University of Leicester

Discovering "unknown known" security requirements

conference contribution
posted on 2016-08-09, 13:41 authored by Awais Rashid, Syed Asad Ali Naqvi, Rajiv Ramdhany, Matthew Edwards, Ruzanna Chitchyan, M. Ali Babar
Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves, leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of, the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.

History

Citation

Proceedings of the 38th International Conference on Software Engineering, Austin, TX, USA, May 2016, pp. 866-876

Author affiliation

/Organisation/COLLEGE OF SCIENCE AND ENGINEERING/Department of Computer Science

Source

ICSE '16 38th International Conference on Software Engineering, Austin, TX, USA — May 14 - 22, 2016

Version

  • AM (Accepted Manuscript)

Published in

Proceedings of the 38th International Conference on Software Engineering

Publisher

Association for Computing Machinery (ACM)

ISBN

978-1-4503-3900-1

Copyright date

2016

Available date

2016-08-09

Publisher version

http://dl.acm.org/citation.cfm?id=2884785&CFID=653626562&CFTOKEN=74503377

Temporal coverage: start date

2016-05-14

Temporal coverage: end date

2016-05-22

Language

en
