Enhancing UMLsec with Risk Analysis for Security Requirements (DFG-No. JU 2734/3-1)

Project description


Security has to be addressed throughout the whole of system development. Since every security solution has a cost, organizations will want to adopt the security solutions that are likely to have a positive Return-On-Investment (ROI). Developing a secure information system in a cost-effective way therefore requires security risk analysis already in the requirements engineering stage of system development.

The aim of this research is to design a modelling language for information system (IS) security risk management by enhancing an established technique for secure software development, UMLsec. UMLsec is an extension of UML that allows security-relevant information to be expressed within the diagrams of a system specification; it is defined as a UML profile using the standard UML extension mechanisms (stereotypes, tags and constraints). The goal is to examine and identify the concepts that should constitute a modelling technique for IS security risk analysis and to build a conceptual model for carrying out IS security risk assessment. A UMLsec-based analysis approach will be used to identify and specify security threats, and a qualitative risk measurement will be employed in the risk assessment process.
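To make the two building blocks concrete, the following Python sketch is an added example, not code from this project or from the UMLsec tool support. It applies UMLsec's «secure links» check to a small deployment model: UMLsec's default adversary is modelled by a threat function that maps a link stereotype («Internet», «encrypted», «LAN», «wire») to the actions the adversary can perform on that link, and a dependency stereotyped «secrecy», «integrity» or «high» violates the constraint if the carrying link allows read, insert, or any action respectively. The threat function and the constraint are UMLsec's; the three-level likelihood and impact scales, the risk matrix, the `impact` tag on dependencies, the sample model and all helper names are assumptions constructed for this illustration, standing in for whatever qualitative scheme the project defines.

```python
"""UMLsec-style threat identification on a deployment diagram, followed by a
qualitative risk rating.  Added example for illustration; the sample model,
the rating scales and all helper names are constructed, not the project's.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional, Tuple

# UMLsec default adversary: actions an attacker can perform on a communication
# link, indexed by the link's stereotype (UMLsec's Threats_default function).
DEFAULT_THREATS: Dict[str, FrozenSet[str]] = {
    "Internet": frozenset({"read", "insert", "delete"}),
    "encrypted": frozenset({"delete"}),
    "LAN": frozenset(),
    "wire": frozenset(),
}

# UMLsec «secure links» constraint: actions the carrying link must not allow
# for a dependency carrying the given security stereotype.
FORBIDDEN: Dict[str, FrozenSet[str]] = {
    "secrecy": frozenset({"read"}),
    "integrity": frozenset({"insert"}),
    "high": frozenset({"read", "insert", "delete"}),
}

# Assumed three-level qualitative scales (not part of UMLsec; chosen here).
LEVELS = ("low", "medium", "high")
LIKELIHOOD_BY_LINK = {"Internet": "high", "encrypted": "medium", "LAN": "low", "wire": "low"}


@dataclass(frozen=True)
class Link:
    nodes: FrozenSet[str]    # the two deployment nodes joined by the link
    stereotype: str          # Internet | encrypted | LAN | wire


@dataclass(frozen=True)
class Dependency:
    source: str              # component names
    target: str
    stereotype: str          # secrecy | integrity | high
    impact: str              # assumed asset-criticality tag: low | medium | high


@dataclass(frozen=True)
class Finding:
    dependency: Dependency
    link: Link
    actions: FrozenSet[str]  # forbidden actions the adversary can perform on the link
    likelihood: str
    risk: str


def link_between(links: List[Link], a: str, b: str) -> Optional[Link]:
    wanted = frozenset({a, b})
    return next((lnk for lnk in links if lnk.nodes == wanted), None)


def qualitative_risk(likelihood: str, impact: str) -> str:
    """Assumed risk matrix: sum of the ordinal levels, mapped to low/medium/high."""
    score = LEVELS.index(likelihood) + LEVELS.index(impact)
    return "low" if score <= 1 else "medium" if score == 2 else "high"


def assess(placement: Dict[str, str], links: List[Link],
           dependencies: List[Dependency],
           threats: Dict[str, FrozenSet[str]] = DEFAULT_THREATS) -> List[Finding]:
    """Run the «secure links» check and rate every violation qualitatively."""
    findings: List[Finding] = []
    for dep in dependencies:
        n_src, n_dst = placement[dep.source], placement[dep.target]
        if n_src == n_dst:
            continue                      # same node: no link for the adversary to attack
        link = link_between(links, n_src, n_dst)
        if link is None:
            raise ValueError(f"no link between {n_src} and {n_dst}")
        exposed = threats[link.stereotype] & FORBIDDEN[dep.stereotype]
        if exposed:
            likelihood = LIKELIHOOD_BY_LINK[link.stereotype]
            findings.append(Finding(dep, link, exposed, likelihood,
                                    qualitative_risk(likelihood, dep.impact)))
    return findings


# Constructed sample model: a browser talks to a web application over the
# Internet; the application talks to its database store over the LAN.
PLACEMENT = {"Browser": "Client", "App": "WebServer", "Store": "DBHost"}
LINKS = [Link(frozenset({"Client", "WebServer"}), "Internet"),
         Link(frozenset({"WebServer", "DBHost"}), "LAN")]
DEPENDENCIES = [Dependency("Browser", "App", "secrecy", "high"),
                Dependency("App", "Store", "integrity", "high")]


def demo() -> Tuple[List[Finding], List[Finding]]:
    """Assess the sample model, then re-assess with the Internet link encrypted."""
    before = assess(PLACEMENT, LINKS, DEPENDENCIES)
    hardened = [replace(lnk, stereotype="encrypted") if lnk.stereotype == "Internet" else lnk
                for lnk in LINKS]
    after = assess(PLACEMENT, hardened, DEPENDENCIES)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    for f in before:
        print(f"{f.dependency.source}->{f.dependency.target} «{f.dependency.stereotype}» "
              f"over «{f.link.stereotype}»: adversary can {sorted(f.actions)}, "
              f"likelihood {f.likelihood}, impact {f.dependency.impact}, risk {f.risk}")
    print("after encrypting the Internet link:", len(after), "finding(s)")
```

Running the sample reports one high-rated finding (the «secrecy» dependency Browser->App crosses an «Internet» link, so the adversary can read it) and none after the link is re-stereotyped «encrypted». Note that encryption is not a cure-all in this model: a «high» dependency over an «encrypted» link still fails, because the default adversary can delete messages on such a link, which is exactly the kind of residual exposure a qualitative rating step has to weigh against the cost of the countermeasure.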

Preliminary Work: Publications


  • S. Taubenberger: Vulnerability Identification Errors in Security Risk Assessments. PhD thesis, The Open University, 2014.
    @PHDTHESIS{Jur02, author = {S.~Taubenberger}, title = {Vulnerability Identification Errors in Security Risk Assessments}, school = {The Open University}, year = {2014}, address = {The Open University}, file = {thesis:http://oro.open.ac.uk/39626/:URL}, keywords = {thesis} }
  • S. Taubenberger, J. Jürjens, Y. Yu, B. Nuseibeh: Resolving Vulnerability Identification Errors using Security Requirements on Business Process Models. In: Journal on Information Management and Computer Security (IMCS), vol. 21, no. 3, pp. 202-223, 2013.
    @ARTICLE{TauJurYuNus13, author = {S.~Taubenberger and J.~{J}{\"u}{r}jens and Y.~Yu and B.~Nuseibeh}, title = {Resolving Vulnerability Identification Errors using Security Requirements on Business Process Models}, journal = {Journal on Information Management and Computer Security (IMCS)}, year = {2013}, volume = {21}, number = {3}, pages = {202--223}, doi = {http://dx.doi.org/10.1108/IMCS-09-2012-0054}, file = {preprint:http\://rgse.uni-koblenz.de/web/pages/people/juerjens/publications/papers/imcs13TJYN.pdf:URL;dblp:http://www.informatik.uni-trier.de/~ley/pers/hd/j/J=uuml=rjens:Jan.html#j18:URL}, keywords = {modelbasedSecurityEngineering} }
  • S. Taubenberger, J. Jürjens, B. Nuseibeh, Y. Yu: Problem Analysis of Traditional IT-Security Risk Assessment Methods - An Experience Report from the Insurance and Auditing Domain. In: 26th IFIP International Information Security Conference (IFIP SEC 2011), Lucerne, IFIP AICT vol. 354, pp. 259-270, 2011.
    @INPROCEEDINGS{ifipsec11TJNY, author = {S.~Taubenberger and J.~{J}{\"u}{r}jens and B.~Nuseibeh and Yijun Yu}, title = {Problem Analysis of Traditional IT-Security Risk Assessment Methods - An Experience Report from the Insurance and Auditing Domain}, booktitle = {26th IFIP International Information Security Conference}, year = {2011}, volume = {354}, pages = {259--270}, address = {Lucerne}, file = {preprint:http\://rgse.uni-koblenz.de/web/pages/people/juerjens/publications/papers/ifipsec11TJNY.pdf:URL;slides:http\://rgse.uni-koblenz.de/web/pages/people/juerjens/publications/slides/ifipsec11TJNYtalk.pdf:URL;dblp:http://www.informatik.uni-trier.de/~ley/pers/hd/j/J=uuml=rjens:Jan.html#c90:URL;SpringerLink:http://link.springer.com/chapter/10.1007/978-3-642-21424-0_21:URL}, keywords = {internationalConferences, secureSoftwareEngineeringITSecurityRiskAssessment}, url = {http://www.sec2011.org/} }
  • S. Taubenberger, J. Jürjens, S. Braun: Studie zu IT-Risikobewertungen in der Praxis (A Study of IT Risk Assessments in Practice). In: D-A-CH Security 2011, Oldenburg, 2011. Joint working conference of GI, OCG, BITKOM, SI and TeleTrusT (in German).
    @INPROCEEDINGS{dachsec11TJ, author = {S.~Taubenberger and J.~{J}{\"u}{r}jens and S.~Braun}, title = {Studie zu IT-Risikobewertungen in der Praxis}, booktitle = {D-A-CH Security 2011}, year = {2011}, address = {Oldenburg}, note = {Gemeinsame Arbeitskonferenz der GI, OCG, BITKOM, SI, TeleTrusT}, file = {preprint:http\://rgse.uni-koblenz.de/jj/publications/papers/dach11-stefan.pdf:URL;slides:http\://rgse.uni-koblenz.de/jj/publications/slides/dach11-stefan.pdf:URL;audio:http\://rgse.uni-koblenz.de/jj/publications/audio/dach11-stefan.wav:URL}, keywords = {nonEnglish}, url = {http://www.syssec.at/dachsecurity2011} }