Goal-Oriented Security Requirements Analysis for a System used in Several Different Activities

paper index | HOME

Title: Goal-Oriented Security Requirements Analysis for a System used in Several Different Activities
Author(s): Haruhiko Kaiya, Takao Okubo, Nobuyuki Kanaya, Yuji Suzuki, Shinpei Ogata, Kenji Kaijiri and Nobukazu Yoshioka.
Source: In Xavier Franch and Pnina Soffer, editors, Advanced Information Systems Engineering Workshops, Vol. 148 of Lecture Notes in Business Information Processing (LNBIP), pp. 478-489. Springer, The Third International Workshop on Information Systems Security Engineering - WISSE'13, June 18 2013, Valencia, Spain, in conjunction with the 25th International Conference on Advanced Information Systems Engineering (CAiSE'13).

Abstract:
Because an information system is used in different activities simultaneously today, we have to analyze usages of the system in the existing activities and to-be usages in an intended activity together. Especially, security aspects should be carefully analyzed because existing activities are not always secure. We propose a security requirements analysis method for resolving this problem. To take both existing and intended activities into account together, we integrate them on the basis of the unification of common actors. To explore possible attacks under integrated activities, we enumerate achievable attacks on the basis of the possible means in each actor with the help of security knowledge. To avoid or mitigate the attacks and to achieve fundamental goals, we disable some means or narrow down the means to be monitored with the help of propositional logic formulae. Through case studies on insurance business, we illustrated our idea.