Publications

Book Chapters

  1. F. Massacci, J. Mylopoulos, and N. Zannone. An Ontology for Secure Socio-Technical Systems. In Handbook of Ontologies for Business Interaction. Idea Group, 2006. To appear.
    Abstract: Security is often compromised by exploiting vulnerabilities in the interface between the organization and the information systems that support it. This reveals the necessity of modeling and analyzing information systems together with the organizational setting where they will operate. In this chapter we address this problem by presenting a modeling language tailored to analyze the problem of security at an organizational level. This language proposes a set of concepts founded on the notions of permission, delegation, and trust. The chapter also presents a semantics for these concepts, based on Datalog. A case study from the bank domain is employed to illustrate the proposed language.

    @incollection{mass-mylo-zann-07-IDEA,
     author = {Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{An Ontology for Secure Socio-Technical Systems}},
     booktitle = {Handbook of Ontologies for Business Interaction},
     publisher = IDEA,
     year = {2007},
     note = {To appear.},
    }
    
  2. F. Massacci and N. Zannone. Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank. In Social Modeling for Requirements Engineering. MIT Press, 2006. To appear.
    @incollection{mass-zann-06-MIT,
     author = {Fabio Massacci and Nicola Zannone},
     title = {{Detecting Conflicts between Functional and Security Requirements with Secure Tropos: John Rusnak and the Allied Irish Bank}},
     booktitle = {Social Modeling for Requirements Engineering},
     publisher = MIT,
     year = {2006},
     note = {To appear.}
    }
    
  3. P. Giorgini, H. Mouratidis, and N. Zannone. Modelling Security and Trust with Secure Tropos. In Integrating Security and Software Engineering: Advances and Future Vision, pages 160-189. Idea Group, 2006.
    Abstract: Although the concepts of security and trust are an important issue in the development of information systems, they have been mainly neglected by software engineering methodologies. In this chapter, we present an approach that considers security and trust throughout the software development process. Our approach integrates two prominent software engineering approaches, one that provides a security-oriented process and one that provides a trust management process. The result is the development of a methodology that considers security and trust issues as part of its development process. Such integration represents an advance over the current state of the art by providing the first effort to consider security and trust issues under a single software engineering methodology. A case study from the health domain is employed to illustrate our approach.

    @incollection{gior-mour-zann-06-IDEA,
     author = {Paolo Giorgini and Haralambos Mouratidis and Nicola Zannone},
     title = {{Modelling Security and Trust with Secure Tropos}},
     booktitle = {Integrating Security and Software Engineering: Advances and Future Vision},
     publisher = IDEA,
     pages = {160--189},
     year = {2006},
    }
    
  4. P. Giorgini, F. Massacci and N. Zannone. Security and Trust Requirements Engineering. In Foundations of Security Analysis and Design III - Tutorial Lectures, LNCS 3655, pages 237-272. Springer-Verlag GmbH, 2005.
    Abstract: Integrating security concerns throughout the whole software development process is one of today's challenges in software and requirements engineering research, a challenge that so far has proved difficult to meet. The major difficulty is that providing security does not only require solving technical problems but also reasoning on the organization as a whole. This makes the usage of traditional software engineering methodologies difficult or unsatisfactory: most proposals focus on protection aspects of security and explicitly deal with low level protection mechanisms, and only a handful of them show the ability of capturing the high-level organizational security requirements without getting suddenly bogged down into security protocols or cryptography algorithms. In this paper we critically review the state of the art in security requirements engineering and discuss the motivations that led us to propose the Secure Tropos methodology, a formal framework for modelling and analyzing security, that enhances the agent-oriented software development methodology i*/Tropos. We illustrate the Secure Tropos approach, a comprehensive case study, and discuss some later refinements of the Secure Tropos methodology to address some of its shortcomings. Finally, we introduce the ST-Tool, a CASE tool that supports our methodology.

    @incollection{gior-mass-zann-05-FOSAD,
     author = {Paolo Giorgini and Fabio Massacci and Nicola Zannone},
     title = {{Security and Trust Requirements Engineering}},
     booktitle = FOSAD-05,
     series = LNCS,
     volume = {3655},
     pages = {237--272},
     publisher = SVG,
     year = {2005},
    }
    

International Journals

  1. F. Massacci, J. Mylopoulos and N. Zannone. Computer-Aided Support for Secure Tropos. Automated Software Engineering. 2007. To appear.
    Abstract: In earlier work, we have introduced Secure Tropos, a requirements engineering methodology that extends the Tropos methodology and is intended for the design and analysis of security requirements. This paper briefly recaps the concepts proposed for capturing security aspects, and presents an implemented graphical CASE tool that supports the Secure Tropos methodology. Specifically, the tool supports the creation of Secure Tropos models, their translation to formal specifications, as well as the analysis of these specifications to ensure that they comply with specific security properties. Apart from presenting the tool, the paper also presents a two-tier evaluation consisting of two case studies and an experimental evaluation of the tool's scalability.
    @article{mass-mylo-zann-07-ASE,
     author = {Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Computer-Aided Support for Secure Tropos}},
     journal = ASE,
     year = {2007},
     note = {To appear.},
    }
    
