Franqueira, Virginia Nunes Leas; Tun, Thein Than; Yu, Yijun; Wieringa, Roel and Nuseibeh, Bashar
Risk and argument: a risk-based argumentation method for practical security.
In: 19th IEEE International Conference on Requirements Engineering, 29 Aug - 2 Sep 2011, Trento, Italy, pp. 239–248.
This is the latest version of this eprint.
Full text available as:
When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and threats from potential attackers. In earlier work, Haley et al.  showed that structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information, and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of PIN Entry Device.
|External Project Funding Details:
|Funded Project Name||Project ID||Funding Body|
|SecureChange||Not Set||European Union|
|Not Set||03/CE2/I303_1||Science Foundation Ireland|
||Pages 239-248 in published proceedings
Distinguished Research Paper
||requirements engineering; argumentation; security engineering; risk assessment
||Mathematics, Computing and Technology > Computing & Communications
|Interdisciplinary Research Centre:
||Centre for Research in Computing (CRC)
||22 Jun 2011 15:22
||29 Oct 2013 19:38
Available Versions of this Item
Actions (login may be required)