Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank / Massacci, Fabio; Zannone, Nicola. - ELECTRONIC. - (2006), pp. 1-27.

Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank

Massacci, Fabio; Zannone, Nicola
2006-01-01

Abstract

Recent years have seen growing concern about the security of information systems and, consequently, a call to arms for including security aspects throughout the entire development process. Unfortunately, most proposals treat security in system-oriented terms and model information systems through the policies and security mechanisms they support. In contrast, attackers work around such security measures by exploiting weaknesses of the organization as a whole. Many weaknesses are due to conflicts between functional and security requirements at the organizational level. In this paper we show how the Secure Tropos requirements engineering methodology can be used to model such conflicts in a concrete case study: the fraud at Allied Irish Bank. In particular, the paper analyzes the vulnerabilities affecting the organization and information system of Allied Irish Bank and its subsidiary First Maryland Bancorp that were exploited by a currency trader in order to fraudulently cover $700 million in losses.
Year: 2006
Place: Trento
Publisher: Università degli Studi di Trento - Dipartimento di Informatica e Telecomunicazioni
Files in this item:
File: 002.pdf
Access: open access
Type: Publisher's version (publisher's layout)
Licence: All rights reserved
Size: 673.75 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise stated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11572/357888

Note: the data shown here have not been validated by the university.
