Discovering "unknown known" security requirements

Awais Rashid, Syed Asad Ali Naqvi, Rajiv Ramdhany, Matthew Edwards, Ruzanna Chitchyan, M. Ali Babar

Research output: Chapter in Book/Report/Conference proceeding > Conference Contribution (Conference Proceeding)

20 Citations (Scopus)


Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves, leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of, the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.

Original language: English
Title of host publication: Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016
Publisher: IEEE Computer Society
Number of pages: 11
ISBN (Electronic): 9781450339001, 9781450342056
Publication status: Published - 14 May 2016
Event: 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016 - Austin, United States
Duration: 14 May 2016 to 22 May 2016

Publication series

Name: Proceedings - International Conference on Software Engineering
ISSN (Print): 0270-5257

Conference: 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016
Country/Territory: United States

Structured keywords

  • Cyber Security

  • Grounded theory
  • Incident analysis
  • Security requirements

