An Empirical Comparison of Security Requirements Elicitation Methods

Date

2015

Abstract

The modern working environment is closely tied to information technology (hereinafter IT). With the widespread use of IT in all areas of life, the question of its security has come to the fore, and ensuring security in the IT field is of high importance. Despite the abundance of methods for achieving security requirements, companies and institutions may find it difficult to select a suitable method for ensuring adequate IT security. To address this problem, I compared two methods in a case study conducted at the Estonian Football Association (EJL). Security Quality Requirements Engineering (SQUARE) is a widely used security requirements elicitation method that emphasizes risk considerations at the early design stage. Security Requirements Elicitation from Business Processes (SREBP) is a new method that derives security requirements from the analysis of business processes. I placed the elicited security requirements into comparative categories, which allowed me to determine their degree of effectiveness. The study found that the result obtained with the SREBP method better met the requirements for ensuring security. This study confirms the effectiveness and reliability of the SREBP method.
The importance of security engineering in the development cycle is widely accepted. In spite of the large variety of security requirements elicitation techniques, organizations struggle to select the security requirements elicitation method that would yield security requirements with the most complete coverage. Two potential solutions to this problem are considered here: Security Quality Requirements Engineering (SQUARE) and Security Requirements Elicitation from Business Processes (SREBP). SQUARE is an established and widely used security requirements elicitation method that addresses security early in the software development cycle. SREBP, on the other hand, is a new approach that helps derive security requirements from operational business processes. To address the above-mentioned issue, this thesis compares the two methods based on an empirical case study of the Estonian Football Association. The elicited security requirements are categorized and the completeness of their coverage is compared. As a result, it was determined that SREBP provides more complete coverage of the security requirements. This result contributes to the existing literature by further strengthening the validity of SREBP.