  2. F. Massacci, J. Mylopoulos and N. Zannone. From Hippocratic Databases to Secure Tropos: a Computer-Aided Re-Engineering Approach. International Journal of Software Engineering and Knowledge Engineering, 17(2):265-284. 2007.
    Abstract: Privacy protection is a growing concern in the marketplace. Yet, privacy requirements and mechanisms are usually retro-fitted into a pre-existing design which may not be able to accommodate them due to potential conflicts with functional requirements. We propose a procedure for automatically extracting privacy requirements from databases supporting access control mechanisms for personal data (hereafter Hippocratic databases) and representing them in the Tropos modeling framework where tools are available for checking the correctness and consistency of privacy requirements. The procedure is illustrated with a case study.
    @article{mass-mylo-zann-07-IJSEKE,
     author = {Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{From Hippocratic Databases to Secure Tropos: a Computer-Aided Re-Engineering Approach}},
     journal = IJSEKE,
     volume = {17},
     number = {2},
     pages = {265--284},
     year = {2007},
    }
    
  3. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Requirements Engineering for Trust Management: Model, Methodology, and Reasoning. The International Journal of Information Security, 5(4):257-274, 2006.
    Abstract: A number of recent proposals aim to incorporate security engineering into mainstream software engineering. Yet, capturing trust and security requirements at an organizational level, as opposed to an IT system level, and mapping these into security and trust management policies is still an open problem. This paper proposes a set of concepts founded on the notions of ownership, permission and trust and intended for requirements modeling. It also extends Tropos, an agent-oriented software engineering methodology, to support security requirements engineering. These concepts are formalized and are shown to support the automatic verification of security and trust requirements using Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.
    @article{gior-mass-mylo-zann-06-IJIS,
     author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Requirements Engineering for Trust Management: Model, Methodology, and Reasoning}},
     journal = IJIS,
     volume = {5},
     number = {4},
     pages = {257--274},
     year = {2006},
    }
    

  4. F. Massacci, J. Mylopoulos and N. Zannone. Hierarchical Hippocratic Databases with Minimal Disclosure for Virtual Organizations. The VLDB Journal, 15(4):370-387, 2006.
    Abstract: The protection of customer privacy is a fundamental issue in today's corporate marketing strategies. Not surprisingly, many research efforts have proposed new privacy-aware technologies. Among them, Hippocratic databases offer mechanisms for enforcing privacy rules in database systems for inter-organizational business processes (also known as virtual organizations). This paper extends these mechanisms to allow for hierarchical purposes, distributed authorizations and minimal disclosure supporting the business processes of virtual organizations that want to offer their clients a number of ways to fulfill a service. Specifically, we use a goal-oriented approach to analyze privacy policies of the enterprises involved in a business process. Based on the purpose hierarchy derived through a goal refinement process, we provide algorithms for determining the minimum set of authorizations needed to achieve a service. This allows us to automatically derive access control policies for an inter-organizational business process from the collection of privacy policies associated with different participating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to access a service.
    @article{mass-mylo-zann-06-VLDBJ,
     author = {Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Hierarchical Hippocratic Databases with Minimal Disclosure for Virtual Organizations}},
     journal = VLDBJ,
     volume = {15},
     number = {4},
     pages = {370--387},
     year = {2006},
    }
  5. F. Massacci, M. Prest and N. Zannone. Using a Security Requirements Engineering Methodology in Practice: the compliance with the Italian Data Protection Legislation. Computer Standards & Interfaces, 27(5):445-455, 2005.
    Abstract: Extending Requirements Engineering modelling and formal analysis methodologies to cope with Security Requirements has been a major effort in the past decade. Yet, only few works describe complex case studies that show the ability of the informal and formal approaches to cope with the level of complexity required by compliance with ISO-17799 security management requirements. In this paper we present a comprehensive case study of the application of the Secure Tropos RE methodology for the compliance to the Italian legislation on Privacy and Data Protection by the University of Trento, leading to the definition and analysis of an ISO-17799-like security management scheme.
    @article{mass-pres-zann-05-CSI,
     author = {Fabio Massacci and Marco Prest and Nicola Zannone},
     title = {{Using a Security Requirements Engineering Methodology in Practice: the compliance with the Italian Data Protection Legislation}},
     journal = CSI,
     volume = {27},
     number = {5},
     pages = {445--455},
     year = {2005},
    }
    

