DOI: 10.1145/3241403.3241459

Security tactics selection poker (TaSPeR): a card game to select security tactics to satisfy security requirements

Published: 24 September 2018

Abstract

Building secure software architectures requires taking several design decisions to achieve security requirements; these decisions must be revised carefully before agreement, given their impact on system vulnerability and mission readiness. Architects customarily take these decisions, drawing upon specialized knowledge such as architectural tactics for security; developers also hold key information on the actual performance of platforms and tools, but their input may not be systematically considered to this end. This article presents Security Tactics Selection Poker (TaSPeR), a card-game-based consensus-building technique (based on Planning Poker) that allows development team members to identify, argue for, and choose among architectural security tactics according to objectives and priorities. We conducted an experimental process involving twenty-one practitioners from a security software unit to assess the technique's effectiveness in several scenarios. Initial results show that TaSPeR (1) does support collaborative architectural decision-making, (2) encourages stakeholder participation, and (3) starts a group dynamic on how to act against threats. Thus, the use of gamification techniques for architecture evaluation seems to be a promising approach that deserves further exploration.



    Published In

    ECSA '18: Proceedings of the 12th European Conference on Software Architecture: Companion Proceedings
    September 2018, 325 pages
    ISBN: 9781450364836
    DOI: 10.1145/3241403

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery, New York, NY, United States


    Author Tags

    1. architectural tactics
    2. design decision
    3. security tactics
    4. selection tactics

    Qualifiers

    • Research-article

    Conference

    ECSA '18

    Acceptance Rates

    Overall Acceptance Rate 48 of 72 submissions, 67%

    Article Metrics

    • Downloads (Last 12 months)15
    • Downloads (Last 6 weeks)1
    Reflects downloads up to 05 Mar 2025


    Cited By

    • (2024) Enabling Design of Secure IoT Systems with Trade-Off-Aware Architectural Tactics. Sensors 24(22):7314. DOI: 10.3390/s24227314. Online publication date: 15 Nov 2024.
    • (2024) Gamified Security Tactics Through Digital Card Game Models. 2024 4th International Multidisciplinary Information Technology and Engineering Conference (IMITEC), pp. 48-55. DOI: 10.1109/IMITEC60221.2024.10850994. Online publication date: 27 Nov 2024.
    • (2023) Architectural tactics in software architecture. Journal of Systems and Software 197:C. DOI: 10.1016/j.jss.2022.111558. Online publication date: 13 Feb 2023.
    • (2020) Software Security Estimation Using the Hybrid Fuzzy ANP-TOPSIS Approach: Design Tactics Perspective. Symmetry 12(4):598. DOI: 10.3390/sym12040598. Online publication date: 9 Apr 2020.
    • (2019) Mitigating security threats through the use of security tactics to design secure cyber-physical systems (CPS). Proceedings of the 13th European Conference on Software Architecture - Volume 2, pp. 109-115. DOI: 10.1145/3344948.3344994. Online publication date: 9 Sep 2019.
    • (2019) Evaluating Impact of Experience in Architectural Design Decision-Making Techniques: An Experimental Study. 2019 38th International Conference of the Chilean Computer Science Society (SCCC), pp. 1-8. DOI: 10.1109/SCCC49216.2019.8966395. Online publication date: Nov 2019.
