Identifying implicit vulnerabilities through personas as goal models
Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
When used in requirements processes and tools, personas have the potential to identify vulnerabilities resulting from misalignment between user expectations and system goals. Typically, however, this potential is unfulfilled because personas and system goals are captured with different mindsets, by different teams, and for different purposes. If personas are visualised as goal models, it may be easier for stakeholders to see the implications of their goals being satisfied or denied, and for designers to incorporate the creation and analysis of such models into the broader requirements engineering (RE) tool-chain. This paper outlines a tool-supported approach for finding implicit vulnerabilities from user and system goals by reframing personas as social goal models. We illustrate this approach with a case study in which previously hidden vulnerabilities based on human behaviour were identified.
| Field | Value |
|---|---|
| Title of host publication | Computer Security - ESORICS 2020 International Workshops, CyberICPS, SECPRE, and ADIoT, 2020, Revised Selected Papers |
| Editors | Sokratis Katsikas, Frédéric Cuppens, Nora Cuppens, Costas Lambrinoudakis, Christos Kalloniatis, John Mylopoulos, Annie Antón, Stefanos Gritzalis, Weizhi Meng, Steven Furnell |
| Number of pages | 18 |
| Publication status | Published - 17 Dec 2020 |
| Event | 6th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2020, 2nd International Workshop on Security and Privacy Requirements Engineering, SECPRE 2020, and 3rd International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2020, held in conjunction with 25th European Symposium on Research in Computer Security, ESORICS 2020 - Guildford, United Kingdom |
| Duration | 14 Sep 2020 → 18 Sep 2020 |
| Series name | Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) |
| Conference | 6th International Workshop on Security of Industrial Control Systems and Cyber-Physical Systems, CyberICPS 2020, 2nd International Workshop on Security and Privacy Requirements Engineering, SECPRE 2020, and 3rd International Workshop on Attacks and Defenses for Internet-of-Things, ADIoT 2020, held in conjunction with 25th European Symposium on Research in Computer Security, ESORICS 2020 |
| Period | 14/09/20 → 18/09/20 |
Rights statement: This is a post-peer-review, pre-copyedit version of an article published in Katsikas S. et al. (eds) Computer Security. CyberICPS 2020, SECPRE 2020, ADIoT 2020. Lecture Notes in Computer Science, vol 12501. Springer, Cham. The final authenticated version is available online at: http://dx.doi.org/10.1007/978-3-030-64330-0_12.
Accepted author manuscript (Post-print), 1.26 MB, PDF document
Due to publisher’s copyright restrictions, this document is not freely available to download from this website until: 17/12/21