The Open UniversitySkip to content

Managing security control assumptions using causal traceability

Nhlabatsi, Armstrong; Yu, Yijun; Zisman, Andrea; Tun, Thein; Khan, Niamul; Bandara, Arosha; Khan, Khaled and Nuseibeh, Bashar (2015). Managing security control assumptions using causal traceability. In: 8th International Symposium on Software and Systems Traceability (SST 2015), 17 Jul 2015, Florence, Italy.

Full text available as:
PDF (Accepted Manuscript) - Requires a PDF viewer such as GSview, Xpdf or Adobe Acrobat Reader
Download (465kB) | Preview
Google Scholar: Look up in Google Scholar


Security control specifications of software systems are designed to meet their security requirements. It is difficult to know both the value of assets and the malicious intention of attackers at design time, hence assumptions about the operational environment often reveal unexpected flaws. To diagnose the causes of violations in security requirements it is necessary to check these design-time assumptions. Otherwise, the system could be vulnerable to potential attacks. Addressing such vulnerabilities requires an explicit understanding of how the security control specifications were defined from the original security requirements. However, assumptions are rarely explicitly documented and monitored during system operation. This paper proposes a systematic approach to monitoring design-time assumptions explicitly as logs, by using traceability links from requirements to specifications. The work also helps identify which alternative specifications of security control can be used to satisfy a security requirement that has been violated based on the logs.
The work is illustrated by an example of an electronic patient record system.

Item Type: Conference or Workshop Item
Copyright Holders: 2015 The Authors
Project Funding Details:
Funded Project NameProject IDFunding Body
Adaptive Information Security: Relating Security Requirements to Design (XC-11-067-BN)NPRP 5-079-1-018Qatar National Research Fund
Keywords: traceability; assumptions; security
Academic Unit/School: Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
Faculty of Science, Technology, Engineering and Mathematics (STEM)
Research Group: Centre for Research in Computing (CRC)
International Development & Inclusive Innovation
Related URLs:
Item ID: 42451
Depositing User: Thein Tun
Date Deposited: 01 Apr 2015 08:09
Last Modified: 07 Dec 2018 22:57
Share this page:

Download history for this item

These details should be considered as only a guide to the number of downloads performed manually. Algorithmic methods have been applied in an attempt to remove automated downloads from the displayed statistics but no guarantee can be made as to the accuracy of the figures.

Actions (login may be required)

Policies | Disclaimer

© The Open University   contact the OU