publication . Other literature type . Conference object . 2014

Towards a framework to measure security expertise in requirements analysis

Hanan Hibshi; Travis D. Breaux; Maria Riaz; Laurie Williams;
Open Access
  • Published: 01 Jan 2014
  • Publisher: Zenodo
Abstract
Research shows that commonly accepted security requirements are not generally applied in practice. Instead of relying on requirements checklists, security experts rely on their expertise and background knowledge to identify security vulnerabilities. To understand the gap between available checklists and practice, we conducted a series of interviews to encode the decision-making process of security experts and novices during security requirements analysis. Participants were asked to analyze two types of artifacts: source code, and network diagrams for vulnerabilities and to apply a requirements checklist to mitigate some of those vulnerabilities. We framed our study using Situation Awareness-a cognitive theory from psychology-to elicit responses that we later analyzed using coding theory and grounded analysis. We report our preliminary results of analyzing two interviews that reveal possible decision-making patterns that could characterize how analysts perceive, comprehend and project future threats which leads them to decide upon requirements and their specifications, in addition, to how experts use assumptions to overcome ambiguity in specifications. Our goal is to build a model that researchers can use to evaluate their security requirements methods against how experts transition through different situation awareness levels in their decision-making process.
Subjects
free text keywords: 80399 Computer Software not elsewhere classified, FOS: Computer and information sciences, Data science, Security service, Security testing, Information security, Knowledge management, business.industry, business, Security through obscurity, Computer security model, Security engineering, Security information and event management, Security convergence, Computer science
Download fromView all 4 versions
Open Access
ZENODO
Conference object . 2014
Providers: ZENODO
null
https://doi.org/10.1184/r1/662...
Other literature type . 2014
Providers: Datacite
null
https://doi.org/10.1184/r1/662...
Other literature type . 2014
Providers: Datacite
Any information missing or wrong?Report an Issue