Discovering "unknown known" security requirements

Awais Rashid; Syed Asad Ali Naqvi; Rajiv Ramdhany; Matthew Edwards; Ruzanna Chitchyan; M. Ali Babar

doi:10.1145/2884781.2884785

Discovering "unknown known" security requirements

Awais Rashid, Syed Asad Ali Naqvi, Rajiv Ramdhany, Matthew Edwards, Ruzanna Chitchyan, M. Ali Babar

Cabot Institute for the Environment

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

22 Citations (Scopus)

Abstract

Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoret-ical security models are available that provide best practice security guidelines and are widely utilised as a basis to iden-tify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the var-ious concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the the-oretical security models underpinning security requirements. In this paper, we present an approach to discover such un-known knowns through multi-incident analysis. The ap-proach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.

Original language	English
Title of host publication	Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016
Publisher	IEEE Computer Society
Pages	866-876
Number of pages	11
ISBN (Electronic)	9781450339001, 9781450342056
DOIs	https://doi.org/10.1145/2884781.2884785
Publication status	Published - 14 May 2016
Event	2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016 - Austin, United States Duration: 14 May 2016 → 22 May 2016

Publication series

Name	Proceedings - International Conference on Software Engineering
Volume	14-22-May-2016
ISSN (Print)	0270-5257

Conference

Conference	2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016
Country/Territory	United States
City	Austin
Period	14/05/16 → 22/05/16

Research Groups and Themes

Cyber Security
Bristol Interaction Group

Keywords

Grounded theory
Incident analysis
Security requirements

Access to Document

10.1145/2884781.2884785

Handle.net

Persistent link

Cite this

Rashid, A., Naqvi, S. A. A., Ramdhany, R., Edwards, M., Chitchyan, R., & Ali Babar, M. (2016). Discovering "unknown known" security requirements. In Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016 (pp. 866-876). (Proceedings - International Conference on Software Engineering; Vol. 14-22-May-2016). IEEE Computer Society. https://doi.org/10.1145/2884781.2884785

@inproceedings{295a9945754f4a079bc0b613a1786f32,

title = "Discovering {"}unknown known{"} security requirements",

abstract = "Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoret-ical security models are available that provide best practice security guidelines and are widely utilised as a basis to iden-tify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the var-ious concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the the-oretical security models underpinning security requirements. In this paper, we present an approach to discover such un-known knowns through multi-incident analysis. The ap-proach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.",

keywords = "Grounded theory, Incident analysis, Security requirements",

author = "Awais Rashid and Naqvi, \{Syed Asad Ali\} and Rajiv Ramdhany and Matthew Edwards and Ruzanna Chitchyan and \{Ali Babar\}, M.",

year = "2016",

month = may,

day = "14",

doi = "10.1145/2884781.2884785",

language = "English",

series = "Proceedings - International Conference on Software Engineering",

publisher = "IEEE Computer Society",

pages = "866--876",

booktitle = "Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016",

address = "United States",

note = "2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016 ; Conference date: 14-05-2016 Through 22-05-2016",

}

Rashid, A, Naqvi, SAA, Ramdhany, R, Edwards, M , Chitchyan, R & Ali Babar, M 2016, Discovering "unknown known" security requirements. in Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016. Proceedings - International Conference on Software Engineering, vol. 14-22-May-2016, IEEE Computer Society, pp. 866-876, 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016, Austin, United States, 14/05/16. https://doi.org/10.1145/2884781.2884785

Discovering "unknown known" security requirements. / Rashid, Awais; Naqvi, Syed Asad Ali; Ramdhany, Rajiv et al.
Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016. IEEE Computer Society, 2016. p. 866-876 (Proceedings - International Conference on Software Engineering; Vol. 14-22-May-2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Discovering "unknown known" security requirements

AU - Rashid, Awais

AU - Naqvi, Syed Asad Ali

AU - Ramdhany, Rajiv

AU - Edwards, Matthew

AU - Chitchyan, Ruzanna

AU - Ali Babar, M.

PY - 2016/5/14

Y1 - 2016/5/14

N2 - Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoret-ical security models are available that provide best practice security guidelines and are widely utilised as a basis to iden-tify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the var-ious concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the the-oretical security models underpinning security requirements. In this paper, we present an approach to discover such un-known knowns through multi-incident analysis. The ap-proach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.

AB - Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoret-ical security models are available that provide best practice security guidelines and are widely utilised as a basis to iden-tify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the var-ious concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the the-oretical security models underpinning security requirements. In this paper, we present an approach to discover such un-known knowns through multi-incident analysis. The ap-proach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.

KW - Grounded theory

KW - Incident analysis

KW - Security requirements

UR - https://www.scopus.com/pages/publications/84971483795

U2 - 10.1145/2884781.2884785

DO - 10.1145/2884781.2884785

M3 - Conference Contribution (Conference Proceeding)

T3 - Proceedings - International Conference on Software Engineering

SP - 866

EP - 876

BT - Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016

PB - IEEE Computer Society

T2 - 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering, ICSE 2016

Y2 - 14 May 2016 through 22 May 2016

ER -

Rashid A, Naqvi SAA, Ramdhany R, Edwards M , Chitchyan R, Ali Babar M. Discovering "unknown known" security requirements. In Proceedings of the 38th International Conference on Software Engineering, ICSE 2016, Austin, TX, USA, May 14-22, 2016. IEEE Computer Society. 2016. p. 866-876. (Proceedings - International Conference on Software Engineering). doi: 10.1145/2884781.2884785

Discovering "unknown known" security requirements

Abstract

Publication series

Conference

Research Groups and Themes

Keywords

Access to Document

Handle.net

Other files and links

Fingerprint

Professor Ruzanna Chitchyan

Professor Awais Rashid

Cite this

Discovering "unknown known" security requirements

Abstract

Publication series

Conference

Research Groups and Themes

Keywords

Access to Document

Handle.net

Other files and links

Fingerprint

Profiles

Professor Ruzanna Chitchyan

Professor Awais Rashid

Cite this