Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: a case study using smart grid advanced metering infrastructure

Suleiman, Husam; Svetinovic, Davor

doi:10.1007/s00766-012-0153-4

Cited by 40 publications

(21 citation statements)

References 53 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many researchers highlighted that reducing security issues has become important. They sug-gested the security must be integrated into the software development life cycle from the begin-ning phase and continue until the product is in use [4,5,1]. Misspecification in requirement anal-ysis is one of factors that contribute to unsecured system [6].…”

Section: Problem Statementmentioning

confidence: 99%

See 1 more Smart Citation

Improving Security And Privacy Requirement For Business Registration System (BRS)

Daud¹,

Pa²,

Foozy³

2017

Acta inform. Malays.

View full text Add to dashboard Cite

show abstract

Section: Problem Statementmentioning

confidence: 99%

“…Security and privacy is a most essential concept for understanding level of secure software and also to guarantee user satisfaction. Security and privacy is a serious problem in software development, and may become much worse in the future [1]. This is due to millions of dollars in losses are the result of attacks on unsecured system.…”

Section: Introductionmentioning

confidence: 99%

Improving Security And Privacy Requirement For Business Registration System (BRS)

Daud¹,

Pa²,

Foozy³

2017

Acta inform. Malays.

View full text Add to dashboard Cite

show abstract

“…To validate the analysis results, we compared them with a comprehensive security analysis performed on the same smart grid case [18], this study took a total of 16 person-months to identify threats, vulnerabilities and security requirements. We find out that our identified attack alternatives can cover all the threats to the integrity of energy consumption data that have been identified manually in the comparison case.…”

Section: B Operationalize Attack Strategiesmentioning

confidence: 99%

“…Beyond that, our results can discover additional detailed attacks that can be performed by attackers, particularly how such attacks can be composed to form multistage attacks. For example, the comparison study discovered a high-level threat "Tampering with SM's firmware" (Table 4, T.5 in [18]), while our results yield a corresponding multistage attack which first performs CAPEC-16: Dictionarybased Password Attack (consisting of four detailed attack steps) to defeat the password-based authorization and gains access to the smart meter firmware, and then performs CAPEC-186: Malicious Software Update to tamper with the smart meter firmware.…”

Section: B Operationalize Attack Strategiesmentioning

confidence: 99%

“…During the security requirements analysis in each layer, related threat information is required to in order to identify critical security requirements. Such threat analysis was not accommodated by the framework, instead we proposed to incorporate external threat analysis approaches for this purpose (e.g., [12]) or to import corresponding threat information from related studies that have been performed in the same domain (e.g., [18]). However, existing threat analysis approaches cannot holistically analyze multistage attacks on STSs.…”

Section: A a Three-layer Security Requirements Analysis Frameworkmentioning

confidence: 99%

See 1 more Smart Citation

Security attack analysis using attack patterns

Paja

Mylopoulos

et al. 2016

2016 IEEE Tenth International Conference on Research Challenges in Information Science (RCIS)

View full text Add to dashboard Cite

Abstract-Discovering potential attacks on a system is an essential step in engineering secure systems, as the identified attacks will determine essential security requirements. The prevalence of Socio-Technical Systems (STSs) makes attack analysis particularly challenging. These systems are composed of people and organizations, their software systems, as well as physical infrastructures. As such, a thorough attack analysis needs to consider strategic (social and organizational) aspects of the involved people and organizations, as well as technical aspects affecting software systems and the physical infrastructure, requiring a large amount of security knowledge which is difficult to acquire. In this paper, we propose a systematic approach to efficiently leverage a comprehensive attack knowledge repository (CAPEC) in order to identify realistic and detailed attack behaviors, avoiding severe repercussions of security breaches. In particular, we propose a systematic method to model CAPEC attack patterns, which has been applied to 102 patterns, in order to semi-automatically select and apply such patterns. Using the CAPEC patterns as part of a systematic and tool-supported process, we can efficiently operationalize attack strategies and identify realistic alternative attacks on an STS. We validate our proposal by performing a case study on a smart grid scenario.

show abstract

Goal-Oriented Requirements Engineering for Research-Intensive Complex Systems: A Case Study

Woldeamlak¹,

Diabat²,

Svetinovic³

2016

Syst Eng

Self Cite

View full text Add to dashboard Cite

Complex systems in research and development exhibit important characteristics that might present significant systems engineering challenges due to lack of clear customers, system goals, previous development experience, etc. Such systems are characterized through the existence of multiple proposed preliminary architectures, no implemented prototypes, and no agreed upon standards and protocols. We refer to these systems as Research-Intensive Complex Systems (RICS). RICS requirements are not well-defined, and RICS are exposed to a wide variety of risks and uncertainties. The main source of the RICS domain knowledge, requirements, and goals are research publications and reports. There is often a lack of clear goals, and many goals are ambiguous or conflicting. This paper evaluates the effectiveness of the Knowledge Acquisition in autOmated Specification (KAOS) method applied to smart metering system, as an example of a sustainability-related RICS. The evaluation is performed using a set of qualitative criteria with respect to KAOS's ability to elicit and specify goals for RICS in comparison to the implemented goal models. C⃝ 2016 Wiley Periodicals, Inc. Syst Eng 19: 322-333, 2016

show abstract

Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: a case study using smart grid advanced metering infrastructure

Cited by 40 publications

References 53 publications

Improving Security And Privacy Requirement For Business Registration System (BRS)

Improving Security And Privacy Requirement For Business Registration System (BRS)

Security attack analysis using attack patterns

Goal-Oriented Requirements Engineering for Research-Intensive Complex Systems: A Case Study

Contact Info

Product

Resources

About