Risk and Argument: A Risk-based Argumentation Method for Practical Security

V. Nunes Leal Franqueira, Thein Tan Tun, Yijun Yu, Roelf J. Wieringa, Bashar Nuseibeh

    Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

    28 Citations (Scopus)
    186 Downloads (Pure)

    Abstract

    When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and threats from potential attackers. In earlier work, Haley et al. [1] showed structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information, and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of PIN Entry Device.
    Original languageUndefined
    Title of host publicationProceedings of the 19th IEEE International Requirements Engineering Conference
    Place of PublicationUSA
    PublisherIEEE Computer Society
    Pages239-248
    Number of pages10
    ISBN (Print)978-1-4577-0924-1
    DOIs
    Publication statusPublished - Jun 2011
    Event19th IEEE International Requirements Engineering Conference, RE 2011 - Trento, Italy
    Duration: 29 Aug 20112 Sep 2011

    Publication series

    Name
    PublisherIEEE Computer Society

    Conference

    Conference19th IEEE International Requirements Engineering Conference, RE 2011
    CountryItaly
    CityTrento
    Period29/08/112/09/11

    Keywords

    • SCS-Services
    • EWI-20128
    • RISK ASSESSMENT
    • Security Requirements
    • Common Attack Pattern Enumeration and Classification (CAPEC)
    • Common Weakness Enumeration (CWE)
    • Argumentation
    • IR-77543
    • METIS-279152

    Cite this