Eliciting Security Requirements and Tracing them to Design: An Integration of Common Criteria, Heuristics, and UMLsec

Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams, and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 (Common Criteria) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the Common Criteria. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the Common Criteria and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design,which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the Common Criteria, the heuristic requirements editorHeRA, andUMLsec. SecReqmakes systematic use of the security engineering knowledge contained in the Common Criteria and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the Common Criteria, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experiencewithin SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.

Public-private partnerships and efficiency in public procurement of primary healthcare infrastructure: a qualitative research in the NHS UK

Aim There is growing interest in the contribution of public-private partnerships (PPPs) bridging the shortage of financial resources and management expertise in developing public healthcare infrastructure. However, few studies have evidenced PPPs’ ability in increasing efficiency in public procurement of primary healthcare infrastructure. The aim of this study was to assess to what extent PPPs would increase efficiency in public procurement of primary healthcare facilities. Subject and Methods A qualitative analysis, adopting a realistic research evaluation method, used data collected from a purposive sample of public (n=23) and private sector staff (n=2) directly involved in the UK National Health Service Local Improvement Finance Trust (LIFT). Results We find a positive association of LIFT helping to bridge public sector capital shortages for developing primary care surgeries. LIFT is negatively associated with inefficient procurement because it borrows finance from private banks, leaving public agencies paying high interest rates. The study shows that some contextual factors and mechanisms in LIFT play a major part in obstructing public staff from increasing procurement efficiency. Conclusion PPP’s ability to increase efficiency may be determined by contextual factors and mechanisms that restrict discretion over critical decisions by frontline public sector staff. Developing their capacity in monitoring PPP activities may make partnerships more efficient.