Posted on 19-Dec-2015

213 views

Category:

Documents


0 download

TRANSCRIPT

E-RISE 2011: Engineering RIsk and SEcurity Requirements

By Yudistira Asnar, Fabio Massacci, Alberto Battocchi (UNITN)

and Camille Sabroux (Université Paris Dauphine)

Outline

• Background
• Objective
• Study Setting
  o Participants
  o Expected Outcomes
• Agenda

E-RISE 2011 - Yudis(c)

Background

• Increase of Security-related Incidents
  o Attacks and Breaches: identity thefts, malware, fraud
  o Regulations: EU Data Protection, EU Cybercrime, HIPAA, SOX
• Complexity of Software Systems
  o Compositional Systems
  o Future Internet Services: location-based, smart-grid, context-aware, healthcare

Trends

• New approaches to Software System Development
  o Architecture: SOA, Clouds, Mobile, Ad-hoc
  o Computing: Multi-core, multi-tenancy
  o Paradigm: Goal-, Value-, Service-, Social-oriented
• Various methods to engineer a secure system
  o Standards and Best Practices: ISO 2700X, CC, COSO, COBIT, ITIL, etc.
  o Research area: i*-based, problem frame, CORAS, domain-ontology, etc.

Security Method in Research


Taken from http://www.authormapper.com/

Do those methods work? And why?

Objective

• Evaluate and benchmark E-RISE methods through an empirical study
• Learn how and why participants intend to adopt a method
• Gather feedback to improve a method, in particular by investigating its strengths, weaknesses, and limitations

Study Setting

• Perform a series of case studies comparing how one learns, adopts, and performs a security method
• Scope of the study:
  o A method that analyzes the risk and security requirements of an information system
• Artifacts collected during the study will be analyzed to achieve the study objectives

Roles in E-RISE 2011

Participants
• Magister students with a background in Information Systems, IT architecture, IT audit, or Risk & Security Analysis
  o Université Paris Dauphine, France
  o University of Trento, Italy

Method Designers
• Researchers/practitioners who master a security method
  o Secure Tropos
  o Problem Frame
  o SI*
  o CORAS
  o COBIT

E-RISE 2011

• Participants (in groups of 4 people) will learn about a security method with the guidance of a method designer
• Groups analyze the security concerns of a given problem using the defined security method

Expected Results from E-RISE

Presentation
  o List of recommendations about security measures to the management (e.g., CTO, CEO)
  o Priority among the recommendations
  o Rationale for such recommendations

Final Executive Report (Deadline June 5, 2011)
  o Documenting the process of producing such recommendations
  o 1 page of Recommendations (max.)
  o 4 pages documenting the process for auditing purposes (max.)
  o Annexes: eventual artifacts, diagrams, tables, etc.

Agenda

• Training Phase [May 9-13, 2011]: Participants learn about the defined method
  o May 13 in Paris: meet the method designers for a face-to-face tutorial
• Application Phase [May 14-27, 2011]: Participants perform the collaborative work on the given scenario using the defined method
  o May 14-25: remotely
  o May 26-27: in Paris

Thank you
Questions?