International Conferences and Workshops

  1. H. A. López, F. Massacci and N. Zannone. Goal-Equivalent Secure Business Process Re-engineering for E-Health. In Proceedings of the 1st International Workshop on Model-Based Trustworthy Health Information Systems (MOTHIS'07), 2007.
    Abstract: The introduction of ITs in e-Health often requires re-engineering the business processes used to deliver care. Obviously the new and re-engineered processes are observationally different and thus we cannot use existing model-based techniques to argue that they are somehow "equivalent".
    In this paper we propose a notion of equivalence over secure business processes based on the notion of goal-equivalence:
    • start from the old secure business process;
    • reconstruct from that business process the functional and security requirements at organizational level that the old business process was supposed to meet (including the trust relations that existed among the members of the organization);
    • compare the re-engineered business process with the requirements and see if they are equally met or possibly improved.
    To this intent, we present a reasoning method for passing from SI*, a modeling language that captures the functional, security and trust requirements of IT systems and their operational environments, to business processes specifications and vice versa. Both translation processes are complementary, in the sense that SI* models can have multiple business process concretizations, and different business processes can be equivalent in terms of the goals they achieve. We illustrate and motivate the proposed approach using an e-health case study.

    @inproceedings{lope-mass-zann-07-MOTHIS,
      author    = {Hugo A. L{\'o}pez and Fabio Massacci and Nicola Zannone},
      title     = {{Goal-Equivalent Secure Business Process Re-engineering for E-Health}},
      booktitle = MOTHIS-07,
      year      = {2007},
    }
    
  2. H. A. López, F. Massacci and N. Zannone. Goal-Equivalent Secure Business Process Re-engineering. In Proceedings of the 2nd International Workshop on Business Oriented Aspects concerning Semantics and Methodologies in Service-oriented Computing (SeMSoC'07), 2007.
    Abstract: The introduction of information technologies in health care systems often requires re-engineering the business processes used to deliver care. Obviously, the new and re-engineered processes are observationally different and thus we cannot use existing model-based techniques to argue that they are somehow "equivalent". In this paper we propose a method for passing from SI*, a modeling language for capturing and modeling functional, security, and trust organizational and system requirements, to business process specifications and vice versa. In particular, starting from an old secure business process, we reconstruct the functional and security requirements at organizational level that such a business process was supposed to meet (including the trust relations that existed among the members of the organization). To ensure that the re-engineered business process meets the elicited requirements, we employ a notion of equivalence based on goal-equivalence. Basically, we verify if the execution of the business process, described in terms of the trace it generates, satisfies the organizational model. We motivate and illustrate the method with an e-health case study.

    @inproceedings{lope-mass-zann-07-SeMSoC,
      author    = {Hugo A. L{\'o}pez and Fabio Massacci and Nicola Zannone},
      title     = {{Goal-Equivalent Secure Business Process Re-engineering}},
      booktitle = SeMSoC-07,
      year      = {2007},
    }
    
  3. V. Bryl, P. Mello, M. Montali, P. Torroni and N. Zannone. B-Tropos: Agent-oriented requirements engineering meets computational logic for declarative business process modeling and verification. In Proceedings of the 8th Workshop on Computational Logic in Multi-Agent Systems (CLIMA-VIII), 2007.
    Abstract: The analysis of business requirements and the specification of business processes are fundamental for the development of information systems. The first part of this paper presents B-Tropos as a way to combine business goals and requirements to the business process model. B-Tropos enhances a well-known agent-oriented early requirements engineering framework with declarative business process-oriented constructs, inspired by the DecSerFlow and ConDec languages. In the second part of the paper, we show a mapping of B-Tropos onto SCIFF, a computational logic-based framework, for properties and conformance verification.

    @inproceedings{bryl-mell-mont-torr-zann-07-CLIMA,
      author    = {Volha Bryl and Paola Mello and Marco Montali and Paolo Torroni and Nicola Zannone},
      title     = {{B-Tropos: Agent-oriented requirements engineering meets computational logic for declarative business process modeling and verification}},
      booktitle = CLIMA-07,
      year      = {2007},
    }
    
  4. P. Guarda, F. Massacci, and N. Zannone. E-Government and On-line Services: Security and Legal Patterns. In Proceedings of the 1st International Conference on Methodologies, Technologies and Tools enabling e-Government (MeTTeG07), 2007. To appear.
    Abstract: E-government refers to the introduction of digital technologies into public administrations and it is assuming a pivotal role in many countries, including Italy. In particular, the supply of on-line services by public administrations represents a rapidly expanding phenomenon. The objective of the paper is to support system designers in the development of IT systems that comply with regulations that govern the use of technologies in public administrations. Thus, taking as running example a tax portal and its authentication issues, we look at the general principles and rules that govern institutional sites and portals, as established in the Italian Public Administration Code. We also show how Security Requirements Engineering methodologies can assist system designers in their activities.

