The Open University

Risk and argument: a risk-based argumentation method for practical security

Franqueira, Virginia Nunes Leas; Tun, Thein Than; Yu, Yijun; Wieringa, Roel and Nuseibeh, Bashar (2011). Risk and argument: a risk-based argumentation method for practical security. In: 19th IEEE International Conference on Requirements Engineering, 29 Aug - 2 Sep 2011, Trento, Italy, pp. 239–248.

This is the latest version of this eprint.

URL: http://re11.fbk.eu/accepted
DOI (Digital Object Identifier) Link: http://dx.doi.org/10.1109/RE.2011.6051659

Abstract

When showing that a software system meets certain security requirements, it is often necessary to work with formal and informal descriptions of the system behavior, vulnerabilities, and threats from potential attackers. In earlier work, Haley et al. [1] showed that structured argumentation could deal with such mixed descriptions. However, incomplete and uncertain information and limited resources force practitioners to settle for good-enough security. To deal with these conditions of practice, we extend the method of Haley et al. with risk assessment. The proposed method, RISA (RIsk assessment in Security Argumentation), uses public catalogs of security expertise to support the risk assessment, and to guide the security argumentation in identifying rebuttals and mitigations for security requirements satisfaction. We illustrate RISA with a realistic example of a PIN Entry Device.

Item Type: Conference Item
Copyright Holders: 2011 IEEE
ISBN: 1-4577-0924-4, 978-1-4577-0924-1
ISSN: 1090-705X
Project Funding Details:
Funded Project Name | Project ID | Funding Body
SecureChange | Not Set | European Union
Not Set | 03/CE2/I303_1 | Science Foundation Ireland
Extra Information: Pages 239-248 in published proceedings
Distinguished Research Paper
Keywords: requirements engineering; argumentation; security engineering; risk assessment
Academic Unit/Department: Mathematics, Computing and Technology > Computing & Communications
Interdisciplinary Research Centre: Centre for Research in Computing (CRC)
Item ID: 28980
Depositing User: Yijun Yu
Date Deposited: 22 Jun 2011 15:22
Last Modified: 29 Oct 2013 19:38
URI: http://oro.open.ac.uk/id/eprint/28980