The elements of graphing data
Information systems security design methods: implications for information systems development
ACM Computing Surveys (CSUR)
Software requirements & specifications: a lexicon of practice, principles and prejudices
Software requirements & specifications: a lexicon of practice, principles and prejudices
Toward a secure system engineering methodolgy
Proceedings of the 1998 workshop on New security paradigms
Defining and Applying Measures of Distance Between Specifications
IEEE Transactions on Software Engineering
Secrets & Lies: Digital Security in a Networked World
Secrets & Lies: Digital Security in a Networked World
Software safety: where's the evidence?
SCS '01 Proceedings of the Sixth Australian workshop on Safety critical systems and software - Volume 3
Security in Computing
Security attribute evaluation method: a cost-benefit approach
Proceedings of the 24th International Conference on Software Engineering
Certifying Software for High-Assurance Environments
IEEE Software
Conceptual Graphs and Formal Concept Analysis
ICCS '97 Proceedings of the Fifth International Conference on Conceptual Structures: Fulfilling Peirce's Dream
Surfacing Root Requirements Interactions from Inquiry Cycle Requirements Documents
ICRE '98 Proceedings of the 3rd International Conference on Requirements Engineering: Putting Requirements Engineering to Practice
Model-Based Risk Assessment to Improve Enterprise Security
EDOC '02 Proceedings of the 6th International Enterprise Distributed Object Computing Conference
Information Assurance Measures and Metrics " State of Practice and Proposed Taxonomy
HICSS '03 Proceedings of the 36th Annual Hawaii International Conference on System Sciences (HICSS'03) - Track 9 - Volume 9
Using a Concept Lattice of Decomposition Slices for Program Understanding and Impact Analysis
IEEE Transactions on Software Engineering
Abuse-Case-Based Assurance Arguments
ACSAC '01 Proceedings of the 17th Annual Computer Security Applications Conference
The description logic handbook: theory, implementation, and applications
The description logic handbook: theory, implementation, and applications
Scenario networks and formalization for scenario management
Scenario networks and formalization for scenario management
Security and Privacy Requirements Analysis within a Social Setting
RE '03 Proceedings of the 11th IEEE International Conference on Requirements Engineering
Nonfunctional Requirements: From Elicitation to Conceptual Models
IEEE Transactions on Software Engineering
Elaborating Security Requirements by Construction of Intentional Anti-Models
Proceedings of the 26th International Conference on Software Engineering
Risk Analysis in Software Design
IEEE Security and Privacy
Using Abuse Frames to Bound the Scope of Security Problems
RE '04 Proceedings of the Requirements Engineering Conference, 12th IEEE International
IEEE Computer Graphics and Applications
Reverse engineering of object oriented code
Proceedings of the 27th international conference on Software engineering
Software Security: Building Security In
Software Security: Building Security In
Ontology-based Active Requirements Engineering Framework
APSEC '05 Proceedings of the 12th Asia-Pacific Software Engineering Conference
The role of abstraction in software engineering
Proceedings of the 2006 international workshop on Role of abstraction in software engineering
A Case Study in Systematic Improvement of Language for Requirements
RE '06 Proceedings of the 14th IEEE International Requirements Engineering Conference
RE '06 Proceedings of the 14th IEEE International Requirements Engineering Conference
Semantic parameterization: A process for modeling domain descriptions
ACM Transactions on Software Engineering and Methodology (TOSEM)
Misuse Cases: Use Cases with Hostile Intent
IEEE Software
Hi-index | 0.00 |
Security breaches most often occur due to a cascading effect of failure among security constraints that collectively contribute to overall secure system behavior in a socio-technical environment. Therefore, during security certification activities, analysts must systematically take into account the nexus of causal chains that exist among security constraints imposed by regulatory requirements. Numerous regulatory requirements specified in natural language documents or listed in spreadsheets/databases do not facilitate such analysis. The work presented in this article outlines a stepwise methodology to discover and understand the multidimensional correlations among regulatory requirements for the purpose of understanding the potential for risk due to noncompliance during system operation. Our lattice algebraic computational model helps estimate the collective adequacy of diverse security constraints imposed by regulatory requirements and their interdependencies with each other in a bounded scenario of investigation. Abstractions and visual metaphors combine human intuition with metrics available from the methodology to improve the understanding of risk based on the level of compliance with regulatory requirements. In addition, a problem domain ontology that classifies and categorizes regulatory requirements from multiple dimensions of a socio-technical environment promotes a common understanding among stakeholders during certification and accreditation activities. A preliminary empirical investigation of our theoretical propositions has been conducted in the domain of The United States Department of Defense Information Technology Security Certification and Accreditation Process (DITSCAP). This work contributes a novel approach to understand the level of compliance with regulatory requirements in terms of the potential for risk during system operation.