    @inproceedings{guar-mass-zann-07-MeTTeG,
      author    = {Paolo Guarda and Fabio Massacci and Nicola Zannone},
      title     = {{E-Government and On-line Services: Security and Legal Patterns}},
      booktitle = MeTTeG-07,
      year      = {2007},
    }
    
  5. L. Compagna, P. El Khoury, F. Massacci, R. Thomas, and N. Zannone. How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach. In Proceedings of the 11th International Conference on Artificial Intelligence and Law (ICAIL 2007), 2007. To appear.
    Abstract: Laws set requirements that force organizations to assess the security and privacy of their IT systems and impose the adoption of the implementation of minimal precautionary security measures. Several frameworks have been proposed to deal with this issue. For instance, purpose-based access control is normally considered a good solution for meeting the requirements of privacy legislation. Yet, understanding why, how, and when such solutions to security and privacy problems have to be deployed is often unanswered. In this paper, we look at the problem from a broader perspective, accounting for legal and organizational issues. Security engineers and legal experts should be able to start from the organizational model and derive from there the points where security and privacy problems may arise and determine which solutions best fit the (legal) problems that they face. In particular, we investigate the methodology needed to capture security and privacy requirements for a Health Care Centre using a smart items infrastructure.
    @inproceedings{comp-elkh-mass-thom-zann-07-ICAIL,
      author    = {Luca Compagna and Paul El Khoury and Fabio Massacci and Reshma Thomas and Nicola Zannone},
      title     = {{How to capture, model, and verify the knowledge of legal, security, and privacy experts: a pattern-based approach}},
      booktitle = ICAIL-07,
      year      = {2007},
      note = {To appear.},
    }
    
  6. Y. Asnar, P. Giorgini, and N. Zannone. Reasoning about Risk in Agent's Deliberation Process: a Jadex Implementation. In Proceedings of the 8th International Workshop on Agent Oriented Software Engineering (AOSE'07), 2007. To appear.
    Abstract: Autonomous agents and multi-agent systems have proven useful in several safety-critical applications. However, in current agent architectures (particularly BDI architectures) the deliberation process does not include any form of risk analysis. In this paper, we propose guidelines to implement Tropos Goal-Risk reasoning. Our proposal aims at introducing risk reasoning in the deliberation process of a BDI agent so that the overall set of possible plans is evaluated with respect to risk. When the level of risk is too high, agents can consider and introduce additional plans, called treatments, that produce an overall reduction of the risk. Side effects of treatments are also considered as part of the model. To make the discussion more concrete, we illustrate the proposal with a case study on the Unmanned Aerial Vehicle agent.
    @inproceedings{asna-gior-zann-07-AOSE,
      author    = {Yudistira Asnar and Paolo Giorgini and Nicola Zannone},
      title     = {{Reasoning about Risk in Agent's Deliberation Process: a Jadex Implementation}},
      booktitle = AOSE-07,
      year      = {2007},
      note = {To appear.},
    }
    
  7. Y. Asnar, P. Giorgini, F. Massacci, and N. Zannone. From Trust to Dependability through Risk Analysis. In Proceedings of the 2nd International Conference on Availability, Reliability and Security (ARES'07), pages 19-26. IEEE Computer Society Press, 2007.
    Abstract: The importance of critical systems has been widely recognized and several efforts are devoted to integrating dependability requirements in their development process. Such efforts result in a number of models, frameworks, and methodologies that have been proposed to model and assess the dependability of critical systems. Among them, risk analysis considers the likelihood and severity of failures for evaluating the risk affecting the system. In our previous work, we introduced the Tropos Goal-Risk framework, a formal framework for modeling, assessing, and treating risks on the basis of the likelihood and severity of failures. In this paper, we refine this framework introducing the notion of trust for assessing risks on the basis of the organizational setting of the system. The assessment process is also enhanced to analyze risks along trust relations among actors. To make the discussion more concrete, we illustrate the framework with a case study on partial airspace delegation in an Air Traffic Management system.
    @inproceedings{ASNA-GIOR-MASS-ZANN-07-ARES,
      author    = {Yudistira Asnar and Paolo Giorgini and Fabio Massacci and Nicola Zannone},
      title     = {{From Trust to Dependability through Risk Analysis}},
      booktitle = ARES-07,
      pages = {19--26},
      publisher = IEEEP,
      year      = {2007},
    }
    
  8. F. Massacci, J. Mylopoulos and N. Zannone. A Privacy Model to Support Minimal Disclosure in Virtual Organizations. In Proceedings of the W3C Workshop on Languages for Privacy Policy Negotiation and Semantics-Driven Enforcement, 2006.
    Abstract: The last years have seen an increasing attention on privacy-aware technologies and mechanisms for the negotiation of private information between customers and enterprises. Unfortunately, current proposals are still unsatisfactory since they do not cover the entire spectrum of privacy management. Moreover, they do not provide support for emerging business models such as the inter-organizational business process (also known as virtual organizations). In this paper we propose a privacy model complying with the minimal disclosure principle when a coalition of organizations integrate their efforts to provide services to customers.
    @inproceedings{mass-mylo-zann-06-W3C,
     author = {Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{A Privacy Model to Support Minimal Disclosure in Virtual Organizations}},
     booktitle = W3C-06,
     year = {2006},
    }
    
