
Security requirements

Term – Security requirement

A need or restriction from a user, a stakeholder or the environment related to the goal to improve the system security.

Holistic security requirement engineering, Computers & Security 2004


Requirement sources

Business Process
  Internally oriented requirements and some of the risks related to them

Risk Analysis
  Requirements related to common threats

Stakeholder and Environment
  Stakeholder needs and demands concerning the security

Security requirement engineering process

Phase 1
  Find the requirements and document them

Phase 2
  Compile the requirements to a consistent requirement specification and validate them


A DECISION MATRIX APPROACH to prioritize holistic security requirements in e-commerce

Conventional approaches

Risk analysis – higher risk means earlier treatment
  Risks are no longer the only source

Business metric systems – calculate a ROSI or NPV and use the value to order the requirements
  Frequently risk based
  In a highly volatile area such as information security, such long-term prognoses seem to be almost impossible


Conventional approaches II

Ask a stakeholder – ask people with interest in the system what they prefer
  Problems with the dislike factor of security
  Reproducibility is problematic

Decision Matrix

Security benefit
  (a) means high protection of own resources or (b) enables business

Cost/Complexity
  Cost of realization and associated complexity.

[Figure: decision matrix with the axes Security benefit and Cost/Complexity]


Quadrant meaning

Dog – Indifferent potential
Problem child – Low potential
Cash Cow – High potential
Star – Indifferent potential

[Figure: matrix with the quadrants Dog, Problem Child, Star and Cash Cow; axes Cost/Complexity and Security benefit]

Input data elicitation

Delphi method is used for elicitation
Questionnaire design is crucial to
  achieve validity
  make the meaning of the distribution distinguishable
Scale should be 6 because
  Fowler says it should be between 5 and 7
  It must be a multiple of two


Informal prioritization

Place the requirements in the matrix according to their values
Quadrants determine priority
  Problem child -> low in the priority list
  Cash Cow -> high in the priority list
  Star -> diagonal from the source; requirements below will have higher priority than the requirements above
  Dog -> similar to the stars
Requirement list = { Cash Cows, lower Stars, lower Dogs, higher Stars, higher Dogs, Problem child }
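
Added example (not part of the original slides): the informal prioritization as a sort over the six buckets of the requirement list. The axis layout (Cash Cow = high benefit and low cost, Star = high/high, Dog = low/low, Problem child = low/high), the reading of "below the diagonal" as benefit greater than cost, the handling of ties on the diagonal, and the names Requirement, bucket and prioritize are assumptions; the sample requirements are constructed.

```python
from typing import NamedTuple

SCALE_MAX = 6              # 6-point scale, as the slides recommend
MIDPOINT = SCALE_MAX // 2  # ratings 1-3 count as low, 4-6 as high

# Priority order given on the slide, highest first.
BUCKET_ORDER = ["Cash Cow", "lower Star", "lower Dog",
                "higher Star", "higher Dog", "Problem child"]


class Requirement(NamedTuple):
    name: str
    benefit: int  # security benefit rating, 1..SCALE_MAX
    cost: int     # cost/complexity rating, 1..SCALE_MAX


def bucket(req: Requirement) -> str:
    """Map a requirement to one of the six priority buckets."""
    for value in (req.benefit, req.cost):
        if not 1 <= value <= SCALE_MAX:
            raise ValueError(f"{req.name}: rating {value} is off the scale")
    high_benefit = req.benefit > MIDPOINT
    high_cost = req.cost > MIDPOINT
    # Assumed quadrant layout (not stated on the slides).
    if high_benefit and not high_cost:
        return "Cash Cow"        # high potential
    if high_cost and not high_benefit:
        return "Problem child"   # low potential
    quadrant = "Star" if high_benefit else "Dog"
    # Assumption: "below the diagonal" means benefit exceeds cost;
    # a requirement exactly on the diagonal is treated as "higher".
    side = "lower" if req.benefit > req.cost else "higher"
    return f"{side} {quadrant}"


def prioritize(reqs):
    """Stable sort by bucket; ties keep their input order."""
    return sorted(reqs, key=lambda r: BUCKET_ORDER.index(bucket(r)))


# Constructed sample requirements for an e-commerce system.
SAMPLE = [
    Requirement("Formal verification of payment code", 4, 6),
    Requirement("Login banner", 2, 1),
    Requirement("Custom cryptographic protocol", 2, 6),
    Requirement("TLS on checkout", 6, 2),
    Requirement("Screen lock policy", 1, 3),
    Requirement("HSM-backed key storage", 6, 5),
]
```
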

Formal prioritization

Calculate a value for each requirement which defines the position in the matrix
Compare requirement (a_{i;j}) to requirement (a_{k;l}) to construct a preference order
In two circumstances the prioritization value can be equal. The preference order should then be achieved dependent on the requirement parameters


Scenario II

Requirement values
  Informal { {5,1}, 3, {6,2}, 4 }
  Formal { 5, 1, 6, 3, 2, 4 }

Risk analysis


Terms – Risk and Risk analysis

Risk is constituted by the expected likelihood of a hazardous event and the expected damage of the event.
  DIN, VDE Norm 31000

The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets.
  National Information Systems Security Glossary

Risk Analysis Approaches

Bottom up
  The risk is an aggregate of lower level risks
    e.g. the risk that a phone breaks is an aggregation of the risks of its constituent parts
  Mainly used in technical risk analysis

Top down
  The risk is detailed to derive more clarity
  Mainly used in organizational risk analysis


Risk Analysis Approaches

Baseline Approach
  Do not analyze but apply baseline security

Informal Approach
  Pragmatic risk analysis

Detailed Risk Analysis
  In-depth valuation of assets, threat assessment and vulnerability assessment

Combined Approach
  Initial high level approach where important systems are further analyzed with a detailed approach

ISO 13335 – Guidelines for the management of IT Security (GMITS)

Risk Identification

Checklists/Best practices
  RA Tools (e.g. CRAMM, COBRA ...)
  Standards
    ISO 17799, ISO 13335, Common Criteria
    Basic Protection Manual (Grundschutzhandbuch)
    ...

Mathematical Approaches
  Trend Analysis, Regression Analysis ...

Creative approaches
  Brainstorming, Delphi Method ...


Risk Assessment

Assess the values for a risk (per asset)
  How likely is it?
  How harmful is it?

Assessment Approaches
  Mathematical/Statistical Methods
    Time line analysis (Trend Analysis)
    Regression analysis
  Simulation
    Monte Carlo Simulation
  Expert guesses

Risk Assessment

Severity Analysis
  Calculate the risk: r = p * e

Qualitative Methods
  Abstract values for ranking (high – low effect, high – low likelihood)

Quantitative Methods
  Specific values indicating severity (p = 0.32, e = 1000 or e = 0.43)


Risk countermeasures

Avoidance
  A measure is chosen (respectively not chosen) so that the risk cannot emerge.

Reduction
  of threat
    the cause of the risk is tried to be reduced.
  of vulnerability
    reducing the vulnerability
  of impact
    reduce the effects

Risk countermeasures

Detection
  identified when the risk is emerging – eliminating the risk source

Recovery
  establish a recovery strategy

Transfer
  transfer the risk to a third party

Acceptance
  Preconditions set by the management
  Residual Risk - The maximal acceptable risk
  Final decision made by the management


AS/NZS 4360 RM Process

Identify Context
  Define the organizational context

Identify Risks
  What can happen and how

Analyze Risks
  Determine Likelihood and consequences

Evaluate Risk
  Compare against criteria and set priorities

Treat Risk
  Identify treatment options and decide for one

[Figure: process flow with the steps Identify Context, Identify Risks, Analyze Risks (Determine Likelihood, Determine consequence, Estimate level of risk), Evaluate Risks, Accept Risks (yes/no) and Treat Risks, accompanied by Monitor and Review and Communicate and Consult]

Security Policy


Policy - Terms and definitions

A security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide.

Security Policy (Site Security Handbook, B. Fraser)

Policy classification

Language
  Formal languages (mathematics, state engines, constraint languages)
  Natural language (normative languages, free speech)

Target
  Product (mostly a technical system)
  Overall (mostly an organization or humans)

[Figure: policies classified by Language (Natural language, Formal language); examples shown: Bell-LaPadula, Java Policy constraint language, Corporate Policy, Privacy policy for enterprises, Internet privacy policy, Liability policy - legal]


Information Security Policy Hierarchy

Overall Policy

Expresses policy at the highest level of abstraction
A statement about the importance of information resources
Management and employee responsibility
Critical and subsequent security requirements
As a subdocument acceptable risks and budgets


Requirements to a policy

Policies need to be set at a high enough level to guide for longer time periods
Demonstrate organizational commitment to security
Position of responsibility to owners, partners and public
Hierarchy of policies
Concordant with organizational culture and norms

Target Policies

Tactical regulation instrument
Can have operational guidelines
Specific in a target area but not too detailed


Product policy

Requirements to the product
  Additional Security
  Relaxing other policies

Formulating special target policies for products
  Privacy
  Confidentiality statements
  Reliability statements
  ...

Questions ?