Resg2010 key

Posted on 27-Jun-2015


Towards Usable Secure Requirements Engineering with IRIS

Shamal Faily, University of Oxford

How rational are security and usability requirements?

Stapes USB Combination Lock (no longer available)

PGP

HCI can help

• User Centered Design

• Interaction Programming

• Value-Centered HCI

• Participative Design

• Grounded Design

• Contextual Design

• Task Analysis

• Usage Centered Design

• Ethno-Methodology

• Activity Theory

Horses for courses?

What about the requirements?

What about the security?

It’s just an engineering problem?

“there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?”

Anderson, R., Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009). 2009.

Current problems

• How do we represent different environments?

Office after security awareness seminar: Confidentiality: High, Accountability: High

6 PM Friday and running for the train: Availability: High

8.15 AM Monday - on the train to work: Availability: Low

Current problems

• Values and Context (BEING HUMAN: HUMAN-COMPUTER INTERACTION IN THE YEAR 2020)

• Goals

Reasons for lack of industrial uptake!

What about the requirements?

What about the security?

Some Good News

• Environments and Contexts of Use (figure: Object, User, Task, Environment, Affordance)

• Process (figure): Scope Problem Domain, Elicit Empirical / Conceptual Data, Analyse Problem Concerns, Validate & Manage System Evolution, Specify System

What about the requirements?

What is IRIS? A framework for specifying software systems that are secure for their contexts of use.

[Figure: A Meta-Model for Usable Secure Requirements Engineering. Concepts shown: Environment, Context of Use, Goal, Obstacle, Requirement, Asset, Security Attribute, Usability Attribute, Threat, Vulnerability, Attacker (Motive, Capability), Risk, Misuse Case, Response (Transfer, Mitigate, Accept), Countermeasure, Task, Scenario, Persona.]

Empirical Data, Participant data

CAIRIS Database


NeuroGrid data upload/data download Requirements Specification

Models, Requirements, Documentation

Tool-support


Design Method (figure): Establish Scope, Investigate Contexts, Requirements Workshops, with an [unresolved contexts] transition.

Relevant Concepts

• Requirements

• GORE (KAOS)

• Requirements Engineering

• Scenarios

• Personas

• User-Centered Design

• Misuse Cases

• Meta-Models

• Security Requirements Engineering

• Environments

• Tasks

• HCI

• Responsibility Modelling

• Risk Analysis

• Information Security

Example: Modifying PLC Software

• Programmable Logic Controllers (PLC) control clean and waste water processes.

• Modifications may be made under duress.

• Accidental or deliberate errors can be catastrophic.

(Image © Reed Business Information 2010)

Scoping the Problem Domain

• Planned and Unplanned Environments

[Figure: asset model showing Laptop, Instrument Technician, Portal, VPN, Software Repository, SysAdmin, SCADA HMI Data, PLC Software, Telemetry Software, Software Repository Manager, Configuration Data, Access PC, Corporate Network.]

Persona building

Empirical data, Grounded Theory

Organisational Characteristics: Role responsibility (8), Technology Demarcation (6), Governance (3), Organisational norms (34)

Supporting Roles: Sub-contractor support (5), Commissioning (6)

Tacit Knowledge: Learned experience (13), Site knowledge (7), Configuration knowledge (7), Tool knowledge (13), Backup norms (24)

Threat: Petty theft (4), Vandalism (2), Technical insider (1), Social engineering (3)

Context: Planned change (11), Unplanned change (3)

Vulnerability: Physical security perception (6), Task fatigue (5), Tool clunkiness (9), Legacy concern (12), PLC proliferation (4), Remote access (6), Network availability (4), Multiple changers (2)

Affinity Modelling

Workshop Walkthrough

• Persona Validation

Alan

• “There’s a lot of ignorance out there”

• Conscious of vulnerabilities arising from complex tools.

• Hopes the repository will encourage a standardised approach to software changes and backups.

Wednesday, 16 December 2009

• Asset Modelling

• Task Analysis

• Goal Modelling

• Requirements Specification

• Risk Analysis

Observations

• A natural process to participants.

• Modelling environments increases participant sensitivity to them.

• Risk Analysis is more about the destination than the journey.

• We can’t replace creativity, but we can help innovation.

Thank you for listening!

• Any questions?

Acknowledgements

This research was funded by the EPSRC CASE Studentship R07437/CN001. We are also grateful to Qinetiq Ltd for their sponsorship of this work.