Nicola Zannone scite author profile

Security Requirements Engineering is emerging as a branch of Software Engineering, spurred by the realization that security must be dealt with early on during the requirements phase. Methodologies in this field are challenging, as they must take into account subtle notions such as trust (or lack thereof), delegation, and permission; they must also model entire organizations and not only systems-to-be.In our previous work we introduced Secure Tropos, a formal framework for modeling and analyzing security requirements. Secure Tropos is founded on three main notions: ownership, trust, and delegation. In this paper we refine Secure Tropos introducing the notions of at-least delegation and trust of execution; also, at-most delegation and trust of permission. We also propose monitoring as a security design pattern intended to overcome the problem of lack of trust between actors. The paper presents a semantics for these notions, and describes an implemented formal reasoning tool based on Datalog. A Running ExampleThe example is abstracted from a substantial case study on the compliance of Italian public administrations such as universities, local governments and health care authorities to Italian security and privacy legislation.

show abstract

Requirements engineering for trust management: model, methodology, and reasoning

Giorgini

Massacci

Mylopoulos

et al. 2006

Int. J. Inf. Secur.

106

107

View full text Add to dashboard Cite

A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission, and trust and intended for requirements modeling. It also extends Tropos, an agentoriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.Keywords Requirements Engineering · Agent-oriented software · Security Engineering · Trust models for business and organizations · Verification and validation of software · Privilege management This work is an expanded and revised version of [19,20].

show abstract

A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities

Elahi

Zannone

2009

Requirements Eng

View full text Add to dashboard Cite

Many security breaches occur because of exploitation of vulnerabilities within the system. Vulnerabilities are weaknesses in the requirements, design, and implementation, which attackers exploit to compromise the system. This paper proposes a methodological framework for security requirements elicitation and analysis centered on vulnerabilities. The framework offers modeling and analysis facilities to assist system designers in analyzing vulnerabilities and their effects on the system; identifying potential attackers and analyzing their behavior for compromising the system; and identifying and analyzing the countermeasures to protect the system. The framework proposes a qualitative goal model evaluation analysis for assessing the risks of vulnerabilities exploitation and analyzing the impact of countermeasures on such risks.

show abstract

Towards the development of privacy-aware systems

Guarda

Zannone

2009

Information and Software Technology

113

View full text Add to dashboard Cite

Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation

Massacci

Prest

Zannone

2005

Computer Standards & Interfaces

View full text Add to dashboard Cite

Extending Requirements Engineering modelling and formal analysis methodologies to cope with Security Requirements has been a major effort in the past decade. Yet, only few works describe complex case studies that show the ability of the informal and formal approaches to cope with the level complexity required by compliance with ISO-17799 security management requirements.In this paper we present a comprehensive case study of the application of the Secure Tropos RE methodology for the compliance to the Italian legislation on Privacy and Data Protection by the University of Trento, leading to the definition and analysis of a ISO-17799-like security management scheme.

show abstract

Security and privacy for innovative automotive applications: A survey

Hartog

Zannone

2018

Computer Communications

View full text Add to dashboard Cite

Access control in Internet-of-Things: A survey

Ravidas

Lekidis

Paci

et al. 2019

Journal of Network and Computer Applications

111

View full text Add to dashboard Cite

Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach

Asnar

Moretti

Sebastianis

et al. 2008

View full text Add to dashboard Cite

The analysis of business solutions is one of critical issues in industry. Risk is one of the most preeminent and accepted metrics for the evaluation of business solutions. Not surprisingly, many research efforts have been devoted to develop risk management frameworks. Among them, Tropos Goal-Risk offers a formal framework for assessing and treating risks on the basis of the likelihood and severity of failures. In this paper, we extend the Tropos Goal-Risk to assess and treat risks by considering the interdependency among actors within an organization. To make the discussion more concrete, we apply the proposed framework for analysis of the risks within manufacturing organizations.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

334 Leonard St

Brooklyn, NY 11211

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

Nicola Zannone

Modeling security requirements through ownership, permission and delegation

Requirements engineering for trust management: model, methodology, and reasoning

A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities

Towards the development of privacy-aware systems

Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation

Security and privacy for innovative automotive applications: A survey

Access control in Internet-of-Things: A survey

Risk as Dependability Metrics for the Evaluation of Business Solutions: A Model-driven Approach

Contact Info

Product

Resources

About