Rights statement: © [Rashid et al.] [2016]. This is the authors' version of the work. It is posted here for your personal use. Not for redistribution. The definitive version was published in {ICSE'16}, http://dx.doi.org/10.1145/2884781.2884785
Available under license: CC BY: Creative Commons Attribution 4.0 International License
Research output: Contribution in Book/Report/Proceedings - With ISBN/ISSN › Conference contribution/Paper › peer-review
TY - GEN
T1 - Discovering “unknown known” security requirements
AU - Rashid, Awais
AU - Naqvi, Asad
AU - Ramdhany, Rajiv
AU - Edwards, Matthew
AU - Chitchyan, Ruzanna
AU - Ali Babar, Muhammad
PY - 2016/5/14
Y1 - 2016/5/14
N2 - Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.
AB - Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.
KW - Security requirements
KW - incident analysis
KW - grounded theory
U2 - 10.1145/2884781.2884785
DO - 10.1145/2884781.2884785
M3 - Conference contribution/Paper
SN - 9781450339001
SP - 866
EP - 876
BT - ICSE '16 Proceedings of the 38th International Conference on Software Engineering Austin, TX, May 14 - 22, 2016
PB - ACM
CY - New York
ER -