Security requirements Term – Secuirty requirement � A need or restriction from a user, a stakeholder or the environment related to the goal to improve the system security. Holistic security requirement engineering, Computers & Security 2004 1
Requirement sources � Business Process � internal oriented requirements and some of the risks related to them � Risk Analysis � Requirements related to common threats � Stakeholder and Environment � Stakeholder needs and demands concerning the security Security requirement engineering process � Phase 1 � Find the requirements and document them � Phase 2 � Compile the requirements to a consistent requirement specification and validate them 2
3
A DECISION MATRIX APPROACH to prioritize holistic security requirements in e-commerce Conventional approaches � Risk analysis – higher risk means earlier treatment � Risks are no longer the only source � Business Metric systems – calculate a ROSI or NPV and use the value to order the requirements � Frequently risk based � A highly volatile area, which information security constitutes, such a long term prognoses seems to be almost impossible 4
Conventional approaches II � Ask a stakeholder – ask people with interest in the system what they prefer � Problems with the dislike factor of security � Reproducibility is problematic Decision Matrix � Security benefit Cost/ Complexity � (a) means high protection of own resources or � (b) enables business � Cost/Complexity � Cost of realization and Security associated complexity. benefit 5
Quadrant meaning � Dog � Indifferent potential Cost/Complexity � Problem child Problem � Low potential Star Child � Cash Cow � High potential Cash Dog Cow � Star Security benefit � Indifferent potential. Input data elicitation � Delphi method is used for elicitation � Questionnaire design is crucial to � achieve validity � make the meaning of the distribution distinguishable � Scale should be 6 because � Fowler says it should be between 5 and 7 � It must be a multiple of two 6
Informal prioritization � Place the requirements in the matrix according to their values � Quadrants determine priority � Problem child -> low in the priority � Cash Cow -> high in the priority list � Star -> diagonal from the source; requirements below will have higher priority than the requirements above � Dog -> similar to the stars � Requirement list = { Cash Cows, lower Stars, lower Dogs, higher Stars, higher Dogs, Problem child} Formal prioritization � Calculate a value for each requirement which defines the position in the matrix � Compare requirement (a i;j ) to requirement (a k;l ) to construct a preference order � In two circumstances the prioritization value can be equal. The preference order should then be achieved dependent on the requirement parameters 7
Scenario II � Requirement values � Informal { { 5,1} ,3,{ 6,2} ,4} � Formal { 5,1,6,3,2,4 } Risk analysis 8
Terms – Risk and Risk analysis � Risk constitutes from the expected likelihood of a hazardous event and the expected damage of the event. DIN, VDE Norm 31000, � The total process to identify, control, and manage the impact of uncertain harmful events, commensurate with the value of the protected assets. National Information Systems Security Glossary National Information Systems Security Glossary Risk Analysis Approaches � Bottom up � The risk is an aggregate of lower level risks � e.g. The risk that a phone break is a aggregation of the risk of the consiting parts � Mainly used in technical risk analysis � Top down � The risk is detailed to derive more clarity � Mainly use in organizational risk analysis 9
Risk Analysis Approaches � Baseline Approach � Do not analysis but apply baseline security � Informal Approach � Pragmatic risk analysis � Detailed Risk Analysis � In-depth valuation of assets, threat assessment and vulnerability assessment � Combined Approach � Initial high level approach where important systems are further analysis with a detailed approach ISO 13335 – Guidelines for the management of IT Security (GMITS) Risk Identification � Checklists/Best practices � RA Tools (e.g. CRAMM, COBRA …) � Standards � ISO 17799, ISO 13335, Common criteria � Basic Protection Manual (Grundschutzhandbuch) � ... � Mathematical Approaches � Trend Analysis, Regression Analysis ... � Creative approaches � Brainstorming, Delphi Method .. 10
Risk Assessment � Assess the values for a risk (per asset) � How likely is it ? � How harmful is it? � Assessment Approaches � Mathematical/Statistical Methods � Time line analysis (Trend Analysis) � Regression analysis � Simulation � Monte Carlo Simulation � Expert guesses Risk Assessment � Severity Analysis � Calculate the risk; r = p * e � Qualitative Methods � Abstract values for ranking (high – low effect, high – low likelihood) � Quantitative Methods � Specific values indicating severity (p= 0.32, e = 1000 or e = 0.43) 11
Risk countermeasures � Avoidance � A measurement is chosen (respectively not chosen) so that the risk can not emerge. � Reduction � of threat � the cause of the risk is tried to be reduce. � of vulnerability � reducing the vulnerability � of impact � reduce the effects Risk countermeasures � Detection � identified when the risk is emerging – eliminating the risk source � Recovery � establish a recovery strategy � Transfer � transfer the risk to a third party � Acceptance � Preconditions set by the management � Residual Risk - The maximal acceptable risk � Final decision made by the management 12
AS/NZS: 4360 RM Process � Identify Context � Define the organizational Identify Context context Identify Risks � Identify Risks Communicate and Consult Analyze Risks � What can happen and how Monitor and Review Determine Determine � Analyze Risks Likelihood consequence � Determine Likelihood and Estimate level of risk consequences � Evaluate Risk Evaluate Risks � Compare against criteria yes Accept Risks and set priorities no � Treat Risk Treat Risks � Identify treatment options and decide for one Security Policy 13
Policy - Terms and definitions � As security policy is a formal statement of the rules by which people who are given access to an organization’s technology and information assets must abide. Security Policy (Site Security Handbook, B. Fraser) Policy classification � Language � Formal languages Corporate (mathematics, state Policy Liability engines, constrain policy - legal Internet languages privacy policy � Natural language Privacy policy for (normative languages, enterprises free speech) � Target Java Policy constrain Bell- language � Product (mostly a LaPadula technical system) Formal language Natural Language � Overall (mostly an Language organization or humans) 14
Information Security Policy Hierarchy Overall Policy � Expresses policy at the highest level of abstraction � A statement about the importance of information resources � Management and employee responsibility � Critical and subsequent security requirements � As a subdocument acceptable risks and budgets 15
Requirements to a policy � Policies need to set a high enough level to guide for longer time periods � Demonstrate organizational commitment to security � Position of responsibility to owners, partners and public � Hierarchy of policies � Concordant with organizational culture and norms Target Policies � Tactical regulation instrument � Can have operational guidelines � Specific in a target area but not to detailed 16
Product policy � Requirements to the product � Additional Security � Relaxing other policies � Formulating special target policies for products � Privacy � Confidentiality statements � Reliability statements � ... Questions ? 17
Recommend
More recommend
