Usable Formal Methods for the Design and Composition of Security and Privacy Policies (CMU/UTSA Collaborative Proposal) - July 2014

Public Audience
Purpose: To highlight progress. Information is generally at a higher level which is accessible to the interested public.

PI(s): Travis Breaux (CMU), Jianwei Niu (UTSA)
Researchers:

HARD PROBLEM(S) ADDRESSED

This refers to Hard Problems, released November 2012.

Metrics

Human Behavior

PUBLICATIONS
Report papers written as a results of this research. If accepted by or submitted to a journal, which journal. If presented at a conference, which conference.

1. H. Hibshi, T. Breaux, M. Riaz, L. Williams. "A Framework to Measure Experts' Decision Making in Security Requirements Analysis," In Submission: International Workshop on Evolving Security and Privacy Requirements Engineering, 2014.
   
2. R. Slavin, J.-M. Lehker, J. Niu, T. Breaux. "Managing Security Requirement Patterns Using Feature Diagram Hierarchies," Accepted To: IEEE International Requirements Engineering Conference, 2014.
   
3. Slankas, J., Riaz, M. King, J., Williams, L. "Discovering Security Requirements from Natural Language," Accepted To: IEEE International Requirements Engineering Conference, 2014.
   
4. Rao, H. Hibshi, T. Breaux, J-M. Lehker, J. Niu, "Less is More? Investigating the Role of Examples in Security Studies using Analogical Transfer," Accepted To: Symposium and Bootcamp on the Science of Security (HotSoS), 2014.
   
5. H. Hibshi, R. Slavin, J. Niu, T. Breaux, "Rethinking Security Requirements in RE Research," University of Texas at San Antonio, Technical Report #CS-TR-2014-001, January, 2014
   
6. Riaz, M., Breaux, T., Williams, L. "On the Design of Empirical Studies to Evaluate Software Patterns: A Survey," Revision submitted for consideration: Empirical Software Engineering Journal, 2012
   
7. Breaux, T., Hibshi, H., Rao, A., Lehker, J.-M. "Towards a Framework for Pattern Experimentation: Understanding empirical validity in requirements engineering patterns." 2nd IEEE Workshop on Requirements Engineering Patterns (RePa'12), Chicago, Illinois, Sep. 2012, pp. 41-47.
   
8. Slavin, R., Shen, H., Niu, J., "Characterizations and Boundaries of Security Requirements Patterns," 2nd IEEE Workshop on Requirements Engineering Patterns (RePa'12), Chicago, Illinois, Sep. 2012, pp. 48-53.

ACCOMPLISHMENT HIGHLIGHTS

* We adapted Mica Endlsey's Situation Awareness to security and discovered several patterns of security analysis that may help explain why novices struggle to apply security requirements in different scenarios. Notably, we observed that experts can reason through ambiguity by scaffolding their decisions with assumptions. Novices often struggle with perception and comprehension, failing to project possible attack scenarios or reach decisions to mitigate these risks. This work will appear in the proceedings of the International Workshop on Evolving Security and Privacy Requirements Engineering.

* We demonstrated that a new security template based on design patterns and the goal-oriented requirements models could be used to improve an analysts ability to discover and address security problems in a design. This work will appear in the proceedings of the 22nd IEEE International Requirements Engineering Conference.