Resolving vulnerability identification errors using security requirements on business process models

Taubenberger, Stefan; Jürjens, Jan; Yu, Yijun; Nuseibeh, Bashar

doi:10.1108/imcs-09-2012-0054

Cited by 15 publications

(9 citation statements)

References 29 publications

(55 reference statements)

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Dantu and Kolan [83] Other DE, AB BN Yes Depoy et al [105] Other DE, AB WP, WCP Yes Hasle et al [106] Enterprise (A) AW WLC No Villarrubia et al [107] Enterprise (A) RE WLC No Bhilare et al [74] Enterprise (M/L) RE None Yes Grunske and Joyce [108] Other DE, AB WP, WM Yes Sahinoglu [84] Other RE WLC, BN Yes Dantu et al [85] Other DE, AB BN Yes Chen and Wang [87] Other AW WP No Chan [88] Enterprise (M/L) RE WLC, WP No Shin et al [78] Other AW, KN WLC No Bojanc et al [109] Enterprise (A) RE WLC, WM Yes Lo and Chen [50] Enterprise (M/L) AW, RE WLC No Rantos et al [110] Enterprise (A) AW, DE, KN, AB, RE WLC Yes Shameli-Sendi et al [80] Enterprise (A) KN, AB WC No Bojanc and Jerman-Blažič [111] Enterprise (A) AW, RE WLC Yes Marconato et al [79] Other AW, DE None No Taubenberger et al [112] Enterprise (M/L) AW, RE None No Alencar Rigon et al [102] Enterprise (M/L) RE WLC No Boggs et al [113] Other AW WLC Yes Chen et al [114] Enterprise (M/L) RE WLC No Cheng et al [115] Other AW WLC, WP, WM Yes Feng et al [86] Enterprise (M/L) AW, RE BN Yes Manifavas et al [77] Enterprise (A) AW, DE, KN, AB, RE WLC Yes Silva et al [81] Other RE WLC, WP No Suhartana et al [116] Enterprise (A) AB, RE WLC Yes Yadav and Dong [117] Other AW, KN, AB, RE None Yes Dehghanimohammadabadi and Bamakan [118] Enterprise (M/L) RE WLC, WP Yes Juliadotter and Choo [119] Other AW, DE, KN, AB, RE WLC Yes Otero [120] Enterprise (M/L) AW, AB, RE None Yes Solic et al [121] Enterprise (A) AW, KN, AB WLC No Sugiura et al [122] Enterprise (A) AW, RE None No Wei et al [123] Other AW, AB WLC No You et al [7...…”

Section: Research Application Area Adkar Elements Aggregation Strategies Real-life Threatmentioning

confidence: 99%

Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics

et al. 2021

View full text Add to dashboard Cite

Cybersecurity threats are on the rise, and small- and medium-sized enterprises (SMEs) struggle to cope with these developments. To combat threats, SMEs must first be willing and able to assess their cybersecurity posture. Cybersecurity risk assessment, generally performed with the help of metrics, provides the basis for an adequate defense. Significant challenges remain, however, especially in the complex socio-technical setting of SMEs. Seemingly basic questions, such as how to aggregate metrics and ensure solution adaptability, are still open to debate. Aggregation and adaptability are vital topics to SMEs, as they require the assimilation of metrics into an actionable advice adapted to their situation and needs. To address these issues, we systematically review socio-technical cybersecurity metric research in this paper. We analyse aggregation and adaptability considerations and investigate how current findings apply to the SME situation. To ensure that we provide valuable insights to researchers and practitioners, we integrate our results in a novel socio-technical cybersecurity framework geared towards the needs of SMEs. Our framework allowed us to determine a glaring need for intuitive, threat-based cybersecurity risk assessment approaches for the least digitally mature SMEs. In the future, we hope our framework will help to offer SMEs some deserved respite by guiding the design of suitable cybersecurity assessment solutions.

show abstract

Section: Research Application Area Adkar Elements Aggregation Strategies Real-life Threatmentioning

confidence: 99%

Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics

et al. 2021

View full text Add to dashboard Cite

show abstract

“…The role of business processes in the security of organizations has been investigated in a number of studies, including the work of Wangen and Snekkenes (2014) and the work of Taubenberger et al (2013). These studies have shown that enterprises' business processes play a major role in the security of the organizations.…”

