Making Trade-offs among Security and Other Requirements during System Design

Employing a design solution can satisfy some requirements while having negative side-effects on other software requirements and project objectives. Ultimately, selecting a design solution among multiple options involves making trade-offs among competing requirements. These trade-offs, especially at the early stages of software development, are often hard to identify or quantify, and can be subjective. Security is one critical requirement among many, and it can cause critical trade-offs and severe costs. Damages from security attacks can be overwhelming, and the costs increase every year. The threat of vulnerabilities and their exploitation by potential adversaries calls for careful analysis of security risks and of the trade-offs that security solutions impose, from the viewpoints of both defenders and attackers. Since software developers and analysts are usually not security experts, detecting potential threats within software systems can be problematic. Even when threats are known, the risk factors, namely the probability of a successful attack and the resulting damage of a successful attack, are not always known or numerically measurable. In this situation, selecting proper security solutions can be challenging, since the mitigating impacts and side-effects of solutions are often not quantifiable. This thesis addresses such challenges in identifying and making trade-offs among security and other system requirements and stakeholders' goals. This work introduces a framework for identifying and modeling security risks and requirements trade-offs. The central idea in this thesis is analyzing security requirements on the basis of predicting software vulnerabilities, weaknesses or flaws that can be exploited to break into the system.

Vulnerabilities and exploitation scenarios are specified within goal-oriented requirements models of the system. This approach enables analysis of vulnerability exploitations and their impacts on the running system. The structure of goal-oriented security requirements models enables tracing the ultimate impacts of the exploitations on high-level goals of stakeholders and design objectives. In order to evaluate the risk of vulnerabilities, this framework intertwines the Common Vulnerability Scoring System (CVSS) with security requirements risk assessment. The proposed framework provides a decision aid method that takes into account risks, competing requirements, security solutions, their impacts on risks, and their side-effects on other requirements, to help decision makers select a solution among alternative security solutions. The proposed decision analysis method helps analysts make requirements trade-offs systematically, in the absence of quantitative data, or when a mixture of quantitative and qualitative data is available.

Bibliographic Details

Main Author: Elahi, Golnaz
Other Authors: Yu, Eric
Language: en_ca
Published: 2012 (Thesis)
Subjects: Security; Trade-off; Requirements; Software Design
Online Access: http://hdl.handle.net/1807/32704