Abstract
Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves, leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of, the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016 |
| Publisher | IEEE Computer Society |
| Pages | 866-876 |
| Number of pages | 11 |
| ISBN (Electronic) | 9781450339001, 9781450342056 |
| DOIs | |
| Publication status | Published - 14 May 2016 |
| Event | 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016 - Austin, United States. Duration: 14 May 2016 → 22 May 2016 |
Publication series
| Field | Value |
|---|---|
| Name | Proceedings - International Conference on Software Engineering |
| Volume | 14-22-May-2016 |
| ISSN (Print) | 0270-5257 |
Conference
| Field | Value |
|---|---|
| Conference | 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016 |
| Country/Territory | United States |
| City | Austin |
| Period | 14/05/16 → 22/05/16 |
Research Groups and Themes
- Cyber Security
- Bristol Interaction Group
Keywords
- Grounded theory
- Incident analysis
- Security requirements
Profiles
- Professor Ruzanna Chitchyan
  - School of Computer Science - Professor of Software Engineering for Sustainability
  - Bristol Poverty Institute
  - Cabot Institute for the Environment