建立一个框架来衡量需求分析中的安全专家

2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE) Pub Date : 2014-09-08 DOI:10.1109/ESPRE.2014.6890522

Hanan Hibshi, T. Breaux, M. Riaz, L. Williams

{"title":"建立一个框架来衡量需求分析中的安全专家","authors":"Hanan Hibshi, T. Breaux, M. Riaz, L. Williams","doi":"10.1109/ESPRE.2014.6890522","DOIUrl":null,"url":null,"abstract":"Research shows that commonly accepted security requirements are not generally applied in practice. Instead of relying on requirements checklists, security experts rely on their expertise and background knowledge to identify security vulnerabilities. To understand the gap between available checklists and practice, we conducted a series of interviews to encode the decision-making process of security experts and novices during security requirements analysis. Participants were asked to analyze two types of artifacts: source code, and network diagrams for vulnerabilities and to apply a requirements checklist to mitigate some of those vulnerabilities. We framed our study using Situation Awareness-a cognitive theory from psychology-to elicit responses that we later analyzed using coding theory and grounded analysis. We report our preliminary results of analyzing two interviews that reveal possible decision-making patterns that could characterize how analysts perceive, comprehend and project future threats which leads them to decide upon requirements and their specifications, in addition, to how experts use assumptions to overcome ambiguity in specifications. Our goal is to build a model that researchers can use to evaluate their security requirements methods against how experts transition through different situation awareness levels in their decision-making process.","PeriodicalId":274809,"journal":{"name":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","volume":"273 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2014-09-08","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"7","resultStr":"{\"title\":\"Towards a framework to measure security expertise in requirements analysis\",\"authors\":\"Hanan Hibshi, T. Breaux, M. Riaz, L. Williams\",\"doi\":\"10.1109/ESPRE.2014.6890522\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Research shows that commonly accepted security requirements are not generally applied in practice. Instead of relying on requirements checklists, security experts rely on their expertise and background knowledge to identify security vulnerabilities. To understand the gap between available checklists and practice, we conducted a series of interviews to encode the decision-making process of security experts and novices during security requirements analysis. Participants were asked to analyze two types of artifacts: source code, and network diagrams for vulnerabilities and to apply a requirements checklist to mitigate some of those vulnerabilities. We framed our study using Situation Awareness-a cognitive theory from psychology-to elicit responses that we later analyzed using coding theory and grounded analysis. We report our preliminary results of analyzing two interviews that reveal possible decision-making patterns that could characterize how analysts perceive, comprehend and project future threats which leads them to decide upon requirements and their specifications, in addition, to how experts use assumptions to overcome ambiguity in specifications. Our goal is to build a model that researchers can use to evaluate their security requirements methods against how experts transition through different situation awareness levels in their decision-making process.\",\"PeriodicalId\":274809,\"journal\":{\"name\":\"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)\",\"volume\":\"273 1\",\"pages\":\"0\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2014-09-08\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"7\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ESPRE.2014.6890522\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ESPRE.2014.6890522","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 7

摘要

研究表明，普遍接受的安全需求在实践中并没有得到普遍应用。安全专家不是依靠需求检查表，而是依靠他们的专业知识和背景知识来识别安全漏洞。为了理解可用的检查表和实践之间的差距，我们进行了一系列的访谈，以便在安全需求分析期间对安全专家和新手的决策过程进行编码。参与者被要求分析两种类型的工件:源代码和漏洞的网络图，并应用需求检查表来减轻其中的一些漏洞。我们使用情境意识(一种来自心理学的认知理论)来构建我们的研究框架，以引出我们随后使用编码理论和基础分析进行分析的反应。我们报告了分析两次访谈的初步结果，这些访谈揭示了可能的决策模式，这些模式可以表征分析师如何感知、理解和预测未来的威胁，从而导致他们决定需求及其规格，此外，专家如何使用假设来克服规格中的模糊性。我们的目标是建立一个模型，研究人员可以用它来评估他们的安全需求方法，以及专家在决策过程中如何通过不同的情况感知水平进行转换。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Towards a framework to measure security expertise in requirements analysis

Research shows that commonly accepted security requirements are not generally applied in practice. Instead of relying on requirements checklists, security experts rely on their expertise and background knowledge to identify security vulnerabilities. To understand the gap between available checklists and practice, we conducted a series of interviews to encode the decision-making process of security experts and novices during security requirements analysis. Participants were asked to analyze two types of artifacts: source code, and network diagrams for vulnerabilities and to apply a requirements checklist to mitigate some of those vulnerabilities. We framed our study using Situation Awareness-a cognitive theory from psychology-to elicit responses that we later analyzed using coding theory and grounded analysis. We report our preliminary results of analyzing two interviews that reveal possible decision-making patterns that could characterize how analysts perceive, comprehend and project future threats which leads them to decide upon requirements and their specifications, in addition, to how experts use assumptions to overcome ambiguity in specifications. Our goal is to build a model that researchers can use to evaluate their security requirements methods against how experts transition through different situation awareness levels in their decision-making process.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE)

自引率

0.00%

发文量