| ||||||||||||||||||||||||||||||||||||
[SSC13] Security requirements analysis based on security and domain ontologiesAtelier, Poster ou Démonstration dans une Conférence Internationale : Requirements Engineering: Foundation for Software Quality, April 2013, pp.1-3, Essen, Germany,
motcle:
Résumé:
Security is the discipline concerned with protecting systems from a wide range of threats (malice, error or mischief) that break the system by exploiting a vulnerability, i.e. a property of the system or its environment that, when faced with particular threats, can lead to failure[5] . Security is a multi-faceted problem; it is as much about understanding the domain in which systems operate as it is about the systems themselves. While developing security facilities such as encryption,identity control, or specific architectures is important, our attention should be drawn at looking into the sociotechnical context in which target systems will operate and threats that may arise and their potential harm, so as to uncover security requirements. Recent research has argued about the importance of considering security at the early stages of the information systems development process, and especially the need to consider security during RE. An ontology, in the field of knowledge representation, is most often defined as "a representation of a conceptualization". It should represent a shared conceptualization in order to have any useful purpose. Ontologies are useful for representing and interrelating many types of knowledge. Several security ontologies have been proposed. Domain ontologies are formal descriptions of classes of concepts and relationships between these concepts that describe a given domain. Our previous experience with RITA, a requirements elicitation method that exploits a just one threat ontology, was that "being generic, the threats in the RITA ontology are not specific to the target [bank] industry" (the case study was in the banking sector). Experts involved in the evaluation complained about "the lack of specificity of the types of threats to the industry sector and the problem domain at hand". The problem that remains open is therefore that we need to exploit both security knowledge and domain knowledge to guide the elicitation of domain-specific security requirements. Our research question is "how to combine the use of security ontologies and domain ontologies to guide requirements elicitation efficiently?" This paper presents an ongoing research project that aims to develop a method that explores the use of security and domain ontologies for SRE.
Equipe:
isid
Collaboration:
CRI
BibTeX
|
||||||||||||||||||||||||||||||||||||