Modeling and analysis of security trade-offs - A goal oriented approach

In designing software systems, security is typically only one design objective among many. It may compete with other objectives such as functionality, usability, and performance. Too often, security mechanisms such as firewalls, access control, or encryption are adopted without explicit recognition of competing design objectives and their origins in stakeholders' interests. Recently, there is increasing acknowledgement that security is ultimately about trade-offs. One can only aim for "good enough" security, given the competing demands from many parties. This paper investigates the criteria for a conceptual modeling technique for making security trade-offs. We examine how conceptual modeling can provide explicit and systematic support for modeling and analyzing security trade-offs. We examine several existing approaches for dealing with trade-offs and security trade-offs in particular. From analyzing the limitations of existing methods, we propose an extension to the i* Framework for security trade-off analysis, taking advantage of its multi-agent and goal orientation. The method was applied to several case studies used to exemplify existing approaches. The resulting models developed using different approaches are compared. (c) 2009 Elsevier B.V. All rights reserved.