Towards the Integration of Cybersecurity Risk Assessment into Model-based Requirements Engineering
18 Nov 2021
Model-Based Systems Engineering, Security requirements, Risk assessment, System and security co-engineering
Engineering projects must consider increasingly significant needs and constraints regarding expected behaviors, services, quality and security. These requirements are introduced into system and software engineering projects as functional and non-functional properties. Satisfying such properties implies rigorous processes that steer the project, from requirements identification and definition to system deployment and maintenance. Model-Based System Engineering (MBSE) is an effective approach to address security requirements and risk assessment at the early stages of the development life cycle, which enables cost-efficient fixes. The aim of this work is to investigate how cybersecurity risk assessment could be integrated into model-based requirements engineering. We propose a Model-based Cyberisk Assessment (MBCA) method that comprises: (1) a semantic alignment between risk assessment concepts and system modeling concepts and (2) a modeling language extension to represent security concepts and metrics throughout the system modeling life cycle. To illustrate our approach, validate its applicability and evaluate its expressiveness, we applied it to an industrial in-flight entertainment system.
D. Naouar, J. E. Hachem, J.-L. Voirin, J. Foisil and Y. Kermarrec, "Towards the Integration of Cybersecurity Risk Assessment into Model-based Requirements Engineering," 2021 IEEE 29th International Requirements Engineering Conference (RE), 2021, pp. 334-344, doi: 10.1109/RE51729.2021.00037.