Analytical Study of Cognitive Layered Approach for Understanding Security Requirements Using Problem Domain Ontology
Authors: Bong-Jae Kim, Seok-Won Lee
Venue: 2016 23rd Asia-Pacific Software Engineering Conference (APSEC)
DOI: 10.1109/APSEC.2016.024 (https://doi.org/10.1109/APSEC.2016.024)

Abstract
Socio-technical Systems (STS) consist of complicated requirements that must accommodate a variety of stakeholders' viewpoints, and they are inherently complex because of the heterogeneity of STS components. Security in STS remains a major issue, as shown by the cost of an STS intrusion and its impact on the whole enterprise. However, research on recommending security requirements for a target STS is insufficient. Firstly, STS lacks a systematic way of acquiring an understanding of the problem with rich context-awareness, since the knowledge needed for the development and operation of STS is scattered across sources. Secondly, most security analysis focuses only on the technical approach, although the heterogeneity of STS calls for a holistic analysis. In order to address these problems, we study a three-layered framework for recommending security requirements through goal-oriented risk assessment using a Problem Domain Ontology (PDO). Using this framework, we demonstrate how the PDO is built by collecting, analyzing, and categorizing information and knowledge from various sources, and how security requirements are recommended from the threat analysis and the goal-oriented risk assessment based on the PDO. In addition, we discuss the applicability of this framework with a case study based on a real threat scenario. This paper contributes to security requirements engineering research by proposing a methodology for systematically organizing knowledge within a security requirements recommendation framework using the PDO.