Fabiano Dalpiaz is Assistant Professor in the Department of Information and Computing Sciences at Utrecht University, the Netherlands. Elda Paja is a Postdoctoral Research Fellow in the Department of Engineering and Computer Science at the University of Trento, Italy. Paolo Giorgini is Associate Professor in the Department of Engineering and Computer Science at the University of Trento.
Security requirements engineering has received increasing attention over the past decade: security is a crucial quality attribute of any software system, and building secure software requires an analysis of security that starts from the very early development phases. This task is especially challenging because designers have to study the bigger picture, which includes not only the software under design but also the humans operating and interacting with it, the organizations involved, and so on. Analyzing this bigger picture means designing a secure socio-technical system, rather than a merely technical system. Socio-technical systems are not just futuristic. Although research efforts on their design are still in their infancy, socio-technical systems have been a reality for quite some time. Their societal relevance and diffusion are demonstrated by many examples, such as healthcare systems, e-commerce, air traffic management control, smart cities and smart homes, etc. The socio-technical perspective poses new challenges for understanding and specifying the security requirements of the system-to-be. These challenges are related to the complexity of these systems, to the dynamics of the behaviors and interactions of the underlying subsystems, to the autonomous and heterogeneous nature of those subsystems, and to the lack of a controlling authority imposing or enforcing requirements on them.
This book proposes the Socio-Technical Security method (STS) for engineering the security requirements of socio-technical systems. STS provides guidance for a systematic security requirements engineering process. The method is model-driven, and comes with the Socio-Technical Security modeling language (STS-ml), which provides the necessary concepts and relationships to express security requirements for a socio-technical system. The book provides a comprehensive account of the STS method, the STS-ml modeling language, and the supporting software tool (called STS-Tool), which facilitates modeling and reasoning activities supported by the method.
This first edition of the book addresses two target audiences: for an academic audience, it serves as a textbook to teach security (requirements) engineering; for practitioners, it is a reference for the early adoption of a state-of-the-art security requirements engineering method. The book reports on practical applications of the method on two industrial case studies. However, more effort is needed to foster industrial uptake, and this will be the aim of future editions of this book.
Acknowledgments.
We wish to thank and acknowledge all those who have provided us with valuable feedback and comments toward the completion of this work. We owe special thanks to John Mylopoulos and Fabio Massacci (University of Trento) for their continuous and valuable feedback. We are also much indebted to Mauro Poggianella, who developed STS-Tool, and to Pierluigi Roberti, who coordinated the initial tool development phases. Many thanks to Alexander Borgida (Rutgers University) for the interesting discussions and valuable comments on the automated analysis framework. We are very grateful to the industrial partners of the EU-funded FP7 project Aniketos, who have adopted the STS method, have used the STS-ml modeling language and STS-Tool since the beginning, and have provided continuous feedback for their improvement. Above all, we are much indebted to them for their participation in the evaluation workshops. We are grateful to Stéphane Paul (Thales Research and Technology) and Per Håkon Meland (SINTEF) for their constructive criticism, and to Sandra Trösterer and Elke Beck (University of Salzburg) for all the help and support in organizing the evaluation workshops. Finally, we thank the anonymous reviewers for their comments, which helped improve the presentation of this book.
The book is structured in five thematic parts and has nine chapters that present the context, introduce the approach, illustrate it on concrete scenarios, and compare it with alternative approaches.
Part I serves as an introduction to the book. Chapter 1 presents the landscape of security requirements engineering, emphasizes the need to consider security from a socio-technical perspective when designing software systems, and describes the running example employed throughout the book. Chapter 2 provides an overview of information and computer security, and introduces the terminology needed to read the remainder of the book.
Part II presents the STS-ml security requirements modeling language for socio-technical systems. Chapter 3 introduces each of the modeling concepts supported by the language. This chapter is the reference to consult whenever parts of an STS-ml model are unclear. Chapter 4 combines the primitives of STS-ml into three different views (social, information, authorization), each representing a different perspective to be considered when conducting security requirements engineering.
Part III expands the view on STS-ml by explaining how to use it within a method for security requirements engineering. Chapter 5 details the automated reasoning techniques that an analyst would apply to iteratively refine the model into a consistent one in which no security requirement is violated. Chapter 6 describes the STS method, which provides guidelines for the creation and refinement of STS-ml models.
Part IV puts the proposed approach into practice. Chapter 7 introduces STS-Tool, the software tool that accompanies the STS-ml language and underlies the STS method. STS-Tool implements the framework presented in Part II and Part III. Chapter 8 illustrates two applications of the method on scenarios from industrial case studies: the former concerns an online collaborative platform, the latter an eGovernment system.
Part V concludes the book by comparing STS-ml and the STS method with alternative and complementary approaches in the area of security requirements engineering. This is done in Chapter 9, which also explains whether these techniques can be used in conjunction with STS or whether they rather constitute an alternative.
How to read this book.
The chapters of this book are best read in sequence. Some of the chapters and sections can be skipped or skimmed if the reader is already familiar with the matter at hand. However, we warn against relying solely on background knowledge, for some concepts are redefined in the book (especially in Part I); ignoring this advice may result in false assumptions leading to misunderstandings. We strongly advise all readers to thoroughly read Part II, which details the STS-ml modeling language. This is the core part of the book, and failing to understand these notions would hinder the comprehension of the remainder of the book. Our advice also applies to readers with experience in goal-oriented requirements engineering, for some of the primitives in STS-ml differ significantly from mainstream frameworks such as i*, Tropos, Secure Tropos, and SI*. We recommend reading the automated reasoning techniques in Chapter 5; however, users of STS-Tool may instead consult that chapter when necessary (i.e., when the tool detects errors in the model and the user does not understand their meaning). We also suggest reading the STS method presented in Chapter 6, which presents the recommended way of using STS-ml. Part IV and Part V are optional reading. The description of STS-Tool in Chapter 7 should be seen as a concise overview of its capabilities, and can be replaced by the user guide available on the tool’s website (http://www.sts-tool.eu). The case studies in Chapter 8 can be consulted whenever the reader needs to clarify some aspects of STS. Chapter 9 is useful for the reader who is interested in comparing the approach with other works in security requirements engineering.
Courtesy of MIT Press.