Section: Process-based Security Assessmentmentioning

confidence: 99%

Enterprise Architecture Security Assessment Framework (EASAF)

Alshammari¹

2017

Journal of Computer Science

View full text Add to dashboard Cite

Abstract:Many existing studies have shown that the causes of most of system attacks are not related to coding vulnerabilities that apply to individual systems, issues related to the run-time environment, or the technology in place. In fact, they are caused by issues associated with how systems within organizations are structured. Therefore, it is necessary to examine security with regard to all components that influence the organization's systems, including data, processes and even employees. The most promising approach to achieving this goal is Enterprise Architecture (EA). The main goal of this project is to develop a framework based on the concepts of well-established EA frameworks such as TOGAF and Zachman and their compositional layers (e.g., application, information and process). This framework will be combined with a data flow analysis of the principles that trace the potential information flow between high-and low-security enterprise components. Therefore, this paper studies various enterprise architecture frameworks and shows how to develop an enterprise architecture framework that considers the organization's information security from the perspective of information flow. This framework will have various layers, each with a set of security metrics that quantify the organization's relative security based on the specifications of that layer. The defined framework will be capable of defining Enterprise Architecture security-related principles and metrics. These principles and metrics will eventually be used to define how to develop secure enterprise systems based on the enterprise architecture with regard to security-critical information flow within any given organization. The defined framework will also be capable of providing guidance for information security architects by recognizing certain parts of the organization that are less secure than others.

show abstract

“…Taubenberger et al have also evaluated their approach in resolving errors related to the identification of vulnerabilities in comparison to an existing approach. Their findings indicate that explicitly evaluating security requirements during the course of business can help in resolving vulnerability identification errors (Taubenberger et al 2013). Karpati et al have recently reported empirical evaluation of misuse case maps in identifying security threats through two controlled experiments (Karpati, Opdahl, and Sindre 2015).…”

Section: Security Requirements Elicitation and Evaluationmentioning

confidence: 99%

Identifying the implied: Findings from three differentiated replications on the use of security requirements templates

et al. 2016

View full text Add to dashboard Cite

Context: Identifying security requirements early on can lay the foundation for secure software development. Security requirements are often implied by existing functional requirements but are mostly left unspecified. The Security Discoverer process automatically identifies security implications of individual requirements sentences and suggests applicable security requirements templates.Goal: To support requirements analysts in identifying security requirements by automating the suggestion of security requirements templates that are implied by existing functional requirements. Method:We conducted a controlled experiment in a graduate-level security class at North Carolina State University (NCSU) to evaluate the Security Discoverer (SD) process in eliciting implied security requirements in 2014. We have subsequently conducted three differentiated replications to evaluate the generalizability and applicability of the initial findings. The replications were conducted across three countries at the University of Trento, NCSU, and the University of Costa Rica. We evaluated the responses of the 205 total participants in terms of quality, coverage, relevance and efficiency. We also develop shared insights regarding the impact of context factors such as time, motivation and support, on the study outcomes and provide lessons learned in conducting the replications.Results: Treatment group, using the SD process, performed significantly better than the control group (at p-value <0.05) in terms of the coverage of the identified security requirements and efficiency of the requirements elicitation process in two of the three replications, supporting the findings of the original study. Participants in the treatment group identified 84% more security requirements in the oracle as compared to the control group on average. Overall, 80% of the 111 participants in the treatment group were favorable towards the use of templates in identifying security requirements. Our qualitative findings indicate that participants may be able to differentiate between relevant and extraneous templates suggestions and be more inclined to fill in the templates with additional support. Conclusion:Security requirements templates capture the security knowledge of multiple experts and can support the security requirements elicitation process when automatically suggested, making the implied security requirements more evident. However, individual participants may still miss out on identifying a number of security requirements due to empirical constraints as well as potential limitations on knowledge and security expertise.

show abstract

Resolving vulnerability identification errors using security requirements on business process models

Cited by 15 publications

References 29 publications

Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics

Respite for SMEs: A Systematic Review of Socio-Technical Cybersecurity Metrics

Enterprise Architecture Security Assessment Framework (EASAF)

Identifying the implied: Findings from three differentiated replications on the use of security requirements templates

Contact Info

Product

Resources

About