Arguing Security: A Framework for Analyzing Security Requirements

This book presents a framework for security requirements elicitation and analysis. The framework is based on constructing a context for the system, representing security requirements as constraints, and developing satisfaction arguments for the security requirements. The system context is described using a problem–oriented notation, then is validated against the security requirements through construction of a satisfaction argument. The satisfaction argument consists of two parts: a formal argument that the system can meet its security requirements, and a structured informal argument challenging the assumptions in the formal argument. The construction of the satisfaction argument may fail, revealing either that the security requirement cannot be satisfied in the context, or that the context does not contain sufficient information to develop the argument. In this case, designers and architects are asked to provide additional design information to resolve the problems. The framework is evaluated by applying it to an analysis of security requirements within an air traffic control technology evaluation project.

About the Author:

Professor Haley holds a PhD from the Open University, and MS and BA degrees in computer science from the University of California at Berkeley. Before reentering the academic community in 1999, he worked in the software industry at companies including Bell Laboratories, Rational Software, Bell Northern Research, and Sun Microsystems.