A lingua franca for security by design

Publikationstyp
Conference Paper
Publikationsdatum
2018-09
Sprache
English
Author
Van Den Berghe, Alexander 
Yskout, Koen 
Scandariato, Riccardo 
Joosen, Wouter 
TORE-URI
http://hdl.handle.net/11420/10259
Start Page
69
End Page
76
Article Number
8543389
Citation
IEEE Cybersecurity Development Conference (SecDev 2018)
Contribution to Conference
2018 IEEE Cybersecurity Development Conference, SecDev 2018 
Publisher DOI
10.1109/SecDev.2018.00017
Scopus ID
2-s2.0-85059839405
The principle of security by design is advocated by academia as well as industry. Unfortunately, its adoption in practice is not yet widespread. We believe a reason for this is the lack of a 'lingua franca' for security modelling. Such a language should support security specialists to precisely describe the security aspects in a software design, as well as simultaneously serve to communicate with a broader audience of stakeholders. For this paper, we have assessed how well a formally backed security modelling language we previously proposed, suits the needs of the needs of these two groups. Concretely, we report on a large user study investigating how well security novices are able to comprehend the foundations of our language. Furthermore, to assess our language's practicality, we show how it can be used to create a realistic model of authentication. We have found that our language's foundations are comprehensible to a broader audience and they allow to precisely model a design's security aspects, albeit some shortcomings requiring attention have been identified. Based on these findings, we believe that a precise yet comprehensible security by design lingua franca is within reach.
Schlagworte
Evaluation
Modelling language
Security by design
User study