01-12-2012, 11:53 AM
An Integrated Framework for Security and Dependability
An Integrated Framework.doc (Size: 25.5 KB / Downloads: 17)
Abstract:
This paper presents a framework for security requirements elicitation and analysis. The framework is based on constructing a context for the system, representing security requirements as constraints, and developing satisfaction arguments for the security requirements. The system context is described using a problem-oriented notation, then is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument consists of two parts: a formal argument that the system can meet its security requirements and a structured informal argument supporting the assumptions expressed in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context or that the context does not contain sufficient information to develop the argument. In this case, designers and architects are asked to provide additional design information to resolve the problems. We evaluate the framework by applying it to a security requirements analysis within an air traffic control technology evaluation project.
Existing System:
The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context or that the context does not contain sufficient information to develop the argument
In this case, designers and architects are asked to provide additional design information to resolve the problems
Proposed System:
We propose three contributions to assist with developing security requirements that satisfy these criteria
The first is a practical definition of security requirements, with yes/no satisfaction criteria within a system context.
The second is an explicit role for assumptions, concentrating on their place in security requirements satisfaction arguments.
The third is the use of formal and informal structured arguments to validate that a system can satisfy its security requirements.