Argumentation-Based Security Requirements Elicitation: The Next Round

TitleArgumentation-Based Security Requirements Elicitation: The Next Round
Publication TypeConference Paper
Year of Publication2014
AuthorsIonita D., Bullee J.H, Wieringa R.J
Conference NameProceedings of the 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE), Karlskrona, Sweden
Date PublishedAugust
PublisherIEEE Computer Society

Information Security Risk Assessment can be viewed as part of requirements engineering because it is used to translate security goals into security requirements, where security requirements are the desired system properties that mitigate threats to security goals. To improve the defensibility of these mitigations, several researchers have attempted to base risk assessment on argumentation structures. However, none of these approaches have so far been scalable or usable in real-world risk assessments. In this paper, we present the results from our search for a scalable argumentation-based information security RA method. We start from previous work on both formal argumentation frameworks and informal argument structuring and try to find a promising middle ground. An initial prototype using spreadsheets is validated and iteratively improved via several Case Studies. Challenges such as scalability, quantify-ability, ease of use, and relation to existing work in parallel fields are discussed. Finally, we explore the scope and applicability of our approach with regard to various classes of Information Systems while also drawing more general conclusions on the role of argumentation in security.