Argumentation-Based Security Requirements Elicitation: The Next Round

Dan Ionita; Jan-Willem Bullee; Roelf J. Wieringa

doi:10.1109/ESPRE.2014.6890521

Argumentation-Based Security Requirements Elicitation: The Next Round

Dan Ionita, Jan-Willem Bullee, Roelf J. Wieringa

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

10 Citations (Scopus)

1 Downloads (Pure)

Abstract

Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.

Original language	Undefined
Title of host publication	Proceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)
Place of Publication	Piscataway, New Jersey
Publisher	IEEE Computer Society
Pages	7-12
Number of pages	7
ISBN (Print)	978-1-4799-6340-9
DOIs	https://doi.org/10.1109/ESPRE.2014.6890521
Publication status	Published - 25 Aug 2014
Event	IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE 2014), Karlskrona, Sweden: Proceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) - Duration: 25 Aug 2014 → …

Publication series

Name
Publisher	IEEE Computer Society

Conference

Conference	IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE 2014), Karlskrona, Sweden
Period	25/08/14 → …

Keywords

CR-D.2.1
EWI-25041
SCS-Cybersecurity
METIS-306018
EC Grant Agreement nr.: FP7/318003
IR-92050
EC Grant Agreement nr.: FP7/2007-2013

Access to Document

10.1109/ESPRE.2014.6890521

http://eprints.eemcs.utwente.nl/secure2/25041/01/Argumentations-support_for_Security_Requirements.pdf

Cite this

@inproceedings{caf42346b3ef44d69f7ecd72492a11f7,

title = "Argumentation-Based Security Requirements Elicitation: The Next Round",

abstract = "Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.",

keywords = "CR-D.2.1, EWI-25041, SCS-Cybersecurity, METIS-306018, EC Grant Agreement nr.: FP7/318003, IR-92050, EC Grant Agreement nr.: FP7/2007-2013",

author = "Dan Ionita and Jan-Willem Bullee and Wieringa, {Roelf J.}",

note = "Foreground = 90%; Type of activity = workshop; Main leader = UT; Type of audience = scientific community; Size of audience = 25; Countries addressed = international;; null ; Conference date: 25-08-2014",

year = "2014",

month = aug,

day = "25",

doi = "10.1109/ESPRE.2014.6890521",

language = "Undefined",

isbn = "978-1-4799-6340-9",

publisher = "IEEE Computer Society",

pages = "7--12",

booktitle = "Proceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)",

address = "United States",

}

Ionita, D, Bullee, J-W & Wieringa, RJ 2014, Argumentation-Based Security Requirements Elicitation: The Next Round. in Proceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE). IEEE Computer Society, Piscataway, New Jersey, pp. 7-12, IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE 2014), Karlskrona, Sweden, 25/08/14. https://doi.org/10.1109/ESPRE.2014.6890521

Argumentation-Based Security Requirements Elicitation: The Next Round. / Ionita, Dan; Bullee, Jan-Willem; Wieringa, Roelf J.

Proceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE). Piscataway, New Jersey : IEEE Computer Society, 2014. p. 7-12.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Argumentation-Based Security Requirements Elicitation: The Next Round

AU - Ionita, Dan

AU - Bullee, Jan-Willem

AU - Wieringa, Roelf J.

N1 - Foreground = 90%; Type of activity = workshop; Main leader = UT; Type of audience = scientific community; Size of audience = 25; Countries addressed = international;

PY - 2014/8/25

Y1 - 2014/8/25

N2 - Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.

AB - Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.

KW - CR-D.2.1

KW - EWI-25041

KW - SCS-Cybersecurity

KW - METIS-306018

KW - EC Grant Agreement nr.: FP7/318003

KW - IR-92050

KW - EC Grant Agreement nr.: FP7/2007-2013

U2 - 10.1109/ESPRE.2014.6890521

DO - 10.1109/ESPRE.2014.6890521

M3 - Conference contribution

SN - 978-1-4799-6340-9

SP - 7

EP - 12

BT - Proceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)

PB - IEEE Computer Society

CY - Piscataway, New Jersey

Y2 - 25 August 2014

ER -