Abstract
Use cases are widely used for functional requirements elicitation. However, security non-functional requirements are often neglected in this requirements analysis process. As systems become increasingly complex, current means of analysis will probably prove ineffective. In the safety domain, a variety of effective analysis techniques have emerged over many years. Since the safety and security domains share many similarities, various authors have suggested that safety techniques might usefully find application in security. This paper takes one such technique, HAZOP, and applies it to one widely used functional requirement elicitation component, UML use cases, in order to provide systematic analysis of potential security issues at the start of system development.
Copyright information
© 2004 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Srivatanakul, T., Clark, J.A., Polack, F. (2004). Effective Security Requirements Analysis: HAZOP and Use Cases. In: Zhang, K., Zheng, Y. (eds) Information Security. ISC 2004. Lecture Notes in Computer Science, vol 3225. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-30144-8_35
DOI: https://doi.org/10.1007/978-3-540-30144-8_35
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-23208-7
Online ISBN: 978-3-540-30144-8
eBook Packages: Springer Book Archive