Identifying implicit vulnerabilities through personas as goal models.
Faily, Shamal; Iacob, Claudia; Ali, Raian; Ki-Aries, Duncan
When used in requirements processes and tools, personas have the potential to identify vulnerabilities resulting from misalignment between user expectations and system goals. Typically, however, this potential is unfulfilled as personas and system goals are captured with different mindsets, by different teams, and for different purposes. If personas are visualised as goal models, it may be easier for stakeholders to see implications of their goals being satisfied or denied, and designers to incorporate the creation and analysis of such models into the broader RE tool-chain. This paper outlines a tool-supported approach for finding implicit vulnerabilities from user and system goals by reframing personas as social goal models. We illustrate this approach with a case study where previously hidden vulnerabilities based on human behaviour were identified.
FAILY, S., IACOB, C., ALI, R. and KI-ARIES, D. 2020. Identifying implicit vulnerabilities through personas as goal models. In Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Antón, A., Gritzalis, S., Meng, W. and Furnell, S. (eds.) Computer security: ESORICS 2020 international workshops, CyberICPS, SECPRE, and ADIoT: revised selected papers from the 4th International workshop on security and privacy requirements engineering (SECPRE 2020), co-located with the 25th European symposium on research in computer security (ESORICS 2020), 14-18 September 2020, Guildford, UK. Lecture notes in computer science, 12501. Cham: Springer [online], pages 185-202. Available from: https://doi.org/10.1007/978-3-030-64330-0_12
|Conference Name||4th International workshop on security and privacy requirements engineering (SECPRE 2020), co-located with the 25th European symposium on research in computer security (ESORICS 2020)|
|Conference Location||Guildford, UK|
|Start Date||Sep 14, 2020|
|End Date||Sep 18, 2020|
|Acceptance Date||Aug 6, 2020|
|Online Publication Date||Dec 17, 2020|
|Publication Date||Dec 31, 2020|
|Deposit Date||Sep 16, 2021|
|Publicly Available Date||Nov 23, 2021|
|Series Title||Lecture notes in computer science (LNCS)|
|Series ISSN||0302-9743 ; 1611-3349|
|Book Title||Computer security: ESORICS 2020 international workshops, CyberICPS, SECPRE, and ADIoT: revised selected papers|
|Keywords||User personas; User behaviour; User-centred design; Systems security; Security risk analysis|
FAILY 2020 Identifying implicit vulnerabilities
You might also like
Visualising personas as goal models to find security tensions.
Redesigning an undergraduate software engineering course for a large cohort.
Using extreme characters to teach requirements engineering.