Transcript of Resg2010 key
![Page 1: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/1.jpg)
Towards Usable Secure Requirements Engineering with IRIS
Shamal Faily, University of Oxford
![Page 2: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/2.jpg)
How rational are security and usability requirements?
Stapes USB Combination Lock (no longer available); PGP
![Page 3: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/3.jpg)
HCI can help
![Page 4: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/4.jpg)
HCI can help
HCI approaches (diagram): User Centered Design, Interaction Programming, Value-Centered HCI, Participative Design, Grounded Design, Contextual Design, Task Analysis, Usage Centered Design, Ethno-Methodology, Activity Theory
Horses for courses?
What about the requirements?
What about the security?
It’s just an engineering problem?
“there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?”
Anderson, R., Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009). 2009
![Page 8: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/8.jpg)
Current problems
• How do we represent different environments?
  Office after security awareness seminar: Confidentiality High, Accountability High
  6 PM Friday and running for the train: Availability High
  8.15 AM Monday, on the train to work: Availability Low
• Values and Context (see Being Human: Human-Computer Interaction in the Year 2020)
• Goals
Reasons for lack of industrial uptake!
What about the requirements?
What about the security?
![Page 17: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/17.jpg)
Some Good News
• Environments and Contexts of Use (diagram: User, Task, Object, Environment, Affordance)
![Page 18: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/18.jpg)
Some Good News
Requirements engineering process (diagram): Scope Problem Domain; Elicit Empirical / Conceptual Data; Analyse Problem Concerns; Validate & Manage System Evolution; Specify System
What about the requirements?
What is IRIS? A framework for specifying software systems that are secure for their contexts of use.
A Meta-Model for Usable Secure Requirements Engineering (diagram, multiplicities omitted). Concepts shown: Environment, Context of Use, Goal, Obstacle, Asset, Security Attribute, Usability Attribute, Threat, Vulnerability, Attacker, Motive, Capability, Risk, Response (Transfer, Mitigate, Accept), Countermeasure, Requirement, Task, Scenario, Persona, Misuse Case.
![Page 21: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/21.jpg)
Empirical Data, Participant data → CAIRIS Database (screenshots; text not recoverable)
NeuroGrid data upload/data download Requirements Specification
Models, Requirements, Documentation
Tool-support
Design Method (diagram): Establish Scope, Investigate Contexts, Requirements Workshops, with a transition guarded by [unresolved contexts]
![Page 22: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/22.jpg)
Relevant Concepts
Disciplines (diagram): Requirements Engineering, User-Centered Design, Security Requirements Engineering, HCI, Information Security
Concepts: Requirements, GORE (KAOS), Scenarios, Personas, Misuse-Cases, Meta-Models, Environments, Tasks, Responsibility Modelling, Risk Analysis
![Page 24: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/24.jpg)
Example: Modifying PLC Software
• Programmable Logic Controllers (PLCs) control clean and waste water processes.
• Modifications may be made under duress.
• Accidental or deliberate errors can be catastrophic.
(Image © Reed Business Information 2010)
![Page 26: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/26.jpg)
Scoping the Problem Domain
• Planned and Unplanned Environments
Asset model (diagram): Laptop, Instrument Technician, Portal, VPN, Software Repository, SysAdmin, SCADA HMI Data, PLC Software, Telemetry Software, Software Repository Manager, Configuration Data, Access PC, Corporate Network
![Page 27: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/27.jpg)
Persona building
![Page 28: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/28.jpg)
Persona building
Empirical data → Grounded Theory → Affinity Modelling
Organisational Characteristics: Role responsibility (8), Technology Demarcation (6), Governance (3), Organisational norms (34)
Supporting Roles: Sub-contractor support (5), Commissioning (6)
Tacit Knowledge: Learned experience (13), Site knowledge (7), Configuration knowledge (7), Tool knowledge (13), Backup norms (24)
Threat: Petty theft (4), Vandalism (2), Technical insider (1), Social engineering (3)
Context: Planned change (11), Unplanned change (3)
Vulnerability: Physical security perception (6), Task fatigue (5), Tool clunkiness (9), Legacy concern (12), PLC proliferation (4), Remote access (6), Network availability (4), Multiple changers (2)
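As an added example (not code from the talk or from the CAIRIS tool), the following Python models the meta-model's point, and the "how do we represent different environments?" problem, that an asset's security attributes and hence a risk's rating are valued per environment; it uses the PLC example's environments, threat and vulnerabilities named on these slides. The attribute values, the likelihood × severity × asset-value score and the Low/Medium/High bands are assumptions.

```python
from dataclasses import dataclass
# Added illustration, not IRIS/CAIRIS code. Levels and the scoring below are assumptions.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}

@dataclass
class Asset:
    name: str
    values: dict  # environment -> {security attribute: level}; no key = asset absent there
@dataclass
class Threat:
    name: str
    targets: tuple    # security attributes the threat undermines
    likelihood: dict  # environment -> level
@dataclass
class Vulnerability:
    name: str
    severity: dict    # environment -> level; no key = vulnerability not present there

def rate_risk(asset, threat, vuln, env):
    """Rate one Risk (threat exploiting vulnerability against asset) in one environment.
    Returns (score, rating), or None when any element is not in that environment."""
    if env not in asset.values or env not in threat.likelihood or env not in vuln.severity:
        return None
    targeted = [asset.values[env][a] for a in threat.targets if a in asset.values[env]]
    if not targeted:          # threat undermines nothing the asset needs here
        return None
    score = LEVEL[threat.likelihood[env]] * LEVEL[vuln.severity[env]] * max(LEVEL[v] for v in targeted)
    rating = "Low" if score <= 6 else "Medium" if score <= 12 else "High"  # assumed bands
    return score, rating

def risk_table(asset, threat, vulns, envs):
    """Rating for every (vulnerability, environment) pair; None marks pairs with no risk."""
    return {(v.name, e): rate_risk(asset, threat, v, e) for v in vulns for e in envs}

# Constructed sample data: names are the slides' concepts, the values are made up
plc_software = Asset("PLC Software", {
    "Planned change":   {"Integrity": "High", "Availability": "Medium", "Accountability": "High"},
    "Unplanned change": {"Integrity": "High", "Availability": "High", "Accountability": "Low"},
})
social_engineering = Threat("Social engineering", ("Integrity", "Accountability"),
                            {"Planned change": "Low", "Unplanned change": "Medium"})
remote_access = Vulnerability("Remote access", {"Unplanned change": "High"})
tool_clunkiness = Vulnerability("Tool clunkiness", {"Planned change": "Low", "Unplanned change": "Medium"})

if __name__ == "__main__":
    table = risk_table(plc_software, social_engineering, [remote_access, tool_clunkiness],
                       ["Planned change", "Unplanned change"])
    for (vuln, env), result in table.items():
        print(f"{vuln:16} in {env:16}: {result}")
```

The same threat and vulnerability rate High under an unplanned change and do not apply at all under a planned one, which is the environment sensitivity the slides argue a requirements method has to capture.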
![Page 30: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/30.jpg)
Workshop Walkthrough
• Persona Validation
  Alan: “There’s a lot of ignorance out there”
  Conscious of vulnerabilities arising from complex tools.
  Hopes the repository will encourage a standardised approach to software changes and backups.
• Asset Modelling
• Task Analysis
• Goal Modelling
• Requirements Specification
• Risk Analysis
Wednesday, 16 December 2009
Observations
• A natural process to participants.
• Modelling environments increases participant sensitivity to them.
• Risk Analysis is more about the destination than the journey.
• We can’t replace creativity, but we can help innovation.
![Page 38: Resg2010 key](https://reader033.fdocuments.in/reader033/viewer/2022060119/558ec5f61a28ab72628b4675/html5/thumbnails/38.jpg)
Thank you for listening!
• Any questions?
Acknowledgements: This research was funded by the EPSRC CASE Studentship R07437/CN001. We are also grateful to Qinetiq Ltd for their sponsorship of this work.