Home > Research > Publications & Outputs > Discovering “unknown known” security requirements

Electronic data

  • icse2016_rashid_etal

    Rights statement: © [Rashid et al.] [2016]. This is the authors' version of the work. It is posted here for your personal use. Not for redistribution. The definitive version was published in {ICSE'16}, http://dx.doi.org/10.1145/2884781.2884785

    Accepted author manuscript, 2.65 MB, PDF document

    Available under license: CC BY: Creative Commons Attribution 4.0 International License

Links

Text available via DOI:

View graph of relations

Discovering “unknown known” security requirements

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paper

Published

Standard

Discovering “unknown known” security requirements. / Rashid, Awais; Naqvi, Asad; Ramdhany, Rajiv; Edwards, Matthew; Chitchyan, Ruzanna; Ali Babar, Muhammad.

ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016. New York : ACM, 2016. p. 866-876.

Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSNConference contribution/Paper

Harvard

Rashid, A, Naqvi, A, Ramdhany, R, Edwards, M, Chitchyan, R & Ali Babar, M 2016, Discovering “unknown known” security requirements. in ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016. ACM, New York, pp. 866-876. https://doi.org/10.1145/2884781.2884785

APA

Rashid, A., Naqvi, A., Ramdhany, R., Edwards, M., Chitchyan, R., & Ali Babar, M. (2016). Discovering “unknown known” security requirements. In ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016 (pp. 866-876). ACM. https://doi.org/10.1145/2884781.2884785

Vancouver

Rashid A, Naqvi A, Ramdhany R, Edwards M, Chitchyan R, Ali Babar M. Discovering “unknown known” security requirements. In ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016. New York: ACM. 2016. p. 866-876 https://doi.org/10.1145/2884781.2884785

Author

Rashid, Awais ; Naqvi, Asad ; Ramdhany, Rajiv ; Edwards, Matthew ; Chitchyan, Ruzanna ; Ali Babar, Muhammad. / Discovering “unknown known” security requirements. ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016. New York : ACM, 2016. pp. 866-876

Bibtex

@inproceedings{3b0a49bbe3df49e6908277dc782511ed,
title = "Discovering “unknown known” security requirements",
abstract = "Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.",
keywords = "Security requirements, incident analysis, grounded theory",
author = "Awais Rashid and Asad Naqvi and Rajiv Ramdhany and Matthew Edwards and Ruzanna Chitchyan and {Ali Babar}, Muhammad",
year = "2016",
month = may
day = "14",
doi = "10.1145/2884781.2884785",
language = "English",
isbn = "9781450339001",
pages = "866--876",
booktitle = "ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016",
publisher = "ACM",

}

RIS

TY - GEN

T1 - Discovering “unknown known” security requirements

AU - Rashid, Awais

AU - Naqvi, Asad

AU - Ramdhany, Rajiv

AU - Edwards, Matthew

AU - Chitchyan, Ruzanna

AU - Ali Babar, Muhammad

PY - 2016/5/14

Y1 - 2016/5/14

N2 - Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.

AB - Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.

KW - Security requirements

KW - incident analysis

KW - grounded theory

U2 - 10.1145/2884781.2884785

DO - 10.1145/2884781.2884785

M3 - Conference contribution/Paper

SN - 9781450339001

SP - 866

EP - 876

BT - ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016

PB - ACM

CY - New York

ER -