University of Limerick
Browse

Risk and arguments: a risk-based argumentation method for practical security

Download (339.39 kB)
conference contribution
posted on 2011-12-21, 15:59 authored by Virginia N.L. Franqueira, Thein Than Tun, Yijun Yu, Roel J. Wieringa, Bashar NuseibehBashar Nuseibeh
When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and the threats from potential attackers. In earlier work, Haley et al. [4] showed structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information, and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of PIN entry device.

History

Publication

19TH IEEE International Requirements Engineering Conference (RE'11);08/2011

Publisher

IEEE Computer Society

Note

non-peer-reviewed

Other Funding information

SFI, Secure Change Project Microsoft Software Engineering Innovative Foundation

Rights

“© 2011 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Language

English

Usage metrics

    University of Limerick

    Categories

    No categories selected

    Exports

    RefWorks
    BibTeX
    Ref. manager
    Endnote
    DataCite
    NLM
    DC