D.3.3 ALGORITHMS FOR INCREMENTAL ... - SecureChange
extensions to i* to model and analyze the vulnerabilities affecting system requirements. Mayer et al. [24] propose a conceptual model for managing the security of an information system based on several security methods (e.g., CORAS, ISO 27001). Asnar et al. [2] propose a concrete methodology, namely the Goal-Risk (GR) framework, to analyze and model security problems. The GR framework captures the stakeholders' goals, the risks that might threaten those goals, and the countermeasures required to mitigate the unacceptable risks.

Compared to these approaches, the work presented in this paper proposes an interplay between the requirement engineering process and the risk assessment process that is based on orchestration rather than on integration of the two processes. Orchestration has several advantages with respect to integration. The first one is that the requirement analyst and the risk analyst do not need in-depth expertise in each other's domain: they only need to know the mapped concepts on which the orchestration is based. Another key aspect of our approach is that the requirement and risk models are synchronized not on the basis of a periodic review but as soon as a change is applied to the models. Thus, the orchestrated process ensures bidirectional consistency of the requirement and risk models.
Change propagation. Chechik et al. [4] propose a model-based approach to propagate changes between requirements and design models that uses the relationships between the models to propagate changes automatically. Lin et al. [17] propose capturing requirement changes as a series of atomic changes in specifications and using algorithms to relate changes in requirements to the corresponding changes in specifications.

With respect to change management for risk, the ISO 31000 standard [13] prescribes that change detection and the identification of emerging risks should be conducted as part of the overall risk management process, but gives no specific guidelines on how to do this in practice. The well-known OCTAVE [1] risk assessment methodology recommends reviewing risks and critical assets, but offers no techniques or modeling support for updating the risk assessment results. The approaches of Sherer [26] and Lund et al. [20] provide some support for the maintenance of risk assessment results, in the sense of restoring the validity of risk documentation after changes, but change propagation and change impact analysis are not explicitly supported.
Other works relevant to change propagation are those on the generation and maintenance of traceability links, and on model-to-model transformations. Most of the works on the maintenance of traceability matrices focus either on the recovery of traceability links between requirements and artifacts of different types (e.g., code) [6, 7, 14, 19], since in many cases these links are not explicitly represented, or on methods and CASE tools for the representation and management of traceability links [5, 11, 12, 14]. Model-to-model transformation techniques such as VIATRA2 [29], QVT [27], and ATLAS [3] support change propagation by means of bidirectional incremental model synchronization.

In this paper we rely on the VIATRA2 transformation framework to represent the mappings between concepts of SI* and CORAS as graph transformation rules. VIATRA2 ensures the automatic creation of traceability links between CORAS and SI* models and the execution of the mappings when a change affects a mapped concept.