Post on 19-Dec-2015
E-RISE 2011: Engineering RIsk and SEcurity Requirements
By Yudistira Asnar, Fabio Massacci, Alberto Battocchi (UNITN)
and Camille Sabroux (Université Paris Dauphine)
Outline
• Background
• Objective
• Study Setting
  o Participants
  o Expected Outcomes
• Agenda
E-RISE 2011 - Yudis(c)
Background
• Increase of Security-related Incidents
  o Attacks and Breaches: identity theft, malware, fraud
  o Regulations: EU Data Protection, EU Cybercrime, HIPAA, SOX
• Complexity of Software Systems
  o Compositional Systems
  o Future Internet Services: location-based, smart-grid, context-aware, healthcare
Trends
• New approaches to Software System Development
  o Architecture: SOA, Clouds, Mobile, Ad-hoc
  o Computing: Multi-core, multi-tenancy
  o Paradigm: Goal-, Value-, Service-, Social-oriented
• Various methods to engineer a secure system
  o Standards and Best Practices: ISO 2700X, CC, COSO, COBIT, ITIL, etc.
  o Research areas: i*-based, problem frames, CORAS, domain ontologies, etc.
Objective
• Evaluate and benchmark E-RISE methods through an empirical study
• Learn how and why participants intend to adopt a method
• Gather feedback to improve a method, in particular by investigating its strengths, weaknesses, and limitations
Study Setting
• Perform a series of case studies comparing how one learns, adopts, and performs a security method
• Scope of the study:
  o A method that analyzes the risk and security requirements of an information system
• Artifacts collected during the study will be analyzed to achieve the study objectives
Roles in E-RISE 2011
Participants
• Master's students with a background in Information Systems, IT architecture, IT audit, or Risk & Security Analysis
  o Université Paris Dauphine, France
  o University of Trento, Italy
Method Designers
• Researchers/practitioners who master a security method
  o Secure Tropos
  o Problem Frames
  o SI*
  o CORAS
  o COBIT
E-RISE 2011
• Participants (in groups of 4 people) will learn about a security method with the guidance of a method designer
• Groups analyze the security concerns of a given problem using the defined security method
Expected Results from E-RISE
Presentation
  o List of recommendations about security measures to the management (e.g., CTO, CEO)
  o Priority among the recommendations
  o Rationale for such recommendations

Expected Results from E-RISE
Final Executive Report (Deadline June 5, 2011)
  o Documenting the process of producing such recommendations
  o 1 page of Recommendations (max.)
  o 4 pages documenting the process for auditing purposes (max.)
  o Annexes: any artifacts, diagrams, tables, etc.
Agenda
• Training Phase [May 9-13, 2011]: Participants learn about the defined method
  o May 13 in Paris: meet the method designers for a face-to-face tutorial
• Application Phase [May 14-27, 2011]: Participants perform the collaborative work on the given scenario using the defined method
  o May 14-25: remotely
  o May 26-27: in Paris