Threat Analysis in Goal-Oriented Security Requirements Modelling

Per Håkon Meland; Elda Paja; Erlend Andreas Gjære; Stéphane Paul; Fabiano Dalpiaz; Paolo Giorgini

doi:10.4018/ijsse.2014040101

Threat Analysis in Goal-Oriented Security Requirements Modelling

Computer Systems and Software Engineering ◽

10.4018/978-1-5225-3923-0.ch085 ◽

2017 ◽

pp. 2025-2042 ◽

Cited By ~ 2

Author(s):

Per Håkon Meland ◽

Elda Paja ◽

Erlend Andreas Gjære ◽

Stéphane Paul ◽

Fabiano Dalpiaz ◽

...

Keyword(s):

Traffic Management ◽

Mutual Influence ◽

Automated Analysis ◽

Security Requirements ◽

Tool Support ◽

Security Issues ◽

Raising Awareness ◽

Goal Modelling ◽

Threat Modelling ◽

High Level

Goal and threat modelling are important activities of security requirements engineering: goals express why a system is needed, while threats motivate the need for security. Unfortunately, existing approaches mostly consider goals and threats separately, and thus neglect the mutual influence between them. In this paper, the authors address this deficiency by proposing an approach that extends goal modelling with threat modelling and analysis. The authors show that this effort is not trivial and a trade-off between visual expressiveness, usability and usefulness has to be considered. Specifically, the authors integrate threat modelling with the socio-technical security modelling language (STS-ml), introduce automated analysis techniques that propagate threats in the combined models, and present tool support that enables reuse of threats facilitated by a threat repository. The authors illustrate their approach on a case study from the Air Traffic Management (ATM) domain, from which they extract some practical challenges. The authors conclude that threats provide a useful foundation and justification for the security requirements that the authors derive from goal modelling, but this should not be considered as a replacement to risk assessment. The usage of goals and threats early in the development process allows raising awareness of high-level security issues that occur regardless of the chosen technology and organizational processes.

Download Full-text

Research trends and solutions for secure traffic management of SDN

APTIKOM Journal on Computer Science and Information Technologies ◽

10.34306/csit.v2i3.70 ◽

2020 ◽

Vol 2 (3) ◽

pp. 97-105

Author(s):

Ravi Shankar Pandey ◽

Vivek Srivastava ◽

Lal Babu Yadav

Keyword(s):

Traffic Management ◽

Single Point ◽

Research Trends ◽

Security Requirements ◽

New Paradigm ◽

Research Papers ◽

Malicious Attack ◽

Security Issues ◽

Free Environment ◽

New Research

Software Defined Network (SDN) decouples the responsibilities of route management and datatransmission of network devices present in network infrastructure. It integrates the control responsibility at thecentralized software component which is known as controller. This centralized aggregation of responsibilities mayresult the single point of failure in the case malicious attack at the controller side. These attacks may also affect thetraffic flow and network devices. The security issues due to such malicious attacks in SDN are dominating challengesin the implementation and utilization of opportunities provided by this new paradigm. In this paper we haveinvestigated the several research papers related to proposal of new research trends for security and suggestionswhich fulfil the security requirements like confidentiality, integrity, availability, authenticity, authorization,nonrepudiation, consistency, fast responsiveness and adaptation. We have also investigated the new future researchfor creating the attack free environment for implementing the SDN.

Download Full-text

Security Reference Architecture for Cyber-Physical Systems (CPS)

JUCS - Journal of Universal Computer Science ◽

10.3897/jucs.68539 ◽

2021 ◽

Vol 27 (6) ◽

pp. 609-634

Author(s):

Julio Moreno ◽

David G. Rosado ◽

Luis E. Sánchez ◽

Manuel A. Serrano ◽

Eduardo Fernández-Medina

Keyword(s):