  9. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Detecting Conflicts of Interest. In Proceedings of the 14th IEEE International Requirements Engineering Conference (RE'06), pages 315-318. IEEE Computer Society Press, 2006.
    Abstract: System vulnerabilities are often caused by the presence of conflicts within the organization where the system-to-be will eventually operate. In particular, conflicts of interest are very harmful since actors can exploit their positions/roles relative to the system for gaining personal advantage. Capturing and resolving such conflicts is a necessary condition for developing secure information systems. In this paper, we show how conflicts of interest can be formally detected during requirements analysis. This allows system designers to investigate the causes for which conflicts may occur in an organization. Thereby, they can better understand the organizational structure and so provide appropriate countermeasures to resolve or at least mitigate them.
    @inproceedings{gior-mass-mylo-zann-06-RE,
     author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Detecting Conflicts of Interest}},
     booktitle = RE-06,
     pages = {315--318},
     publisher = IEEEP,
     year = {2006},
    }
    
  10. V. Bryl, F. Massacci, J. Mylopoulos and N. Zannone. Designing Security Requirements Models through Planning. In Proceedings of the 4th International Workshop on AI for Service Composition, pages 28-35, 2006.
    Abstract: The quest for designing secure and trusted software has led to refined Software Engineering methodologies that rely on tools to support the design process. Automated reasoning mechanisms for requirements and software verification are by now a well-accepted part of the design process, and model driven architectures support the automation of the refinement process. We claim that we can further push the envelope towards the automatic exploration and selection among design alternatives and show that this is concretely possible for Secure Tropos, a requirements engineering methodology that addresses security and trust concerns. In Secure Tropos, a design consists of a network of actors (agents, positions or roles) with delegation/permission dependencies among them. Accordingly, the generation of design alternatives can be accomplished by a planner which is given as input a set of actors and goals and generates alternative multi-agent plans to fulfill all given goals. We validate our claim with a case study using a state-of-the-art planner.
    @inproceedings{bryl-mass-mylo-zann-06-AISC,
     author = {Volha Bryl and Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Designing Security Requirements Models through Planning}},
     booktitle = AISC-06,
     pages = {28--35},
     year = {2006},
    }
    
  11. N. Zannone, S. Jajodia, and D. Wijesekera. Creating Objects in the Flexible Authorization Framework. In Proceedings of the 20th Annual IFIP WG 11.3 Working Conference on Data and Applications Security (DBSec 2006), LNCS 4127, pages 1-14, Springer-Verlag GmbH, 2006.
    Abstract: Access control is a crucial concern to build secure IT systems and, more specifically, to protect the confidentiality of information. However, access control is necessary, but not sufficient. Actually, IT systems can manipulate data to provide services to users. The results of a data processing may disclose information concerning the objects used in the data processing itself. Therefore, the control of information flow is fundamental to guarantee data protection. In the last years many information flow control models have been proposed. However, these frameworks mainly focus on the detection and prevention of improper information leaks and do not provide support for the dynamical creation of new objects. In this paper we extend our previous work to automatically support the dynamical creation of objects by verifying the conditions under which objects can be created and automatically associating an access control policy to them. Moreover, our proposal includes mechanisms tailored to control the usage of information once it has been accessed.
    @inproceedings{zann-jajo-wije-06-DBSec,
     author = {Nicola Zannone and Sushil Jajodia and Duminda Wijesekera},
     title = {{Creating Objects in the Flexible Authorization Framework}},
     booktitle = DBSec-06,
     series = LNCS,
     volume = {4127},
     pages = {1--14},
     publisher = SVG,
     year = {2006},
    }
    
  12. V. Bryl, F. Massacci, J. Mylopoulos and N. Zannone. Designing Security Requirements Models through Planning. In Proceedings of the 18th Conference on Advanced Information Systems Engineering (CAiSE'06), LNCS 4001, pages 33-47, Springer-Verlag GmbH, 2006.
    Abstract: The quest for designing secure and trusted software has led to refined Software Engineering methodologies that rely on tools to support the design process. Automated reasoning mechanisms for requirements and software verification are by now a well-accepted part of the design process, and model driven architectures support the automation of the refinement process. We claim that we can further push the envelope towards the automatic exploration and selection among design alternatives and show that this is concretely possible for Secure Tropos, a requirements engineering methodology that addresses security and trust concerns. In Secure Tropos, a design consists of a network of actors (agents, positions or roles) with delegation/permission dependencies among them. Accordingly, the generation of design alternatives can be accomplished by a planner which is given as input a set of actors and goals and generates alternative multi-agent plans to fulfill all given goals. We validate our claim with a case study using a state-of-the-art planner.
    @inproceedings{bryl-mass-mylo-zann-06-CAiSE,
     author = {Volha Bryl and Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Designing Security Requirements Models through Planning}},
     booktitle = CAiSE-06,
     series = LNCS,
     volume = {4001},
     pages = {33--47},
     publisher = SVG,
     year = {2006},
    }
    
