Identifying implicit vulnerabilities through personas as goal models.

Faily, Shamal; Iacob, Claudia; Ali, Raian; Ki-Aries, Duncan

Authors

Shamal Faily

Claudia Iacob

Raian Ali

Duncan Ki-Aries



Contributors

Sokratis Katsikas
Editor

Frédéric Cuppens
Editor

Nora Cuppens
Editor

Costas Lambrinoudakis
Editor

Christos Kalloniatis
Editor

John Mylopoulos
Editor

Annie Antón
Editor

Stefanos Gritzalis
Editor

Weizhi Meng
Editor

Steven Furnell
Editor

Abstract

When used in requirements processes and tools, personas have the potential to identify vulnerabilities resulting from misalignment between user expectations and system goals. Typically, however, this potential is unfulfilled as personas and system goals are captured with different mindsets, by different teams, and for different purposes. If personas are visualised as goal models, it may be easier for stakeholders to see implications of their goals being satisfied or denied, and designers to incorporate the creation and analysis of such models into the broader RE tool-chain. This paper outlines a tool-supported approach for finding implicit vulnerabilities from user and system goals by reframing personas as social goal models. We illustrate this approach with a case study where previously hidden vulnerabilities based on human behaviour were identified.

Citation

FAILY, S., IACOB, C., ALI, R. and KI-ARIES, D. 2020. Identifying implicit vulnerabilities through personas as goal models. In Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Antón, A., Gritzalis, S., Meng, W. and Furnell, S. (eds.) Computer security: ESORICS 2020 international workshops, CyberICPS, SECPRE, and ADIoT: revised selected papers from the 4th International workshop on security and privacy requirements engineering (SECPRE 2020), co-located with the 25th European symposium on research in computer security (ESORICS 2020), 14-18 September 2020, Guildford, UK. Lecture notes in computer science, 12501. Cham: Springer [online], pages 185-202. Available from: https://doi.org/10.1007/978-3-030-64330-0_12

Conference Name 4th International workshop on security and privacy requirements engineering (SECPRE 2020), co-located with the 25th European symposium on research in computer security (ESORICS 2020)
Conference Location Guildford, UK
Start Date Sep 14, 2020
End Date Sep 18, 2020
Acceptance Date Aug 6, 2020
Online Publication Date Dec 17, 2020
Publication Date Dec 31, 2020
Deposit Date Sep 16, 2021
Publicly Available Date Nov 23, 2021
Publisher Springer
Pages 185-202
Series Title Lecture notes in computer science (LNCS)
Series Number 12501
Series ISSN 0302-9743 ; 1611-3349
Book Title Computer security: ESORICS 2020 international workshops, CyberICPS, SECPRE, and ADIoT: revised selected papers
ISBN 9783030643294
DOI https://doi.org/10.1007/978-3-030-64330-0_12
Keywords User personas; User behaviour; User-centred design; Systems security; Security risk analysis
Public URL https://rgu-repository.worktribe.com/output/1364605
