Identifying Implicit Vulnerabilities Through Personas as Goal Models | SpringerLink
Skip to main content
Springer Nature Link
Log in

Identifying Implicit Vulnerabilities Through Personas as Goal Models

  • Conference paper
  • First Online:
Computer Security (CyberICPS 2020, SECPRE 2020, ADIoT 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12501))

Abstract

When used in requirements processes and tools, personas have the potential to identify vulnerabilities resulting from misalignment between user expectations and system goals. Typically, however, this potential is unfulfilled as personas and system goals are captured with different mindsets, by different teams, and for different purposes. If personas are visualised as goal models, it may be easier for stakeholders to see implications of their goals being satisfied or denied, and designers to incorporate the creation and analysis of such models into the broader RE tool-chain. This paper outlines a tool-supported approach for finding implicit vulnerabilities from user and system goals by reframing personas as social goal models. We illustrate this approach with a case study where previously hidden vulnerabilities based on human behaviour were identified.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
¥17,985 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
JPY 3498
Price includes VAT (Japan)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
JPY 5719
Price includes VAT (Japan)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
JPY 7149
Price includes VAT (Japan)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    The case study CAIRIS model is available from https://doi.org/10.5281/zenodo.3979236.

References

  1. Amyot, D., Ghanavati, S., Horkoff, J., Mussbacher, G., Peyton, L., Yu, E.: Evaluating goal models within the goal-oriented requirement language. Int. J. Intell. Syst. 25(8), 841–877 (2010)

    Article  Google Scholar 

  2. AT&T: Graphviz Web Site (2020). http://www.graphviz.org

  3. Cleland-Huang, J.: Meet elaine: a persona-driven approach to exploring architecturally significant requirements. IEEE Softw. 30(4), 18–21 (2013)

    Article  Google Scholar 

  4. Cooper, A., Reimann, R., Cronin, D., Noessel, C.: About Face: The Essentials of Interaction Design. Wiley, Hoboken (2014)

    Google Scholar 

  5. Elahi, G., Yu, E., Zannone, N.: A vulnerability-centric requirements engineering framework: analyzing security attacks, countermeasures, and requirements based on vulnerabilities. Requir. Eng. 15(1), 41–62 (2010). https://doi.org/10.1007/s00766-009-0090-z

    Article  Google Scholar 

  6. Faily, S.: Bridging user-centered design and requirements engineering with GRL and persona cases. In: Proceedings of the 5th International i* Workshop, pp. 114–119. CEUR Workshop Proceedings (2011)

    Google Scholar 

  7. Faily, S.: Designing Usable and Secure Software with IRIS and CAIRIS. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-75493-2_9

  8. Faily, S., Fléchais, I.: Barry is not the weakest link: eliciting secure system requirements with personas. In: Proceedings of the 24th BCS Interaction Specialist Group Conference, pp. 124–132. BCS (2010)

    Google Scholar 

  9. Faily, S., Fléchais, I.: Persona cases: a technique for grounding personas. In: Proceedings of the 29th ACM CHI Conference on Human Factors in Computing Systems, pp. 2267–2270. ACM (2011)

    Google Scholar 

  10. Faily, S., Fléchais, I.: Eliciting and visualising trust expectations using persona trust characteristics and goal models. In: Proceedings of the 6th International Workshop on Social Software Engineering, pp. 17–24. ACM (2014)

    Google Scholar 

  11. Faily, S., Scandariato, R., Shostack, A., Sion, L., Ki-Aries, D.: Contextualisation of data flow diagrams for security analysis. In: Eades III, H., Gadyatskaya, O. (eds.) GraMSec 2020. LNCS, vol. 12419, pp. 186–197. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-62230-5_10

    Chapter  Google Scholar 

  12. Friess, E.: Personas and decision making in the design process: an ethnographic case study. In: Proceedings of the 30th ACM CHI Conference on Human Factors in Computing Systems, pp. 1209–1218. ACM (2012)

    Google Scholar 

  13. Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: 13th IEEE International Conference on Requirements Engineering, pp. 167–176 (2005)

    Google Scholar 

  14. Giorgini, P., Mylopoulos, J., Nicchiarelli, E., Sebastiani, R.: Reasoning with goal models. In: Spaccapietra, S., March, S.T., Kambayashi, Y. (eds.) ER 2002. LNCS, vol. 2503, pp. 167–181. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45816-6_22

    Chapter  Google Scholar 

  15. van Lamsweerde, A.: Requirements Engineering: From System Goals to UML Models to Software Specifications. Wiley, Hoboken (2009)

    Google Scholar 

  16. Liu, L., Yu, E., Mylopoulos, J.: Security and privacy requirements analysis within a social setting. In: Proceedings of the 11th IEEE International Requirements Engineering Conference, pp. 151–161 (2003)

    Google Scholar 

  17. Massacci, F., Zannone, N.: Detecting conflicts between functional and security requirements with Secure Tropos: John Rusnak and the Allied Irish Bank. In: Yu, E., Giorgini, P., Maiden, N., Mylopoulos, J. (eds.) Social Modeling for Requirements Engineering, pp. 337–362. MIT Press, Cambridge (2011)

    Google Scholar 

  18. Matthews, T., Whittaker, S., Moran, T.P., Yuen, S.: Collaboration personas: a new approach to designing workplace collaboration tools. In: Proceedings of the 29th ACM CHI Conference on Human Factors in Computing Systems, pp. 2247–2256 (2011)

