Risk and Argument: A Risk-based Argumentation Method for Practical Security

V. Nunes Leal Franqueira; Thein Tan Tun; Yijun Yu; Roelf J. Wieringa; Bashar Nuseibeh

doi:10.1109/RE.2011.6051659

Risk and Argument: A Risk-based Argumentation Method for Practical Security

V. Nunes Leal Franqueira, Thein Tan Tun, Yijun Yu, Roelf J. Wieringa, Bashar Nuseibeh

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

33 Citations (Scopus)

241 Downloads (Pure)

Abstract

When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and threats from potential attackers. In earlier work, Haley et al. [1] showed structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information, and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of PIN Entry Device.

Original language	Undefined
Title of host publication	Proceedings of the 19th IEEE International Requirements Engineering Conference
Place of Publication	USA
Publisher	IEEE
Pages	239-248
Number of pages	10
ISBN (Print)	978-1-4577-0924-1
DOIs	https://doi.org/10.1109/RE.2011.6051659
Publication status	Published - Jun 2011
Event	19th IEEE International Requirements Engineering Conference, RE 2011 - Trento, Italy Duration: 29 Aug 2011 → 2 Sept 2011

Publication series

Name
Publisher	IEEE Computer Society

Conference

Conference	19th IEEE International Requirements Engineering Conference, RE 2011
Country/Territory	Italy
City	Trento
Period	29/08/11 → 2/09/11

Keywords

SCS-Services
EWI-20128
RISK ASSESSMENT
Security Requirements
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Weakness Enumeration (CWE)
Argumentation
IR-77543
METIS-279152

Access to Document

10.1109/RE.2011.6051659

Cite this

@inproceedings{bd7d02367b6b4099bde578bdfa744f90,

title = "Risk and Argument: A Risk-based Argumentation Method for Practical Security",

abstract = "When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and threats from potential attackers. In earlier work, Haley et al. [1] showed structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information, and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of PIN Entry Device.",

keywords = "SCS-Services, EWI-20128, RISK ASSESSMENT, Security Requirements, Common Attack Pattern Enumeration and Classification (CAPEC), Common Weakness Enumeration (CWE), Argumentation, IR-77543, METIS-279152",

author = "{Nunes Leal Franqueira}, V. and Tun, {Thein Tan} and Yijun Yu and Wieringa, {Roelf J.} and Bashar Nuseibeh",

note = "Distinguished Paper Award; 19th IEEE International Requirements Engineering Conference, RE 2011 ; Conference date: 29-08-2011 Through 02-09-2011",

year = "2011",

month = jun,

doi = "10.1109/RE.2011.6051659",

language = "Undefined",

isbn = "978-1-4577-0924-1",

publisher = "IEEE",

pages = "239--248",

booktitle = "Proceedings of the 19th IEEE International Requirements Engineering Conference",

address = "United States",

}

Nunes Leal Franqueira, V, Tun, TT, Yu, Y, Wieringa, RJ & Nuseibeh, B 2011, Risk and Argument: A Risk-based Argumentation Method for Practical Security. in Proceedings of the 19th IEEE International Requirements Engineering Conference. IEEE, USA, pp. 239-248, 19th IEEE International Requirements Engineering Conference, RE 2011, Trento, Italy, 29/08/11. https://doi.org/10.1109/RE.2011.6051659

TY - GEN

T1 - Risk and Argument: A Risk-based Argumentation Method for Practical Security

AU - Nunes Leal Franqueira, V.

AU - Tun, Thein Tan

AU - Yu, Yijun

AU - Wieringa, Roelf J.

AU - Nuseibeh, Bashar

N1 - Distinguished Paper Award

PY - 2011/6

Y1 - 2011/6

N2 - When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and threats from potential attackers. In earlier work, Haley et al. [1] showed structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information, and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of PIN Entry Device.

AB - When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and threats from potential attackers. In earlier work, Haley et al. [1] showed structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information, and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of PIN Entry Device.

KW - SCS-Services

KW - EWI-20128

KW - RISK ASSESSMENT

KW - Security Requirements

KW - Common Attack Pattern Enumeration and Classification (CAPEC)

KW - Common Weakness Enumeration (CWE)

KW - Argumentation

KW - IR-77543

KW - METIS-279152

U2 - 10.1109/RE.2011.6051659

DO - 10.1109/RE.2011.6051659

M3 - Conference contribution

SN - 978-1-4577-0924-1

SP - 239

EP - 248

BT - Proceedings of the 19th IEEE International Requirements Engineering Conference

PB - IEEE

CY - USA

T2 - 19th IEEE International Requirements Engineering Conference, RE 2011

Y2 - 29 August 2011 through 2 September 2011

ER -