Eliciting Security Requirements and Tracing them to Design: An Integration of Common Criteria, Heuristics, and UMLsec

Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams, and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 (Common Criteria) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the Common Criteria. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the Common Criteria and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design,which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the Common Criteria, the heuristic requirements editorHeRA, andUMLsec. SecReqmakes systematic use of the security engineering knowledge contained in the Common Criteria and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the Common Criteria, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experiencewithin SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.

Kids just wanna have fun: Children's experiences of a weight management programme

Objectives: To explore children's accounts of their experiences of the UK‘s largest childhood obesity programme, MEND (Mind, Exercise, Nutrition…Do it!) (See www.mendprogramme.org). Design: Semi-structured interviews were conducted with children who had completed the MEND obesity programme. Interviews were transcribed verbatim and analysed using Interpretative Phenomenological Analysis (IPA). Method Fourteen children spanning diverse areas of London comprised this study (eight male, six female), aged between 11 and 14 years and in secondary school. Participants were interviewed a year after completing one of the London-based MEND obesity programmes. Results: This article focuses on the most common and striking theme to emerge from the original dataset (The complete analysis may be found in L. Watson, Unpublished doctoral thesis): Fun. Subthemes were: ‘going with the flow’; active participation in activities that led to new experiences (‘actually doing it’ – seeing the fun side); the importance of others in the experience of fun (‘you do games in unity’ – ‘it's not as fun on your own’). Conclusion: Children have fun when engaged in interactive and varied activities with opportunity for individual feedback and improvement. When designing childhood obesity programmes, conditions that optimise children's experience of fun should be emphasised over didactic and risk-heavy information pertaining to childhood obesity.