Global Perspective ◽

Security Requirements ◽

Reference Architecture ◽

Security Issues ◽

Starting Point ◽

Secure Environment ◽

Engineered Systems ◽

Control Technologies ◽

Definition Of ◽

High Level

Cyber-physical systems (CPS) are the next generation of engineered systems into which computing, communication, and control technologies are now being closely integrated. They play an increasingly important role in critical infrastructures, governments and everyday life. Security is crucial in CPS, but they were not, unfortunately, initially conceived as a secure environment, and if these security issues are to be incorporated, then security must be considered from the very beginning of the system design. One way in which to solve this problem is by having a global perspective, which can be achieved by employing a Reference Architecture (RA), since it is a high-level abstraction of a system that could be useful in the implementation of complex systems. It is widely accepted that adding elements in order to address many security factors (integrity, confidentiality, availability, etc.) and facilitate the definition of the security requirements of a Security Reference Architecture (SRA) is a good starting point when attempting to solve these kinds of cybersecurity problems and protect the system from the beginning of the development. An SRA makes it possible to define the key elements of a specific environment, thus allowing a better understanding of the inherent elements of the environments, while promoting the integration of security aspects and mechanisms. The present paper, therefore, presents the definition of an SRA for CPS by using UML models in an attempt to facilitate secure CPS implementations.

Download Full-text

UTM-Chain: Blockchain-Based Secure Unmanned Traffic Management for Internet of Drones

Sensors ◽

10.3390/s21093049 ◽

2021 ◽

Vol 21 (9) ◽

pp. 3049

Author(s):

Azza Allouch ◽

Omar Cheikhrouhou ◽

Anis Koubâa ◽

Khalifa Toumi ◽

Mohamed Khalgui ◽

...

Keyword(s):

Traffic Management ◽

Flight Path ◽

Security Requirements ◽

Unmanned Aerial Systems ◽

Security Threats ◽

Traffic Data ◽

Security Issues ◽

Low Altitude ◽

Aerial Systems ◽

And Storage

Unmanned aerial systems (UAVs) are dramatically evolving and promoting several civil applications. However, they are still prone to many security issues that threaten public safety. Security becomes even more challenging when they are connected to the Internet as their data stream is exposed to attacks. Unmanned traffic management (UTM) represents one of the most important topics for small unmanned aerial systems for beyond-line-of-sight operations in controlled low-altitude airspace. However, without securing the flight path exchanges between drones and ground stations or control centers, serious security threats may lead to disastrous situations. For example, a predefined flight path could be easily altered to make the drone perform illegal operations. Motivated by these facts, this paper discusses the security issues for UTM’s components and addresses the security requirements for such systems. Moreover, we propose UTM-Chain, a lightweight blockchain-based security solution using hyperledger fabric for UTM of low-altitude UAVs which fits the computational and storage resources limitations of UAVs. Moreover, UTM-Chain provides secure and unalterable traffic data between the UAVs and their ground control stations. The performance of the proposed system related to transaction latency and resource utilization is analyzed by using cAdvisor. Finally, the analysis of security aspects demonstrates that the proposed UTM-Chain scheme is feasible and extensible for the secure sharing of UAV data.

Download Full-text

Research trends and solutions for secure traffic management of SDN

APTIKOM Journal on Computer Science and Information Technologies ◽

10.11591/aptikom.j.csit.68 ◽

2017 ◽

Vol 2 (3) ◽

pp. 97-105

Author(s):

Ravi Shankar Pandey ◽

Vivek Srivastava ◽

Lal Babu Yadav

Keyword(s):

Traffic Management ◽

Single Point ◽

Research Trends ◽

Security Requirements ◽

Future Research ◽

New Paradigm ◽

Malicious Attack ◽

Security Issues ◽

Free Environment ◽

New Research

Software Defined Network (SDN) decouples the responsibilities of route management and data transmission of network devices present in network infrastructure. It integrates the control responsibility at the centralized software component which is known as controller. This centralized aggregation of responsibilities may result the single point of failure in the case malicious attack at the controller side. These attacks may also affect the traffic flow and network devices. The security issues due to such malicious attacks in SDN are dominating challenges in the implementation and utilization of opportunities provided by this new paradigm. In this paper we have investigated the several research papers related to proposal of new research trends for security and suggestions which fulfil the security requirements like confidentiality, integrity, availability, authenticity, authorization, nonrepudiation, consistency, fast responsiveness and adaptation. We have also investigated the new future research for creating the attack free environment for implementing the SDN.

