Biblio

Cyber-Physical Systems (CPS) attract growing interest from architects and attackers, given their potential effect on privacy and safety of ecosystems and users. Architectural tactics have been proposed as a design-time abstraction useful to guide and evaluate systems design decisions that address specific system qualities, but there is little published evidence of how Security Tactics help to mitigate security threats in the context of Cyber-Physical Systems. This article reports the principled derivation of architectural tactics for an actual SCADA-SAP bridge, where security was the key concern; the key inputs were (1) a well-known taxonomies of architectural tactics, and (2) a detailed record of trade-offs among these tactics. The project architects used client-specified quality attributes to identify relevant tactics in the taxonomy, and information on their trade-offs to guide top-level decisions on system global shape. We venture that all architectural tactics taxonomies should be enriched with explicit trade-offs, allowing architects to compare alternative solutions that seem equally good on principle but are not so in practice.

Cloud systems offer a diversity of security mechanisms with potentially complex configuration options. So far, security engineering has focused on achievable security levels, but not on the costs associated with a specific security mechanism and its configuration. Through a series of experiments with a variety of cloud datastores conducted over the last years, we gained substantial knowledge on how one desired quality like security can have a significant impact on other system qualities like performance. In this paper, we report on select findings related to security-performance trade-offs for three prominent cloud datastores, focusing on data in transit encryption, and propose a simple, structured approach for making trade-off decisions based on factual evidence gained through experimentation. Our approach allows to rationally reason about security trade-offs.

Software systems are increasingly called upon to autonomously manage their goals in changing contexts and environments, and under evolving requirements. In some circumstances, autonomous systems cannot be fully-automated but instead cooperate with human operators to maintain and adapt themselves. Furthermore, there are times when a choice should be made between doing a manual or automated repair. Involving operators in self-adaptation should itself be adaptive, and consider aspects such as the training, attention, and ability of operators. Not only do these aspects change from person to person, but they may change with the same person. These aspects make the choice of whether to involve humans non-obvious. Self-adaptive systems should trade-off whether to involve operators, taking these aspects into consideration along with other business qualities it is attempting to achieve. In this chapter, we identify the various roles that operators can perform in cooperating with self-adapting systems. We focus on humans as effectors-doing tasks which are difficult or infeasible to automate. We describe how we modified our self-adaptive framework, Rainbow, to involve operators in this way, which involved choosing suitable human models and integrating them into the existing utility trade-off decision models of Rainbow. We use probabilistic modeling and quantitative verification to analyze the trade-offs of involving humans in adaptation, and complement our study with experiments to show how different business preferences and modalities of human involvement may result in different outcomes.