Decision Support for Choice of Security Solution: The Aspect-Oriented Risk Driven Development (AORDD) Framework
Abstract
In security assessment and management there is no single correct solution to the identified security problems or challenges. Instead there are only choices and tradeoffs. The main reason for this is that modern information systems, and security-critical information systems in particular, must perform at the contracted or expected security level, make effective use of available resources and meet end-users' expectations. Balancing these needs while also fulfilling development, project and financial perspectives, such as budget and time-to-market (TTM) constraints, means that decision makers have to evaluate alternative security solutions.
This work describes parts of an approach that supports decision makers in choosing one or a set of security solutions among alternatives. The approach, called the Aspect-Oriented Risk Driven Development (AORDD) framework, combines Aspect-Oriented Modeling (AOM) and Risk Driven Development (RDD) techniques and consists of seven components:
(1) An iterative AORDD process.
(2) Security solution aspect repository.
(3) Estimation repository to store experience from estimation of security risks and security solution variables involved in security solution decisions.
(4) RDD annotation rules for security risk and security solution variable estimation.
(5) The AORDD security solution trade-off analysis and trade-off tool BBN topology.
(6) Rule set for how to transfer RDD information from the annotated UML diagrams into the trade-off tool BBN topology.
(7) Trust-based information aggregation schema to aggregate disparate information in the trade-off tool BBN topology.
This work focuses on components 5 and 7, which are the two core components in the AORDD framework. This work has looked at four main research questions related to security solution decision support. These are:
RQ.1: How can alternative security solutions be evaluated against each other?
RQ.2: How can security risk impact and the effect of security solutions be measured?
RQ.3: Which development, project and financial perspectives are relevant and how can these be measured?
RQ.4: How can the disparate information involved in RQ.1, RQ.2 and RQ.3 be combined?
The main contributions of this work towards the above-mentioned research questions are:
C.1: A set of security risk variables.
C.2: A set of security solution variables.
C.3: A set of trade-off parameter variables to represent and measure relevant development, project and financial perspectives.
C.4: Methodology and tool-support for comparing the security solution variables with the security risk variables.
C.5: Methodology and tool-support for trading off security solutions and identifying the best-fitted one(s) based on security, development, project and financial perspectives.
C.1-C.5 are integrated into components 5 and 7 of the AORDD framework. C.1, C.2 and C.4 address RQ.1 and RQ.2, while C.3 and C.5 address RQ.3 and RQ.4, and C.5 addresses RQ.4.