Download Full-text

Method Development and Determination of Chlorinated Polycyclic Aromatic Hydrocarbons in Different Matrices

Food Analytical Methods ◽

10.1007/s12161-020-01956-4 ◽

2021 ◽

Author(s):

Carsten Schörnick ◽

Anja Lüth ◽

Birgit Wobst ◽

Wolfgang Rotard

Keyword(s):

Polycyclic Aromatic Hydrocarbons ◽

Aromatic Hydrocarbons ◽

Method Development ◽

Automated Analysis ◽

Proficiency Tests ◽

Level Of Automation ◽

Polycyclic Aromatic ◽

Food And Feed ◽

Performance Check ◽

High Level

AbstractThe aim of this study was to develop an analytical method, which separates selected chlorinated polycyclic aromatic hydrocarbons (Cl-PAHs) from fat, and fat-free or vegetable matrices. The method contains extraction-, cleanup-, and quantification steps. Integration of automated analysis actions, as in extraction and cleanup, should enhance the reproducibility, precision, and efficiency of the method. This was confirmed by validation of the overall analytical process. In the end, as a performance check, the developed method was applied on different matrices, e.g., tea, rice, grilled pork, and eel and predator eggs, as a non-food example. An inter-laboratory check was initiated as replacement for the lack of proficiency tests. Due to the high level of automation, both personnel and time effort are very low. In addition, the method is very robust with regard to the variability of the solvent selection and the loss of analytes by evaporation to dryness. It could be demonstrated that the developed method is applicable to different matrices with reproducible and precise results. This applies also to low-fat food and feed.

Download Full-text

Users’ attitude on perceived security of enterprise systems mobility: an empirical study

Information and Computer Security ◽

10.1108/ics-05-2020-0069 ◽

2021 ◽

Vol ahead-of-print (ahead-of-print) ◽

Author(s):

Ramaraj Palanisamy ◽

Yang Wu

Keyword(s):

Cloud Computing ◽

Best Practices ◽

Empirical Study ◽

Mobile Systems ◽

Mobile Technologies ◽

Content Type ◽

Security Issues ◽

Study Results ◽

Perceived Security ◽

High Level

Purpose This study/ paper aims to empirically examine the user attitude on perceived security of enterprise systems (ES) mobility. Organizations are adopting mobile technologies for various business applications including ES to increase the flexibility and to gain sustainable competitive advantage. At the same time, end-users are exposed to security issues when using mobile technologies. The ES have seen breaches and malicious intrusions thereby more sophisticated recreational and commercial cybercrimes have been witnessed. ES have seen data breaches and malicious intrusions leading to more sophisticated cybercrimes. Considering the significance of security in ES mobility, the research questions in this study are: What are the security issues of ES mobility? What are the influences of users’ attitude towards those security issues? What is the impact of users’ attitude towards security issues on perceived security of ES mobility? Design/methodology/approach These questions are addressed by empirically testing a security model of mobile ES by collecting data from users of ES mobile systems. Hypotheses were evolved and tested by data collected through a survey questionnaire. The questionnaire survey was administered to 331 users from Chinese small and medium-sized enterprises (SME). The data was statistically analysed by tools such as correlation, factor analysis, regression and the study built a structural equation model (SEM) to examine the interactions between the variables. Findings The study results have identified the following security issues: users’ attitude towards mobile device security issues; users’ attitude towards wireless network security issues; users’ attitude towards cloud computing security issues; users’ attitude towards application-level security issues; users’ attitude towards data (access) level security issues; and users’ attitude towards enterprise-level security issues. Research limitations/implications The study results are based on a sample of users from Chinese SMEs. The findings may lack generalizability. Therefore, researchers are encouraged to examine the model in a different context. The issues requiring further investigation are the role of gender and type of device on perceived security of ES mobile systems. Practical implications The results show that the key security issues are related to a mobile device, wireless network, cloud computing, applications, data and enterprise. By understanding these issues and the best practices, organizations can maintain a high level of security of their mobile ES. Social implications Apart from understanding the best practices and the key issues, the authors suggest management and end-users to work collaboratively to achieve a high level of security of the mobile ES. Originality/value This is an empirical study conducted from the users’ perspective for validating the set of research hypotheses related to key security issues on the perceived security of mobile ES.

