CMU-ISR-18-102
Institute for Software Research
School of Computer Science, Carnegie Mellon University




Composite Security Requirements in the Presence of Uncertainty

Hanan Hibshi

October 2018

Ph.D. Thesis
Societal Computing

CMU-ISR-18-102.pdf


Keywords: Security, requirements, decision-making, situation awareness, user study, vignettes, scenarios, security requirements, qualitative analysis, context, empirical study, fuzzy logic, type-2, uncertainty

Providing secure solutions for information systems relies on decisions made by expert security professionals. These professionals must be capable of aligning threats to existing vulnerabilities to provide mitigations needed to minimize security risks. Despite the abundance of security controls, guidelines, and checklists, security experts rely mostly on their background knowledge and experience to make security-related decisions. In this thesis I explore how security experts make security-related decisions, collect their assessments of security measures nested in scenarios, and extract security mitigation rules. These rules could be used to build an intelligent fuzzy logic system, which captures the knowledge of many experts in combination. I present the Multi-factor Quality Measurement (MQM) method that I introduced to the field of requirements engineering to empirically elicit and analyze security knowledge from experts. This is done by using user studies that instrument factorial vignettes to capture the experts' assessments of mitigations in scenarios composed of many components affecting the decision-making process. The results are analyzed quantitatively with multi-level modeling in order to capture the weights and priorities assigned to security requirements, and qualitatively to explore new or refined security requirements.

The outcome of the analysis will be used to generate membership functions for a type-2 fuzzy logic system. The corresponding fuzzy rule-sets encode the interpersonal and intra-personal uncertainties among experts in decision-making.

I explore security decision-making in the presence of composite security requirements, varying expertise, and uncertainty. This work makes methodological contributions on two aspects: empiricism, where I adapt different data collection and analysis techniques from other interdisciplinary fields and apply them to requirements engineering; and modeling, where I explore a data-driven modeling approach that can fit data collected from experts in the security domain, where the experts are scarce and the amount of data collected is not sufficient to use machine learning.

134 pages

Thesis Committee:
Travis D. Breaux (Chair)
Lorrie Faith Cranor
Stephen B. Broomell
Dongrui Wu (Huazhong University of Science and Technology)

William L. Scherlis, Director, Institute for Software Research
Andrew W. Moore, Dean, School of Computer Science

