Towards Usable Secure Requirements Engineering with IRIS. Shamal Faily, University of Oxford

Page 1: Resg2010 key

Towards Usable Secure Requirements Engineering with IRIS

Shamal Faily, University of Oxford

Page 2

How rational are security and usability requirements?

Stapes USB Combination Lock (no longer available)

PGP

Page 3

HCI can help

Pages 4 to 6 (slide builds)

HCI can help

• User Centered Design

• Interaction Programming

• Value-Centered HCI

• Participative Design

• Grounded Design

• Contextual Design

• Task Analysis

• Usage Centered Design

• Ethno-Methodology

• Activity Theory

Horses for courses?

What about the requirements?

What about the security?

Page 7

It’s just an engineering problem?

“there are many tensions that engineers have still not begun to explore. For example, ease of use is a priority in control systems design, and security usability is known to be hard. Will we see conflicts between security and safety usability? As a typical plant operator earns less than $40,000, the ‘Homer Simpson’ problem is a real one. How do we design security that Homer can use safely?”

Anderson, R., Fuloria, S. Security Economics and Critical National Infrastructure. In Eighth Workshop on the Economics of Information Security (WEIS 2009). 2009

Page 8

Current problems

• How do we represent different environments?

Pages 9 to 11 (slide builds): the same question, illustrated with three environments and the security attribute values that apply in each

• Office after security awareness seminar: Confidentiality: High; Accountability: High

• 6 PM Friday and running for the train: Availability: High

• 8.15 AM Monday, on the train to work: Availability: Low

Page 12

Current problems

Page 13

Current problems

• Values and Context (“Being Human: Human-Computer Interaction in the Year 2020”)

Pages 14 to 16 (slide builds)

Current problems

• Values and Context

• Goals

Reasons for lack of industrial uptake!

What about the requirements?

What about the security?

Page 17

Some Good News

• Environments and Contexts of Use

(Figure: Object, User, Task, Environment, Affordance)

Page 18

Some Good News

(Figure, process: Scope Problem Domain; Elicit Empirical / Conceptual Data; Analyse Problem Concerns; Validate & Manage System Evolution; Specify System)

Page 19 (slide build)

What about the requirements?

Page 20

What is IRIS? A framework for specifying software systems that are secure for their contexts of use.

(Figure: A Meta-Model for Usable Secure Requirements Engineering. Concepts: Environment, Context of Use, Goal, Obstacle, Requirement, Asset, Security Attribute, Usability Attribute, Threat, Vulnerability, Attacker (Motive, Capability), Risk, Response (Transfer, Mitigate, Accept), Countermeasure, Task, Scenario, Persona, Misuse Case)

Page 21

(Figure, tool-support: Empirical Data and Participant data; CAIRIS Database; Models, Requirements, Documentation. Example output: NeuroGrid data upload/data download Requirements Specification.)

Tool-support


(Figure, Design Method: Establish Scope; Investigate Contexts; Requirements Workshops; transition guard [unresolved contexts])
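The environment-specific attribute values from pages 9 to 11 and the risk concepts of the meta-model, as an added Python sketch that is not CAIRIS or the author's code. The rule that a risk is live only where its threat and vulnerability coincide, the ordering of attribute values, the attribute a threat targets and the sample data are all assumptions:

```python
from dataclasses import dataclass

# Assumed ordering of attribute values (the slides only show High and Low).
LEVELS = {"None": 0, "Low": 1, "Medium": 2, "High": 3}

@dataclass
class Asset:
    name: str
    # environment -> {security attribute -> value}: the same asset is rated
    # differently in each environment, as on the "Current problems" slides
    attributes: dict

@dataclass
class Threat:
    name: str
    asset: str
    attribute: str     # security attribute the threat targets (assumption)
    environments: set  # environments in which the threat is present

@dataclass
class Vulnerability:
    name: str
    asset: str
    environments: set  # environments in which the vulnerability is present

def risk_environments(threat, vuln):
    """A risk is live only where its threat and vulnerability coincide (assumed rule)."""
    if threat.asset != vuln.asset:
        return set()
    return threat.environments & vuln.environments

def rate_risk(asset, threat, vuln):
    """Per live environment, the value of the targeted attribute that is at stake."""
    return {env: asset.attributes.get(env, {}).get(threat.attribute, "None")
            for env in sorted(risk_environments(threat, vuln))}

def environments_needing_response(asset, threat, vuln, threshold="Medium"):
    """Environments rated at or above threshold, where Accept/Mitigate/Transfer must be chosen."""
    return [env for env, value in rate_risk(asset, threat, vuln).items()
            if LEVELS[value] >= LEVELS[threshold]]

PLC_SOFTWARE = Asset("PLC Software", {  # constructed sample using the slides' environments
    "Office after seminar": {"Confidentiality": "High", "Accountability": "High"},
    "6 PM Friday": {"Availability": "High"},
    "8.15 AM Monday train": {"Availability": "Low"},
})
DURESS = Threat("Modification under duress", "PLC Software", "Availability",
                {"Office after seminar", "6 PM Friday", "8.15 AM Monday train"})
FATIGUE = Vulnerability("Task fatigue", "PLC Software", {"6 PM Friday", "8.15 AM Monday train"})
```

The office environment drops out of the risk because the vulnerability is absent there, and only the Friday-evening environment clears the response threshold.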

Page 22

Relevant Concepts

Page 23

Relevant Concepts

(Figure. Disciplines: Requirements Engineering, User-Centered Design, Security Requirements Engineering, HCI, Information Security. Concepts: Requirements, GORE (KAOS), Scenarios, Personas, Misuse-Cases, Meta-Models, Environments, Tasks, Responsibility Modelling, Risk Analysis)

Page 24

Example: Modifying PLC Software

• Programmable Logic Controllers (PLC) control clean and waste water processes.

• Modifications may be made under duress.

• Accidental or deliberate errors can be catastrophic.

Page 25 (slide build): the same bullets with an image (© Reed Business Information 2010)

Page 26

Scoping the Problem Domain

• Planned and Unplanned Environments

(Figure: Laptop, Instrument Technician, Portal, VPN, Software Repository, SysAdmin, SCADA HMI, Data, PLC Software, Telemetry Software, Software Repository Manager, Configuration Data, Access PC, Corporate Network)

Page 27

Persona building

Page 28

Persona building

Empirical data; Grounded Theory; Affinity Modelling

Organisational Characteristics: Role responsibility (8); Technology Demarcation (6); Governance (3); Organisational norms (34)

Supporting Roles: Sub-contractor support (5); Commissioning (6)

Tacit Knowledge: Learned experience (13); Site knowledge (7); Configuration knowledge (7); Tool knowledge (13); Backup norms (24)

Threat: Petty theft (4); Vandalism (2); Technical insider (1); Social engineering (3)

Context: Planned change (11); Unplanned change (3)

Vulnerability: Physical security perception (6); Task fatigue (5); Tool clunkiness (9); Legacy concern (12); PLC proliferation (4); Remote access (6); Network availability (4); Multiple changers (2)

Page 29

Persona building

Page 30

Workshop Walkthrough

Pages 31 to 36 (slide builds)

Workshop Walkthrough

• Persona Validation

Alan

• “There’s a lot of ignorance out there”

• Conscious of vulnerabilities arising from complex tools.

• Hopes the repository will encourage a standardised approach to software changes and backups.

Wednesday, 16 December 2009

• Asset Modelling

• Task Analysis

• Goal Modelling

• Requirements Specification

• Risk Analysis

Page 37

Observations

• A natural process to participants.

• Modelling environments increases participant sensitivity to them.

• Risk Analysis is more about the destination than the journey.

• We can’t replace creativity, but we can help innovation.

Page 38

Thank you for listening!

• Any questions?

Acknowledgements: This research was funded by the EPSRC CASE Studentship R07437/CN001. We are also grateful to Qinetiq Ltd for their sponsorship of this work.