Download Full-text

Intrusion Detection System for AES Encripted Low-Power IoT Networks

10.14210/cotb.v12.p392-399 ◽

2021 ◽

Author(s):

Eduardo De Oliveira Burger Monteiro Luiz ◽

Alessandro Copetti ◽

Luciano Bertini ◽

Juliano Fontoura Kazienko

Keyword(s):

Low Power ◽

Detection System ◽

Denial Of Service ◽

Security Requirements ◽

Power Devices ◽

Dos Attacks ◽

Reflection Attack ◽

Ipv6 Protocol ◽

Iot Devices ◽

High Level

The introduction of the IPv6 protocol solved the problem of providingaddresses to network devices. With the emergence of the Internetof Things (IoT), there was also the need to develop a protocolthat would assist in connecting low-power devices. The 6LoWPANprotocols were created for this purpose. However, such protocolsinherited the vulnerabilities and threats related to Denial of Service(DoS) attacks from the IPv4 and IPv6 protocols. In this paper, weprepare a network environment for low-power IoT devices usingCOOJA simulator and Contiki operating system to analyze theenergy consumption of devices. Besides, we propose an IntrusionDetection System (IDS) associated with the AES symmetric encryptionalgorithm for the detection of reflection DoS attacks. Thesymmetric encryption has proven to be an appropriate methoddue to low implementation overhead, not incurring in large powerconsumption, and keeping a high level of system security. The maincontributions of this paper are: (i) implementation of a reflectionattack algorithm for IoT devices; (ii) implementation of an intrusiondetection system using AES encryption; (iii) comparison ofthe power consumption in three distinct scenarios: normal messageexchange, the occurrence of a reflection attack, and runningIDS algorithm. Finally, the results presented show that the IDSwith symmetric cryptography meets the security requirements andrespects the energy limits of low-power sensors.

Download Full-text

LOCAL AUTHORITIES AND EMPOWERED BUSINESS: SCENARIOS OF MUTUAL INFLUENCE OF MUNICIPAL HEADS AND ENTREPRENEURS IN RUSSIAN MUNICIPALITIES

Вестник Пермского университета Политология ◽

10.17072/2218-1067-2020-3-64-72 ◽

2020 ◽

Vol 14 (3) ◽

pp. 64-72

Author(s):

Tatiana Vitkovskaya ◽

◽

Keyword(s):

Research Method ◽

Social Ties ◽

Mutual Influence ◽

Local Authorities ◽

Conflict Of Interests ◽

Main Research ◽

Political Status ◽

Local Business ◽

High Level ◽

Medium Businesses

The article discusses the policy of the municipalities' Heads in relation to entrepreneurs acquiring a political status and deputies with a business background. The Heads strive to maintain a high level of influence within the territory. Entrepreneurs see their entry into legislatures as an opportunity to acquire new social ties, including ones with officials, and as an opportunity to normatively regulate the context of business activities on the territory. Two scenarios of the relations between the Head and businessmen are identified: the cooperation and the conflict. Commonality or conflict of interests of the municipality and local business determine the choice of a strategy. The intensity of conflict or consensus is determined by the measure of support that the parties give each other. The article explores the interaction of Heads with small and medium businesses. The article is based on the results of the research conducted in four municipalities of the Sverdlovsk and Perm Regions. The main research method is interviews with Heads and other actors of local policies.

Download Full-text

Internal Control Considerations for Information System Changes and Patches

Advances in Business Information Systems and Analytics - Information Systems and Technology for Organizational Agility, Intelligence, and Resilience ◽

10.4018/978-1-4666-5970-4.ch008 ◽

2014 ◽

pp. 161-179 ◽

Cited By ~ 2

Author(s):

Jeffrey S. Zanzig ◽

Guillermo A. Francia III ◽

Xavier P. Francia

Keyword(s):

Information System ◽

Information Systems ◽

Internal Control ◽

Security Requirements ◽

Information Technology Professionals ◽

Organization Management ◽

Internal Auditors ◽

Security Issues ◽

System Changes ◽

Current Change

The dependence of businesses on properly functioning information systems to allow organizational personnel and outside investors to make important decisions has never been more pronounced. Information systems are constantly evolving due to operational and security requirements. These changes to information systems involve a risk that they could occur in a way that results in improper processing of information and/or security issues. The purpose of this chapter is to consider related guidance provided in a Global Technology Audit Guide (GTAG) from The Institute of Internal Auditors in conjunction with current change and patch management literature in order to assist internal auditors and organizational personnel in better understanding a process that leads to efficient and effective information system changes. The authors describe how internal auditors and information technology professionals can work together with organization management to form a mature approach in addressing both major information system changes and patches.

Download Full-text