  13. N. Zannone, S. Jajodia, F. Massacci and D. Wijesekera. Maintaining Privacy on Derived Objects. In Proceedings of the Workshop on Privacy in the Electronic Society (WPES'05), pages 10-19. ACM Press, 2005.
    Abstract: Protecting privacy means to ensure users that access to their personal data complies with their preferences. However, information can be manipulated in order to derive new objects that may disclose part of the original information. Therefore, control of information flow is necessary for guaranteeing privacy protection since users should know and control not only who accesses their personal data, but also who accesses information derived from their data. Actually, current approaches for access control do not provide support for managing propagation of information and for representing user preferences. This paper proposes to extend the Flexible Authorization Framework (FAF) in order to automatically verify whether a subject is entitled to process personal data and derive the authorizations associated with the outcome of data processing. In order to control information flow, users may specify the range of authorizations that can be associated with objects derived from their data. The framework guarantees that every "valid" derived object does not disclose more information than users want and preserves the permissions that users want to maintain. To make the discussion more concrete, we illustrate the proposal with a bank case study.
    @inproceedings{zann-jajo-mass-wije-05-WPES,
     author = {Nicola Zannone and Sushil Jajodia and Fabio Massacci and Duminda Wijesekera},
     title = {{Maintaining Privacy on Derived Objects}},
     booktitle = WPES-05,
     pages = {10--19},
     publisher = ACM,
     year = {2005},
    }
    
  14. F. Massacci, J. Mylopoulos and N. Zannone. Minimal Disclosure in Hierarchical Hippocratic Databases with Delegation. In Proceedings of the 10th European Symposium on Research in Computer Security (ESORICS 2005), LNCS 3679, pages 438-454. Springer-Verlag GmbH, 2005.
    Abstract: Hippocratic Databases have been proposed as a mechanism to guarantee the respect of privacy principles in data management. We argue that three major principles are missing from the proposed mechanism: hierarchies of purposes, delegation of tasks and authorizations (i.e. outsourcing), and the minimal disclosure of private information. In this paper, we propose a flexible framework for the negotiation of personal information among customers and (possibly virtual) enterprises based on user preferences when enterprises may adopt different processes to provide the same service. We use a goal-oriented approach to analyze the purposes of a Hippocratic system and derive a purpose and delegation hierarchy. Based on this hierarchy, effective algorithms are given to determine the minimum set of authorizations needed for a service. In this way, the minimal authorization table of a global business process can be automatically constructed from the collection of privacy policy tables associated with the collaborating enterprises. By using effective on-line algorithms, the derivation of such minimal information can also be done on-the-fly by the customer wishing to use the services of a virtual organization.
    @inproceedings{mass-mylo-zann-05-ESORICS,
     author = {Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Minimal Disclosure in Hierarchical Hippocratic Databases with Delegation}},
     booktitle = ESORICS-05,
     series = LNCS,
     volume = {3679},
     pages = {438--454},
     publisher = SVG,
     year = {2005},
    }
    
  15. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Modeling Security Requirements Through Ownership, Permission and Delegation. In Proceedings of the 13th IEEE International Requirements Engineering Conference (RE'05), pages 167-176. IEEE Computer Society Press, 2005.
    Abstract: Security Requirements Engineering is emerging as a branch of Software Engineering, spurred by the realization that security must be dealt with early on during the requirements phase. Methodologies in this field are challenging, as they must take into account subtle notions such as trust (or lack thereof), delegation, and permission; they must also model entire organizations and not only systems-to-be. In our previous work we introduced Secure Tropos, a formal framework for modeling and analyzing security requirements. Secure Tropos is founded on three main notions: ownership, trust, and delegation. In this paper we refine Secure Tropos introducing the notions of at-least delegation and trust of execution; also, at-most delegation and trust of permission. We also propose monitoring as a security design pattern intended to overcome the problem of lack of trust between actors. The paper presents a semantics for these notions, and describes an implemented formal reasoning tool based on Datalog.
    @inproceedings{gior-mass-mylo-zann-05-REa,
     author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{Modeling Security Requirements Through Ownership, Permission and Delegation}},
     booktitle = RE-05,
     pages = {167--176},
     publisher = IEEEP,
     year = {2005},
    }
    
  16. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. ST-Tool: A CASE Tool for Security Requirements Engineering. In Proceedings of the 13th IEEE International Requirements Engineering Conference (RE'05), pages 451-452. IEEE Computer Society Press, 2005.
    Abstract: Security Requirements Engineering is emerging as a branch of Software Engineering, spurred by the realization that security must be dealt with early on during the requirements phase. We propose ST-Tool, a CASE tool developed for modeling and analyzing functional and security requirements.
    @inproceedings{gior-mass-mylo-zann-05-REb,
     author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Nicola Zannone},
     title = {{ST-Tool: A CASE Tool for Security Requirements Engineering}},
     booktitle = RE-05,
     pages = {451--452},
     publisher = IEEEP,
     year = {2005},
    }
    
