Systematic Treatment of Security Risks during Requirements Engineering

Roman Wirtz, Maritta Heisel

Abstract

In recent years, a significant number of security breaches have been reported. A security breach can lead to value loss for stakeholders, not only financially but also in terms of reputation loss. The likelihood and consequnce of a scenario, impacting security of software, constitute a risk level. Risk management describes coordinated activities to identify, evaluate, and treat risks. Following the principle of security-by-design and treating risks as early as possible during software development, the costs can be reduced significantly. Based on our previous work to identify and evaluate risks, we aim to assist developers in treating risks in one of the earliest phases, i.e. during requirements engineering. To do so, we propose a stepwise method that allows selecting and documenting suitable countermeasures, i.e. controls. As input, it takes a requirements model and a CORAS security model. A distinguishing feature of our method is that we use patterns in the form of templates to evaluate the effectiveness of controls. Furthermore, we integrate the selected controls into the requirements model following an aspect-oriented approach. The resulting model can be used as input for the design phase, thus helping to create an architecture that considers security right from the beginning.

Download


Paper Citation


in Harvard Style

Wirtz R. and Heisel M. (2020). Systematic Treatment of Security Risks during Requirements Engineering.In Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE, ISBN 978-989-758-421-3, pages 132-143. DOI: 10.5220/0009397001320143


in Bibtex Style

@conference{enase20,
author={Roman Wirtz and Maritta Heisel},
title={Systematic Treatment of Security Risks during Requirements Engineering},
booktitle={Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE,},
year={2020},
pages={132-143},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0009397001320143},
isbn={978-989-758-421-3},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 15th International Conference on Evaluation of Novel Approaches to Software Engineering - Volume 1: ENASE,
TI - Systematic Treatment of Security Risks during Requirements Engineering
SN - 978-989-758-421-3
AU - Wirtz R.
AU - Heisel M.
PY - 2020
SP - 132
EP - 143
DO - 10.5220/0009397001320143