE’88), Singapore. IEEE Computer Society, pp 418–427

  53. Burge JE, Brown DC (2004) An integrated approach for software design checking using design rationale. In: Gero JS (ed) Proceedings of the 1st international conference on design computing and cognition. Kluwer, Cambridge, pp 557–576

  54. Mylopoulos J, Borgida A, Jarke M, Koubarakis M (1990) Telos: representing knowledge about information systems. ACM Trans Inf Syst (TOIS) 8(4):325–362

  55. Ramesh B, Dhar V (1992) Supporting systems development by capturing deliberations during requirements engineering. IEEE Trans Softw Eng 18(6):498–510

  56. Fischer G, Lemke AC, McCall R, Morch A (1996) Making argumentation serve design. In: Moran T, Carroll J (eds) Design rationale: concepts, techniques, and use. Lawrence Erlbaum Associates, Mahwah, pp 267–293

  57. Finkelstein A, Fuks H (1989) Multiparty specification. In: Proceedings of the 5th international workshop on software specification and design, Pittsburgh, pp 185–195

  58. Haley CB, Laney RC, Nuseibeh B (2005) Arguing security: validating security requirements using structured argumentation. Technical Report 2005/04, Department of Computing, The Open University, Milton Keynes, 21 March 2005

  59. Haley CB, Laney RC, Moffett JD, Nuseibeh B (2004) The effect of trust assumptions on the elaboration of security requirements. In: Proceedings of the 12th international requirements engineering conference (RE’04), Kyoto, 6–10 September 2004. IEEE Computer Society Press, pp 102–111

  60. Haley CB, Laney RC, Moffett JD, Nuseibeh B (2004) Picking battles: the impact of trust assumptions on the elaboration of security requirements. In: Proceedings of the 2nd international conference on trust management (iTrust’04), vol 2995, St Anne’s College, Oxford, 29 March–1 April 2004. Lecture notes in computer science. Springer, Berlin Heidelberg New York, pp 347–354

Acknowledgements

The financial support of the Royal Academy of Engineering and the Leverhulme Trust is gratefully acknowledged, as is the EU for supporting the E-LeGI project, number IST-002205. Thanks also go to Michael Jackson for many insights about problem frames and requirements. This paper is a revised and extended version of [59] and [60].

Corresponding author

Correspondence to Charles B. Haley.

Cite this article

Haley, C.B., Laney, R.C., Moffett, J.D. et al. Using trust assumptions with security requirements. Requirements Eng 11, 138–151 (2006). https://doi.org/10.1007/s00766-005-0023-4

  • DOI: https://doi.org/10.1007/s00766-005-0023-4