Societal Computing Thesis Defense
- Robert Mehrabian Collaborative Innovation Center
- HANAN HIBSHI
- Ph.D. Student
- Ph.D. Program in Societal Computing, Institute for Software Research
- Carnegie Mellon University
Composite Security Requirements in the Presence of Uncertainty
Providing secure solutions for information systems relies on decisions made by expert security professionals. These professionals must be capable of aligning threats to existing vulnerabilities to provide mitigations needed to minimize security risks. Despite the abundance of security controls, guidelines, and checklists, security experts rely mostly on their background knowledge and experience to make security-related decisions. In this thesis I explore how security experts make security-related decisions, collect their assessments of security measures nested in scenarios, and extract security mitigation rules. These rules could be used to build an intelligent fuzzy logic intelligent system, which captures the knowledge of many experts in combination.
I present the Multi-factor Quality Measurement (MQM) method that I introduced to the field of requirements engineering to empirically elicit and analyze security knowledge from experts. This is done by using user-studies that instruments factorial vignettes to capture the experts' assessments of mitigations in scenarios composed of many components affecting the decision-making process. The results are analyzed quantitatively with multi-level modeling in order to capture the weights and priorities assigned to security requirements, and qualitatively to explore new or refined security requirements. The outcome of the analysis will be used to generate membership functions for a type-2 fuzzy logic system. The corresponding fuzzy rule-sets encode the interpersonal and intra-personal uncertainties among experts in decision-making.
I explores security decision-making in presence of: composite security requirements, varying expertise, and uncertainty. This work makes methodological contributions on two aspects: empiricism, where I adapt different data collection and analysis techniques adapted from other interdisciplinary fields to introduce a new research methodology in software engineering; and modeling, where I explore a data-driven modelling approach that can fit data collected from experts in a domain, where the experts are scarce and the amount of data collected is not sufficient to use machine learning.
Travis D. Breaux (Chair)
Lorrie Faith Cranor
Dongrui Wu (Huazhong University of Science and Technology)