Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment

Haruhiko Kaiya, Junya Sakai, Shinpei Ogata, Kenji Kaijiri
Copyright: © 2013 | Volume: 4 | Issue: 3 | Pages: 22
ISSN: 1947-3036 | EISSN: 1947-3044 | EISBN13: 9781466633919 | DOI: 10.4018/jsse.2013070103

Cite Article

MLA

Kaiya, Haruhiko, et al. "Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment." IJSSE vol.4, no.3 2013: pp.42-63. http://doi.org/10.4018/jsse.2013070103

APA

Kaiya, H., Sakai, J., Ogata, S., & Kaijiri, K. (2013). Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment. International Journal of Secure Software Engineering (IJSSE), 4(3), 42-63. http://doi.org/10.4018/jsse.2013070103

Chicago

Kaiya, Haruhiko, et al. "Eliciting Security Requirements for an Information System using Asset Flows and Processor Deployment," International Journal of Secure Software Engineering (IJSSE) 4, no.3: 42-63. http://doi.org/10.4018/jsse.2013070103


Abstract

The authors cannot comprehensively determine all of the vulnerabilities to an attack from requirements descriptions alone. To resolve this problem, the authors propose a method for eliciting security requirements using information about the system architecture. The authors convert a use-case description into a variation of a data flow diagram called an asset-flow diagram (AFD). The authors then refine the AFDs based on a processor deployment diagram (PDD), which gives information about the system architecture. By using vulnerability patterns for an attack, the authors distinguish the vulnerabilities to the attack that are identifiable in AFDs from the remaining vulnerabilities to the attack. To prohibit the former vulnerabilities, security requirements are defined as countermeasures and/or modifications of existing requirements. To prevent the latter vulnerabilities, security requirements are defined as design and implementation constraints. Through an evaluation of a web application, the authors show that their method enables them to elicit security requirements against several different attacks in different system architectures.
