• shareshare
  • link
  • cite
  • add
auto_awesome_motion View all 4 versions
Publication . Other literature type . Conference object . 2014

Towards a Framework to Measure Security Expertise in Requirements Analysis

Hanan Hibshi; Travis D. Breaux; Maria Riaz; Laurie Williams;
Open Access  
Research shows that commonly accepted security requirements are not generally applied in practice. Instead of relying on requirements checklists, security experts rely on their expertise and background knowledge to identify security vulnerabilities. To understand the gap between available checklists and practice, we conducted a series of interviews to encode the decision-making process of security experts and novices during security requirements analysis. Participants were asked to analyze two types of artifacts: source code, and network diagrams for vulnerabilities and to apply a requirements checklist to mitigate some of those vulnerabilities. We framed our study using Situation Awareness-a cognitive theory from psychology-to elicit responses that we later analyzed using coding theory and grounded analysis. We report our preliminary results of analyzing two interviews that reveal possible decision-making patterns that could characterize how analysts perceive, comprehend and project future threats which leads them to decide upon requirements and their specifications, in addition, to how experts use assumptions to overcome ambiguity in specifications. Our goal is to build a model that researchers can use to evaluate their security requirements methods against how experts transition through different situation awareness levels in their decision-making process.
Subjects by Vocabulary

Microsoft Academic Graph classification: Computer security model Security engineering Security convergence Knowledge management business.industry business Security information and event management Data science Security through obscurity Security testing Information security Computer science Security service


80399 Computer Software not elsewhere classified, FOS: Computer and information sciences

Related Organizations
Download fromView all 5 sources
Conference object
License: cc0
Providers: UnpayWall