D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange
D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange
D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange
Create successful ePaper yourself
Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.
the risk analyst identifies treatments that aim to reduce the risk to an acceptable level.<br />
The requirement analyst has to be notified about the new treatments, so that he/she can<br />
decide whether to implement the treatments or not. If the treatments provide sufficient<br />
risk reduction and are cost effective, the requirement analyst updates the requirement<br />
model with new tasks linked to the soft goal protecting the asset harmed by the threat<br />
mitigated by the treatments.<br />
Example 5. Due to space constraints we do not show the modeling of this example,<br />
which in any case should be straightforward. A risk assessment is conducted that identifies<br />
the new threat scenario Eavesdropping on ADS-B communication. The risk of<br />
leakage of critical A/C position data due to ADS-B eavesdropping is considered as<br />
very unlikely since this kind of data is not sensitive, but the consequence of leakage<br />
of critical data is considered as a major consequence. The resulting risk level is therefore<br />
unacceptable. The treatment Implement encryption of ADS-B signal is identified<br />
for the threat scenario Eavesdropping on ADS-B communication. The addition of the<br />
treatment Implement encryption of ADS-B signal leads to the addition of a) a new soft<br />
goal Confidentiality of ADS-B signal which protects the resource ADS-B signal, b) a<br />
task Encryption of ADS-B signal which contributes to the fulfillment of the soft goal<br />
Confidentiality of ADS-B signal.<br />
With these examples we see how the change-driven interplay works in practice. It<br />
supports the underlying idea of separation of concern between the two domains where<br />
the respective processes are conducted separately, yet sufficiently orchestrated to manage<br />
the changes in a coherent way. Moreover, the interplay ensures that consistency is<br />
maintained between the two domains and that none of the models become obsolete with<br />
respect to the other under change.<br />
5 Related Work<br />
The approach presented in this paper is related to works that have investigated the problems<br />
of orchestrating the requirement elicitation and analysis process with risk assessment<br />
process, and to works on how to handle change propagation.<br />
Requirements and Risk Analysis Interplay. Several requirement frameworks have<br />
attempted to extend requirements conceptual models with security related concepts and<br />
to include risk analysis as part of the requirement analysis. Among goal-oriented approaches,<br />
van Lamsweerde extends KAOS by introducing the notions of obstacle [28]<br />
and anti-goal [15] to analyze the security concerns of a system. KAOS obstacle captures<br />
an undesired state of affairs that might harm safety goals (i.e., hazard) or threaten security<br />
goals (i.e., threat). KAOS anti-goal captures the intention of an attacker or considers<br />
it as a malicious obstacle. A formal framework is proposed to identify the obstacles to<br />
a goal in a given domain properties and to generate countermeasures to those obstacles.<br />
Liu et al. [18] proposes an extension of the i* framework [30] to identify attackers, and<br />
analyze vulnerabilities through actor’s dependency links. In this framework, all actors<br />
are considered as potential attackers, and therefore their capabilities are analyzed and<br />
possible damages caused by actors are assessed. In Li et al. [16], the authors propose<br />
a formal framework to support the attacker analysis. Similarly, Elahi et al. [8] propose