Please use this identifier to cite or link to this item:
Title: Discovering “unknown known” security requirements
Authors: Rashid, Awais
Naqvi, Syed Asad Ali
Ramdhany, Rajiv
Edwards, Matthew
Chitchyan, Ruzanna
Babar, M. Ali
First Published: 1-Jun-2016
Presented at: 2016 IEEE/ACM 38th IEEE International Conference on Software Engineering (ICSE) , 14-22 May 2016, Austin, TX, USA
Publisher: Institute of Electrical and Electronics Engineers (IEEE), United States
Citation: ICSE '16 Proceedings of the 38th International Conference on Software Engineering, pp. 866-876
Abstract: Security is one of the biggest challenges facing organisations in the modern hyper-connected world. A number of theoretical security models are available that provide best practice security guidelines and are widely utilised as a basis to identify and operationalise security requirements. Such models often capture high-level security concepts (e.g., whitelisting, secure configurations, wireless access control, data recovery, etc.), strategies for operationalising such concepts through specific security controls, and relationships between the various concepts and controls. The threat landscape, however, evolves leading to new tacit knowledge that is embedded in or across a variety of security incidents. These unknown knowns alter, or at least demand reconsideration of the theoretical security models underpinning security requirements. In this paper, we present an approach to discover such unknown knowns through multi-incident analysis. The approach is based on a novel combination of grounded theory and incident fault trees. We demonstrate the effectiveness of the approach through its application to identify revisions to a theoretical security model widely used in industry.
DOI Link: 10.1145/2884781.2884785
ISBN: 978-1-4503-3900-1
Version: Post-print
Status: Peer-reviewed
Type: Conference Paper
Rights: Copyright © 2016, IEEE. All rights reserved. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
Appears in Collections:Conference Papers & Presentations, Dept. of Computer Science

Files in This Item:
File Description SizeFormat 
icse2016_rashid_etal.pdfPost-review (final submitted)2.71 MBAdobe PDFView/Open

Items in LRA are protected by copyright, with all rights reserved, unless otherwise indicated.