Modeling Security and Trust Relationships within Organizations
MOSTRO DIT-PRJ-04-035
Status NOT active project
DISI role Partner
Project type Research Project
Dimension Trentino
Acquisition date 2004-07-09
Start date 2004-10-01
End date 2007-10-01
Project details
Project abstract Although security concerns are central to organizations, they rarely affect the design and development of the software. This simple observation explains why nowadays software problems are mainly due to security design flaws. These kinds of flaws are hard to detect, and are often the major cause of system reorganization and adjustments, that is, of notoriously expensive processes.

Different factors concur in determining this situation: first, security is a non-functional requirement, thus it is hard to capture with standard software design techniques; second, security is mostly a social and not a technical problem, thus it is hard to capture in standard design languages; third, there is no homogeneous way to represent security concerns at different levels of software description, thus it is hard to trace security issues along the phases of software development.

The MOSTRO project aims at detecting and isolating security flaws at the very early stages of software design and development, taking into account as well the reasons for existing ineffective practices in software design. Our approach is based on an interdisciplinary view of the security problem that includes techniques from ontological analysis, security modeling, multi-agent reasoning, and systems engineering, and incorporates security concerns in a coherent and formally verifiable way at all the stages of software design and development.

To achieve this, an ontologically well-founded language for modeling organizations will be developed, paying particular attention to the social interaction within organizations, as related to security requirements. The intended semantics of this language will be described by means of an axiomatic theory, the Organizations Security Ontology. Relying on this ontology, the project will develop formal reasoning techniques and algorithms allowing one to analyze organization and system models with respect to security. The methodology itself will consist of a set of guidelines to be used in the everyday practice of requirements engineering. A specific case study related to the security problems of electronic payments, proposed by Informatica Trentina SpA, will be defined in the early phase of the project. It will serve to elicit real-world information for the ontological analysis, and validate both the methodology and the reasoning algorithms.

Due to the international reputation of its partners, who have a leadership position in all the scientific areas addressed, the project also plans to have a long-term educational impact in Trentino, fostering the diffusion of high-quality technical and scientific competence in the critical sectors of information systems design and business analysis.
Fundings 400000 €
Partners
- DIT - UniTN
- Laboratory for Applied Ontology (LOA), ISTC-CNR
- Institut de Recherche en Informatique de Toulouse (IRIT)
- Laboratory for Applied Ontology (LOA)
DISI Sub-project details
Project abstract DIT shall develop a methodology for security modeling and analysis that builds on the results of ontological analysis and on existing methodologies for requirements engineering such as TROPOS, and aims at producing a set of guidelines to be used in the everyday practice of requirements engineering. The methodology will make clear the reasons for adopting specific security mechanisms, while addressing two crucial phases of software development:
- in the early requirements phase, which focuses on the system's organizational setting (organization analysis), it will make it possible to describe the social relations between the relevant actors (both humans and software systems), and to model implicit security aspects in terms of such relations.
- in the late requirements phase, which addresses the relevant functions and qualities of the system-to-be (system requirements analysis), it will allow for analyzing the explicit security needs, relating them to the goals of the stakeholders and their dependencies with the system.
Fundings 100000 €
Manager Fabio Massacci
Participating RP

