Argumentation-Based Security Requirements Elicitation: The Next Round

Dan Ionita, Jan-Willem Bullee, Roelf J. Wieringa

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    11 Citations (Scopus)
    12 Downloads (Pure)

    Abstract

    Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.
    Original languageUndefined
    Title of host publicationProceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)
    Place of PublicationPiscataway, New Jersey
    PublisherIEEE
    Pages7-12
    Number of pages7
    ISBN (Print)978-1-4799-6340-9
    DOIs
    Publication statusPublished - 25 Aug 2014
    EventIEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE 2014), Karlskrona, Sweden: Proceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) -
    Duration: 25 Aug 2014 → …

    Publication series

    Name
    PublisherIEEE Computer Society

    Conference

    ConferenceIEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE 2014), Karlskrona, Sweden
    Period25/08/14 → …

    Keywords

    • CR-D.2.1
    • EWI-25041
    • SCS-Cybersecurity
    • METIS-306018
    • EC Grant Agreement nr.: FP7/318003
    • IR-92050
    • EC Grant Agreement nr.: FP7/2007-2013

    Cite this