Decision-Making In Security Requirements Engineering With Constrained Goal Models

Selecting security mechanisms for complex software systems is a cumbersome process. The presence of multiple goals and architectural components, as well as cost and performance considerations, render decision-making a crucial but complicated aspect of a system's design. In our work, we extend Secure Tropos, a security requirements engineering methodology, by introducing the concept of Risk in order to facilitate the elicitation and analysis of security requirements and also support a systematic risk assessment process during the system's design time. Next, we use Constrained Goal Models to reason about optimal security mechanism combinations with respect to multiple objectives of the system-to-be, taking into account conflicting functional and non-functional goals. This type of reasoning allows combining linear multi-objective optimisation with logical constraints introduced by the system's stakeholders. Finally, we illustrate the application of approach through a real-world case study from the e-government sector.