    Google Scholar 

  19. Mead, N., Shull, F., Spears, J., Heibl, S., Weber, S., Cleland-Huang, J.: Crowd sourcing the creation of personae non gratae for requirements-phase threat modeling. In: Proceedings of the 25th International Requirements Engineering Conference, pp. 412–417 (2017)

    Google Scholar 

  20. Moody, D.L., Heymans, P., Matulevicius, R.: Improving the effectiveness of visual representations in requirements engineering: an evaluation of i* visual syntax. In: Proceedings of the 17th IEEE International Requirements Engineering Conference, pp. 171–180. IEEE (2009)

    Google Scholar 

  21. Mouratidis, H., Giorgini, P.: Secure Tropos: a security-oriented extension of the Tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)

    Article  Google Scholar 

  22. Nunes Rodrigues, G., Joel Tavares, C., Watanabe, N., Alves, C., Ali, R.: A persona-based modelling for contextual requirements. In: Kamsties, E., Horkoff, J., Dalpiaz, F. (eds.) REFSQ 2018. LNCS, vol. 10753, pp. 352–368. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-77243-1_23

    Chapter  Google Scholar 

  23. Paja, E., Dalpiaz, F., Giorgini, P.: Designing secure socio-technical systems with STS-ml. In: Proceedings of the 6th International i* Workshop 2013, pp. 79–84 (2013)

    Google Scholar 

  24. Pastor, O., Estrada, H., Martínez, A.: Strengths and weaknesses of the i* framework: an empirical evaluation. In: Yu, E., Giorgini, P., Maiden, N., Mylopoulos, J. (eds.) Social Modeling for Requirements Engineering, pp. 607–643. MIT Press, Cambridge (2011)

    Google Scholar 

  25. Regev, G., Wegmann, A.: Where do goals come from: the underlying principles of goal-oriented requirements engineering. In: 13th IEEE International Conference on Requirements Engineering, pp. 353–362 (2005)

    Google Scholar 

  26. Simon, H.A.: Rational decision making in business organizations. Am. Econ. Rev. 69(4), 493–513 (1979)

    Google Scholar 

  27. Sindre, G., Opdahl, A.L.: Capturing dependability threats in conceptual modelling. In: Krogstie, J., Opdahl, A.L., Brinkkemper, S. (eds.) Conceptual Modelling in Information Systems Engineering, pp. 247–260. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72677-7_15

    Chapter  Google Scholar 

  28. Yu, E.: Modeling strategic relationships for process reengineering. Ph.D. thesis, University of Toronto (1995)

    Google Scholar 

  29. Yu, E.: Towards modeling and reasoning support for early-phase requirements engineering. In: Proceedings of the 3rd IEEE International Symposium on Requirements Engineering, pp. 226–235. IEEE (1997)

    Google Scholar 

  30. Yu, E., Giorgini, P., Maiden, N., Mylopoulos, J.: Social modeling for requirements engineering: an introduction. In: Yu, E. (ed.) Social Modeling for Requirements Engineering. MIT Press, Cambridge (2011)

    Google Scholar 

  31. Yu, E.S.: Social modeling and i*. In: Borgida, A.T., Chaudhri, V.K., Giorgini, P., Yu, E.S. (eds.) Conceptual Modeling: Foundations and Applications. LNCS, vol. 5600, pp. 99–121. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02463-4_7

    Chapter  Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Department of Computing and Informatics, Bournemouth University, Poole, UK

    Shamal Faily & Duncan Ki-Aries

  2. School of Computing, University of Portsmouth, Portsmouth, UK

    Claudia Iacob

  3. Hamid Bin Khalifa University, Doha, Qatar

    Raian Ali

Authors
  1. Shamal Faily
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Claudia Iacob
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Raian Ali
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Duncan Ki-Aries
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shamal Faily .

Editor information

Editors and Affiliations

  1. Norwegian University of Science and Technology, Gjøvik, Norway

    Sokratis Katsikas

  2. Polytechnique Montréal, Montréal, QC, Canada

    Frédéric Cuppens

  3. Polytechnique Montréal, Montréal, QC, Canada

    Nora Cuppens

  4. University of Piraeus, Piraeus, Greece

    Costas Lambrinoudakis

  5. University of the Aegean, Mytilene, Greece

    Christos Kalloniatis

  6. Department of Computer Science, University of Toronto, Toronto, ON, Canada

    John Mylopoulos

  7. Georgia Institute of Technology, Atlanta, GA, USA

    Annie Antón

  8. University of Piraeus, Piraeus, Greece

    Stefanos Gritzalis

  9. Technical University of Denmark, Lyngby, Denmark

    Weizhi Meng

  10. University of Nottingham, Nottingham, UK

    Steven Furnell

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Faily, S., Iacob, C., Ali, R., Ki-Aries, D. (2020). Identifying Implicit Vulnerabilities Through Personas as Goal Models. In: Katsikas, S., et al. Computer Security. CyberICPS SECPRE ADIoT 2020 2020 2020. Lecture Notes in Computer Science(), vol 12501. Springer, Cham. https://doi.org/10.1007/978-3-030-64330-0_12

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-64330-0_12

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64329-4

  • Online ISBN: 978-3-030-64330-0

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation