Software risk management
Goal-directed requirements acquisition
6IWSSD Selected Papers of the Sixth International Workshop on Software Specification and Design
Design patterns: elements of reusable object-oriented software
Design patterns: elements of reusable object-oriented software
Understanding “why” in software process modelling, analysis, and design
ICSE '94 Proceedings of the 16th international conference on Software engineering
Analysis patterns: reusable objects models
Analysis patterns: reusable objects models
Problem frames: analyzing and structuring software development problems
Problem frames: analyzing and structuring software development problems
Weaknesses in the Key Scheduling Algorithm of RC4
SAC '01 Revised Papers from the 8th Annual International Workshop on Selected Areas in Cryptography
Satisficing Games and Decision Making: With Applications to Engineering and Computer Science
Satisficing Games and Decision Making: With Applications to Engineering and Computer Science
Goal-Oriented Requirements Engineering: A Guided Tour
RE '01 Proceedings of the Fifth IEEE International Symposium on Requirements Engineering
Security Engineering with Patterns: Origins, Theoretical Models, and New Applications
Security Engineering with Patterns: Origins, Theoretical Models, and New Applications
Tropos: An Agent-Oriented Software Development Methodology
Autonomous Agents and Multi-Agent Systems
Using Abuse Frames to Bound the Scope of Security Problems
RE '04 Proceedings of the Requirements Engineering Conference, 12th IEEE International
The Final Nail in WEP's Coffin
SP '06 Proceedings of the 2006 IEEE Symposium on Security and Privacy
ACM-SE 45 Proceedings of the 45th annual southeast regional conference
Identifying Security Aspects in Early Development Stages
ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
Selecting Security Patterns that Fulfill Security Requirements
RE '08 Proceedings of the 2008 16th IEEE International Requirements Engineering Conference
Extending Problem Frames to deal with stakeholder problems: An Agent- and Goal-Oriented Approach
Proceedings of the 2009 ACM symposium on Applied Computing
PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance
| Hi-index | 0.00 |
Most attacks on computer and software systems are caused by threats to known vulnerabilities. Part of the reason is that it is difficult to possess necessary broad and deep knowledge of security related strategic knowledge to choose mitigating solutions suitable for a specific application or organization. This paper presents three patterns that use goal-oriented concepts to capture knowledge of security problems and their corresponding mitigating solutions. Each pattern captures three kinds of problems, including undesirable outcome that negatively affects a security goal, threat that could lead to an undesirable outcome, and vulnerability that could be exploited by a threat. Alternative mitigating solutions are captured in relation to the problems, including vulnerability risk transfer, threat prevention, threat containment, undesirable outcome recovery, and undesirable outcome impact prevention and control. The alternatives are identified with consequences against other non-functional requirements (NFRs) such as cost and usability, which are then used as selection criteria in associated selection patterns. The patterns illustrate how knowledge of security incidents and security standards may be captured and used to help avoid the security problems suffered by TJX in one of the largest credit card theft incident in history.