  17. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Modeling Social and Individual Trust in Requirements Engineering Methodologies. In Proceedings of the Third International Conference on Trust Management (iTrust 2005), LNCS 3477, pages 161-176. Springer-Verlag GmbH, 2005.
    Abstract: When we model and analyze trust in organizations or information systems we have to take into account two different levels of analysis: social and individual. Social levels define the structure of organizations, whereas individual levels focus on individual agents. This is particularly important when capturing security requirements, where a ``normally'' trusted organizational role can be played by an untrusted individual. Our goal is to model and analyze the two levels, finding the link between them and supporting the automatic detection of conflicts that can come up when agents play roles in the organization. We also propose a formal framework that allows for the automatic verification of security requirements between the two levels by using Datalog and has been implemented in a CASE tool.
    @inproceedings{gior-mass-mylo-zann-05-iTrust,
      author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Nicola Zannone},
      title = {{Modeling Social and Individual Trust in Requirements Engineering Methodologies}},
      booktitle = ITRUST-05,
      series = LNCS,
      volume = {3477},
      pages = {161--176},
      publisher = SVG,
      year = {2005},
    }
    
  18. P. Giorgini, F. Massacci, J. Mylopoulos, A. Siena and N. Zannone. ST-Tool: A CASE Tool for Modeling and Analyzing Trust Requirements. In Proceedings of the Third International Conference on Trust Management (iTrust 2005), LNCS 3477, pages 415-419. Springer-Verlag GmbH, 2005.
    Abstract: ST-Tool is a graphical tool integrating an agent-oriented requirements engineering methodology with tools for the formal analysis of models. Essentially, the tool allows designers to draw visual models representing functional, security and trust requirements of systems and, then, to verify formally and automatically their correctness and consistency through different model-checkers.
    @inproceedings{gior-mass-mylo-sien-zann-05-iTrust,
      author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Alberto Siena and Nicola Zannone},
      title = {{ST-Tool: A CASE Tool for Modeling and Analyzing Trust Requirements}},
      booktitle = ITRUST-05,
      series = LNCS,
      volume = {3477},
      pages = {415--419},
      publisher = SVG,
      year = {2005},
    }
    
  19. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures. In Proceedings of the 1st European PKI Workshop: Research and Applications (1st EuroPKI), LNCS 3093, pages 98-111. Springer-Verlag GmbH, 2004.
    Abstract: The last years have seen a major interest in designing and deploying trust management and public key infrastructures. Yet, it is still far from clear how one can pass from the organization and system requirements to the actual credentials and attribution of permissions in the PKI infrastructure. Our goal in this paper is filling this gap. We propose a formal framework for modeling and analyzing security and trust requirements, that extends the Tropos methodology for early requirements modeling. The key intuition that underlies our work is the identification of distinct roles for actors that manipulate resources, accomplish goals or execute tasks, and actors that own or permit usage of resources or goals. The paper also presents a simple case study and a PKI/trust management implementation.
    @inproceedings{gior-mass-mylo-zann-04-EuroPKI,
      author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Nicola Zannone},
      title = {{Filling the gap between Requirements Engineering and Public Key/Trust Management Infrastructures}},
      booktitle = EUROPKI-04,
      series = LNCS,
      volume = {3093},
      pages = {98--111},
      publisher = SVG,
      year = {2004},
    }
    
  20. F. Massacci and N. Zannone. Privacy is Linking Permission to Purpose. In Proceedings of the Twelfth International Workshop on Security Protocols, LNCS 3957, pages 179-191. Springer-Verlag GmbH, 2004.
    Abstract: The last years have seen a peak in privacy related research. The focus has been mostly on how to protect the individual from being tracked, with plenty of anonymizing solutions. We advocate another model that is closer to the "physical" world: we consider our privacy respected when our personal data is used for the purpose for which we gave it in the first place. Essentially, in any distributed authorization protocol, credentials should mention their purpose beside their powers. For this information to be meaningful we should link it to the functional requirements of the original application. We sketch how one can modify a requirements engineering methodology to incorporate security concerns so that we explicitly trace back the high-level goals for which a functionality has been delegated by a (human or software) agent to another one. Then one could directly derive purpose-based trust management solutions from the requirements.
    @inproceedings{mass-zann-04-IWSP,
      author = {Fabio Massacci and Nicola Zannone},
      title = {{Privacy is Linking Permission to Purpose}},
      booktitle = IWSP-04,
      series = LNCS,
      volume = {3957},
      pages = {179--191},
      publisher = SVG,
      year = {2004},
    }
    
