Effective Security Requirements Analysis: HAZOP and Use Cases

Srivatanakul, Thitima; Clark, John A.; Polack, Fiona

doi:10.1007/978-3-540-30144-8_35

Cited by 40 publications

(24 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…By introducing a special set of guidewords, Winther et al [36] show how HAZOP can be extended to identify security threats. Srivantakul et al [33] combine HAZOP study with UML use case diagrams to identify potential misuse scenarios in computer systems. We take a similar approach to combine PHEA study with HAZOP and analyse user (engineer) behaviour in a SCADA environment.…”

Section: Related Workmentioning

confidence: 99%

A log mining approach for process monitoring in SCADA

Hadžiosmanović

Bolzoni

Hartel

2012

Int. J. Inf. Secur.

View full text Add to dashboard Cite

SCADA (supervisory control and data acquisition) systems are used for controlling and monitoring industrial processes. We propose a methodology to systematically identify potential process-related threats in SCADA. Process-related threats take place when an attacker gains user access rights and performs actions, which look legitimate, but which are intended to disrupt the SCADA process. To detect such threats, we propose a semi-automated approach of log processing. We conduct experiments on a real-life water treatment facility. A preliminary case study suggests that our approach is effective in detecting anomalous events that might alter the regular process workflow.

show abstract

Section: Related Workmentioning

confidence: 99%

A log mining approach for process monitoring in SCADA

Hadžiosmanović

Bolzoni

Hartel

2012

Int. J. Inf. Secur.

View full text Add to dashboard Cite

show abstract

“…Srivatanakul et al [21] criticize Security-HazOp and claim that the recommended guidewords are not flexible enough to bring out the analysts' creativity. They propose to apply guidewords to elements of a case by interpreting the guidewords for the attributes of each element of the case that is subject to deviation.…”

Section: Security-hazopmentioning

confidence: 99%

Extended eTVRA vs. security checklist: Experiences in a value-web

Morali

Zambon

Houmb

et al. 2009

2009 31st International Conference on Software Engineering - Companion Volume

View full text Add to dashboard Cite

Security evaluation according to ISO 15408 (Common Criteria) is a resource and time demanding activity, as well as being costly. For this reason, only few companies take their products through a Common Criteria evaluation. To support security evaluation, the European Telecommunications Standards Institute (ETSI) has developed a threat, vulnerability, risk analysis (eTVRA) method for the Telecommunication (Telco) domain. eTVRA builds on the security risk management methodology CORAS and is structured in such a way that it provides output that can be directly fed into a Common Criteria security evaluation.In this paper, we evaluate the time and resource efficiency of parts of eTVRA and the quality of the result produced by following eTVRA compared to a more pragmatic approach (Protection Profile-based checklists). We use both approaches to identify and analyze risks of a new SIM card currently under joint development by a small hardware company and a large Telco provider.

show abstract

“…In addition, whenever such proof succeeds, Zenon helps the user to locate the source of the inconsistency (the conflicting security properties) by providing the list of properties (and definitions) not used to complete the proof (since the user can provide more properties than necessary). This approach might be coupled with complementary methods, such as deviational techniques [11], in order to cater for external factors (which can still influence the regulation content) using flaw hypotheses to explore security violations.…”

Section: Consistencymentioning

confidence: 99%

Reasoning about Airport Security Regulations Using the Focal Environment

Delahaye

Étienne

Donzeau-Gouge

2006

Second International Symposium on Leveraging Applications of Formal Methods, Verification and Validation (Isola 2006)

View full text Add to dashboard Cite

Abstract-We present the validation of regulations intended to ensure airport security in the framework of civil aviation. In particular, we describe the proofs of correctness/completeness for two standards, one at the international level and the other at the European level, and we show how the properties of the European level refines those of the international level. These models are expressed using the Focal environment, an objectoriented specification and proof system, and the proofs described by means of a declarative-like language are processed by the automated theorem prover Zenon. We show how Zenon appears quite appropriate when dealing with abstract specifications like our case study, but also how it should be controlled to present readable proofs.

show abstract

Effective Security Requirements Analysis: HAZOP and Use Cases

Cited by 40 publications

References 9 publications

A log mining approach for process monitoring in SCADA

A log mining approach for process monitoring in SCADA

Extended eTVRA vs. security checklist: Experiences in a value-web

Reasoning about Airport Security Regulations Using the Focal Environment

Contact Info

Product

Resources

About