Resg2010 key

  1. Towards Usable Secure Requirements Engineering with IRIS. Shamal Faily, University of Oxford
  2. How rational are security and usability requirements? Stapes USB Combination Lock; PGP (no longer available)
  3. HCI can help
  4. HCI can help: Ethnomethodology, Contextual Design, Interaction Design, Programming, Activity Theory, Grounded Design, User Centered Design, Task Analysis, Participative Design, Usage Centered Design, Value-Centered HCI. Horses for courses?
  5. HCI can help: Ethnomethodology, Contextual Design, Interaction Design, Programming, Activity Theory, Grounded Design, User Centered Design, Task Analysis, Participative Design, Usage Centered Design, Value-Centered HCI. Horses for courses? What about the requirements?
  6. HCI can help: Ethnomethodology, Contextual Design, Interaction Design, Programming, Activity Theory, Grounded Design, User Centered Design, Task Analysis, Participative Design, Usage Centered Design, Value-Centered HCI. Horses for courses? What about the requirements? What about security?
  7. It’s just an engineering problem? “there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?” Anderson, R., Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009). 2009
  8. Current problems • How do we represent different environments?
  9. Current problems • How do we represent different environments? Confidentiality: High, Accountability: High. Office, after a security awareness seminar
  10. Current problems • How do we represent different environments? Availability: High. 6 PM Friday, running for the train
  11. Current problems • How do we represent different environments? Availability: Low. 8.15 AM Monday, on the train to work
  12. Current problems
  13. Current problems • Values and Context (Being Human: Human-Computer Interaction in the Year 2020)
  14. Current problems • Values and Context • Reasons for lack of industrial uptake! • Goals
  15. Current problems • Values and Context • Reasons for lack of industrial uptake! • Goals. What about the requirements?
  16. Current problems • Values and Context • Reasons for lack of industrial uptake! • Goals. What about the requirements? What about security?
  17. Some Good News • Environments and Contexts of Use: Environment, User, Task, Affordance, Object
  18. Some Good News: Elicit & Scope Problem Domain → Analyse Problem Concerns → Validate Empirical / Conceptual Data → Specify System → Manage System Evolution
  19. Some Good News: Elicit & Scope Problem Domain → Analyse Problem Concerns → Validate Empirical / Conceptual Data → Specify System → Manage System Evolution. What about the requirements?
  20. What is IRIS? A framework for specifying software systems that are secure for their contexts of use. [Figure: A Meta-Model for Usable Secure Requirements Engineering, relating Context of Use, Environment, Goal, Obstacle, Task, Persona, Scenario, Misuse Case, Threat, Motive, Attacker, Capability, Vulnerability, Risk, Response (Accept, Transfer, Mitigate), Asset, Security Attribute, Usability Attribute, Requirement and Countermeasure; the multiplicities are not recoverable from the extracted text]
  21. What is IRIS? A framework for specifying software systems that are secure for their contexts of use. [Figure: the IRIS meta-model placed alongside the process around it: Empirical Data and Participant data feed Establish Scope and Investigate Contexts, the CAIRIS Database holds the models, and Workshops produce the NeuroGrid data upload/data download Requirements Specification; the outputs are summarised as Models, Requirements, Documentation, Design Method and Tool-support. The remaining figure text is unrecoverable]
  22. Relevant Concepts
  23. Relevant Concepts: Requirements Engineering, GORE (KAOS), User-Centered Design, Scenarios, Misuse Cases, Security Requirements Engineering, Personas, Meta-Models, Risk Analysis, Environments, Tasks, Responsibility Modelling, Information Security, HCI
  24. Example: Modifying PLC Software • Programmable Logic Controllers (PLC) control clean and waste water processes. • Modifications may be made under duress. • Accidental or deliberate errors can be catastrophic.
  25. Example: Modifying PLC Software • Programmable Logic Controllers (PLC) control clean and waste water processes. • Modifications may be made under duress. • Accidental or deliberate errors can be catastrophic. (Image © Reed Business Information 2010)
  26. Scoping the Problem Domain • Planned and Unplanned Environments. [Figure: Sys Admin, Configuration Data, SCADA HMI Data, Software Repository Portal, PLC Software, Telemetry Software, VPN, Corporate Network, Laptop Access PC, Software Repository Manager, Instrument Technician]
  27. Persona building
  28. Persona building: Empirical data → Grounded Theory → Affinity Modelling. [Figure: affinity model with categories Characteristics, Organisational Context, Technology, Supporting Roles, Tacit Knowledge, Vulnerability and Threat; codes with frequencies include Governance (3), Planned change (11), Unplanned change (3), Demarcation (6), Role responsibility (8), Organisational norms (34), Learned experience (13), Site knowledge (7), Configuration knowledge (7), Sub-contractor support (5), Commissioning (6), Tool knowledge (13), Backup norms (24), Physical security perception (6), Tool clunkiness (9), Task fatigue (5), Remote access availability (4), Petty theft (4), Vandalism (2), PLC insider (1), Multiple changers (2), Legacy concern (12), among others whose labels did not survive extraction]
  29. Persona building
  30. Workshop Walkthrough
  31. Workshop Walkthrough • Persona Validation: Alan • “There’s a lot of ignorance out there” • Conscious of vulnerabilities arising from complex tools. • Hopes the repository will encourage a standardised approach to software changes and backups. Wednesday, 16 December 2009
  32. Workshop Walkthrough • Persona Validation • Asset Modelling
  33. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis
  34. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis • Goal Modelling
  35. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis • Goal Modelling • Requirements Specification
  36. Workshop Walkthrough • Persona Validation • Asset Modelling • Task Analysis • Goal Modelling • Requirements Specification • Risk Analysis
  37. Observations • A natural process to participants. • Modelling environments increases participant sensitivity to them. • Risk Analysis is more about the destination than the journey. • We can’t replace creativity, but we can help innovation.
  38. Thank you for listening! • Any questions? Acknowledgements: This research was funded by the EPSRC CASE Studentship R07437/CN001. We are also grateful to Qinetiq Ltd for their sponsorship of this work.
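The deck's central point, made on slides 8 to 11 and formalised in the meta-model on slides 20 and 21, is that an asset's security attributes, and therefore its risks, depend on the context of use: the same PLC software is valued differently in the office after a security seminar than on the Monday commute. The following is an added example, not code from the deck, from IRIS or from the CAIRIS tool; it models a handful of the meta-model's concepts (Environment, Asset, Security Attribute, Threat, Vulnerability, Risk, Countermeasure and the Mitigate response) to show how one risk scores differently per environment and how a countermeasure deployed in only some environments leaves residual risk in the others. The four-point LEVELS scale, the multiplicative scoring, and every name and value in the sample model are constructed assumptions for illustration and not how IRIS or CAIRIS actually rate risk.

```python
from dataclasses import dataclass

# Ordinal scale for likelihood, severity and security-attribute values.
# Constructed for this example; not the scale used by IRIS or CAIRIS.
LEVELS = {"None": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    # Security attribute values per environment, e.g.
    # {"Office": {"Confidentiality": "High"}}: the same asset is
    # valued differently in each context of use.
    attributes: dict


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: str          # LEVELS key
    attribute: str           # security attribute the threat acts against
    environments: frozenset  # contexts of use in which the threat exists


@dataclass(frozen=True)
class Vulnerability:
    name: str
    severity: str            # LEVELS key
    environments: frozenset  # contexts of use in which it is exposed


@dataclass(frozen=True)
class Countermeasure:
    name: str
    reduces_severity_to: str   # residual vulnerability severity where deployed
    environments: frozenset    # contexts of use it is deployed in
    hinders_tasks: tuple = ()  # usability cost: tasks it makes harder


@dataclass(frozen=True)
class Risk:
    name: str
    threat: Threat
    vulnerability: Vulnerability
    asset: Asset


def risk_score(risk: Risk, environment: str) -> int:
    """Constructed scoring: likelihood x severity x value of the threatened
    attribute, all read for the given environment. A risk whose threat or
    vulnerability is absent from an environment is not exposed there: 0."""
    if environment not in risk.threat.environments:
        return 0
    if environment not in risk.vulnerability.environments:
        return 0
    values = risk.asset.attributes.get(environment, {})
    value = values.get(risk.threat.attribute, "None")
    return (LEVELS[risk.threat.likelihood]
            * LEVELS[risk.vulnerability.severity]
            * LEVELS[value])


def residual_score(risk: Risk, cm: Countermeasure, environment: str) -> int:
    """'Mitigate' response: where the countermeasure is deployed it lowers the
    vulnerability's severity; elsewhere the original risk stands unchanged."""
    if environment not in cm.environments:
        return risk_score(risk, environment)
    v = risk.vulnerability
    reduced = Vulnerability(v.name, cm.reduces_severity_to, v.environments)
    return risk_score(Risk(risk.name, risk.threat, reduced, risk.asset), environment)


def risk_table(risk: Risk, cm: Countermeasure, environments) -> dict:
    """Map each environment to (score before, score after) the countermeasure."""
    return {e: (risk_score(risk, e), residual_score(risk, cm, e)) for e in environments}


# Constructed sample model, loosely following the deck's three environments
# and its PLC software repository example. All names and values are invented.
ENVIRONMENTS = ("Office", "Friday evening", "Monday commute")

PLC_SOFTWARE = Asset("PLC Software", {
    "Office":         {"Confidentiality": "High",   "Accountability": "High",   "Availability": "Medium"},
    "Friday evening": {"Confidentiality": "Medium", "Accountability": "Medium", "Availability": "High"},
    "Monday commute": {"Confidentiality": "Medium", "Accountability": "Low",    "Availability": "Low"},
})
UNTRACEABLE_CHANGE = Threat("Untraceable software change", "Medium",
                            "Accountability", frozenset(ENVIRONMENTS))
SHARED_LOGIN = Vulnerability("Shared repository login", "High", frozenset(ENVIRONMENTS))
PER_USER_ACCOUNTS = Countermeasure("Per-user repository accounts", "Low",
                                   frozenset({"Office", "Friday evening"}),
                                   hinders_tasks=("Emergency PLC change",))
CHANGE_RISK = Risk("Untraceable PLC change", UNTRACEABLE_CHANGE, SHARED_LOGIN, PLC_SOFTWARE)


if __name__ == "__main__":
    table = risk_table(CHANGE_RISK, PER_USER_ACCOUNTS, ENVIRONMENTS)
    for env, (before, after) in table.items():
        print(f"{env:15s} risk {before:2d} -> {after:2d} with {PER_USER_ACCOUNTS.name}")
    print("Tasks hindered:", ", ".join(PER_USER_ACCOUNTS.hinders_tasks))
```

Running it shows the same threat and vulnerability scoring 18 in the office, 12 on Friday evening and 6 on the Monday commute, and that the countermeasure brings the first two down while leaving the commute score untouched because it is not deployed there. The `hinders_tasks` field is where a usability attribute would attach: the deck's point that risk analysis is "more about the destination than the journey" is easier to act on when the task a countermeasure disrupts is recorded next to the risk it reduces.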