  21. P. Giorgini, F. Massacci, J. Mylopoulos and N. Zannone. Requirements Engineering meets Trust Management: Model, Methodology, and Reasoning. In Proceedings of the Second International Conference on Trust Management (iTrust 2004), LNCS 2995, pages 176-190. Springer-Verlag GmbH, 2004.
    Abstract: The last years have seen a number of proposals to incorporate Security Engineering into mainstream Software Requirements Engineering. However, capturing trust and security requirements at an organizational level (as opposed to a design level) is still an open problem. This paper presents a formal framework for modeling and analyzing security and trust requirements. It extends the Tropos methodology, an agent-oriented software engineering methodology. The key intuition is that in modeling security and trust, we need to distinguish between the actors that manipulate resources, accomplish goals or execute tasks, and the actors that own the resources or the goals. To analyze an organization and its information systems, we proceed in two steps. First, we build a trust model, determining the trust relationships among actors; then we give a functional model, where we analyze the actual delegations against the trust model, checking whether an actor that offers a service is authorized to have it. The formal framework allows for the automatic verification of security and trust requirements by using a suitable delegation logic that can be mechanized within Datalog. To make the discussion more concrete, we illustrate the proposal with a Health Care case study.
    @inproceedings{gior-mass-mylo-zann-04-iTrust,
      author = {Paolo Giorgini and Fabio Massacci and John Mylopoulos and Nicola Zannone},
      title = {{Requirements Engineering meets Trust Management: Model, Methodology, and Reasoning}},
      booktitle = ITRUST-04,
      series = LNCS,
      volume = {2995},
      pages = {176--190},
      publisher = SVG,
      year = {2004},
    }
    
  22. C. Bodei, P. Degano, C. Priami and N. Zannone. An Enhanced CFA for Security Policies. In Proceedings of the Workshop on Issues on the Theory of Security (WITS'03), pages 131-145, 2003.
    Abstract: We introduce a Control Flow Analysis, improving the one in [6], that statically approximates the dynamic behaviour of mobile processes, expressed in (a variant of) the pi-calculus. Our analysis of a system is able to describe the behaviour of each sub-system, tracking where and between whom communications may occur. To identify each sub-system, we use a syntactic encoding of its position inside the abstract syntax tree. Furthermore, our analysis is general enough to safely approximate the behaviour of a system plugged in a larger and mainly unknown context, without explicitly analysing it. Quite a lot of possible properties fan out, among which some related to security policies.
    @inproceedings{bode-dega-pria-zann-03-WITS,
      author = {Chiara Bodei and Pierpaolo Degano and Corrado Priami and Nicola Zannone},
      title = {{An Enhanced CFA for Security Policies}},
      booktitle = WITS-03,
      pages = {131--145},
      year = {2003}
    }
    

National Conferences and Workshops

  1. V. Bryl, P. Mello, M. Montali, P. Torroni and N. Zannone. Extending Agent-oriented Requirements with Declarative Business Processes: a Computational Logic-based Approach. In Proceedings of the 22nd Convegno Italiano di Logica Computazionale (CILC'07), 2007.
    Abstract: The analysis of business requirements and the specification of business processes are fundamental for the development of information systems. The focus of this paper is on the combination of these two phases, that is, on linking the business goals and requirements to the business process model. To this end, we propose to extend the Tropos framework, which is used to model system and business requirements, with declarative business process-oriented constructs, inspired by the DecSerFlow and ConDec languages. We also show how the proposed framework can be mapped into SCIFF, a computational logic-based framework, for property and conformance verification.

    @inproceedings{bryl-mell-mont-torr-zann-07-CILC,
      author    = {Volha Bryl and Paola Mello and Marco Montali and Paolo Torroni and Nicola Zannone},
      title     = {{Extending Agent-oriented Requirements with Declarative Business Processes: a Computational Logic-based Approach}},
      booktitle = CILC-07,
      year      = {2007},
    }
    

PhD Thesis

  1. N. Zannone. A Requirements Engineering Methodology for Trust, Security, and Privacy. PhD Thesis. University of Trento, March 2007.
    Abstract: Security Requirements Engineering is emerging as a branch of Software Engineering, spurred by the realization that security must be dealt with early on during the requirements phase. This entails capturing security, privacy, and trust requirements at an organizational level, as opposed to an IT system level. Specifically, the development of secure and privacy-aware systems requires explicitly modeling the goals and trust relations of the stakeholders of the system, which will be partially implemented by the IT system and partially by organizational procedures. To this end, we propose Secure Tropos, an agent-oriented requirements engineering methodology tailored to model and analyze the security, privacy, and trust requirements of systems and the organizational setting where they operate. The Secure Tropos methodology adopts the SI* modeling language for the acquisition, modeling and analysis of requirements. This language proposes a set of concepts founded on the notions of permission, delegation, and trust. These concepts are formalized and are shown to support the requirements analysis process through a formal reasoning tool based on the Answer Set Programming paradigm. This allows designers to automatically verify the correctness of security, privacy, and trust requirements and their consistency with functional requirements.

    @phdthesis{zann-07-PhD,
     author = {Nicola Zannone},
     title = {{A Requirements Engineering Methodology for Trust, Security, and Privacy}},
     school = {University of Trento},
     month = {March},
     year = {2007},
    }
    
