More On Adding Threat During Software Requirements Elicitation and Prioritization
Abstract: There are two methods used to translate customer requirements into a software specification. The first is Quality Function Deployment (QFD), and the second approach to identifying the software specification comes from software engineering. Software requirements stipulate what must be accomplished, transformed, produced or provided. It is well documented that requirements engineering saves money. In this paper we have used the Web Surveys approach to elicit the software requirements for a railway project. We have also added threat during software requirements elicitation and prioritization.

Index Terms: Software, QFP, Elicitation, and Prioritization of Software Requirements.
Mohd. Sadiq is with the Jamia Millia Islamia (A Central University), New Delhi-25, India. (Phone: 09891667600; email: [email protected]) Javed Ahmad, Guest Lecturer in Computer Engineering, is with the Jamia Millia Islamia (A Central University), New Delhi-25, India. (Phone: 09891667600; email: [email protected]) Abdul Rahman, R. Suman and Shweta Khandelwal are M.Tech. scholars with the Department of Computer Science Engineering, AFSET, Dhauj, Faridabad, Haryana, India. (Phone: +91 9313569986; email: [email protected], [email protected], [email protected])

I. INTRODUCTION

The most comprehensive study of QFD usage was performed in Japan in 1986 by the quality research section of the Japan Quality Control Association [3, 25]. AHP was developed by Thomas Saaty and applied to software engineering by Joachim Karlsson and Kevin Ryan in 1997 [11, 20]. AHP is a method for decision making in situations where multiple objectives are present. This method uses a pair-wise comparison matrix to calculate the relative value and costs of security requirements. By using AHP, the requirements engineer can also confirm the consistency of the result. AHP can prevent subjective judgment errors and increase the likelihood that the results are reliable.

In the literature there are several elicitation techniques for software requirements, such as:
1) Soft Systems Methodology
2) Quality Function Deployment
3) Issue-Based Information Systems (IBIS)
4) Joint Application Development (JAD)
5) Accelerated Requirements Method
6) Rapid Application Development
7) Ontology Framework (ONT)
8) Misuse case
9) Web-Surveys

We discuss only a few of these techniques; for a detailed description of the remaining techniques please refer to [2, 18, 21].

1.1 Misuse Cases: Misuse cases apply the concept of a negative scenario (that is, a situation that the system's owner does not want to occur) in a use-case context. For example, business leaders, military planners, and game players are familiar with analyzing their opponents' best moves as identifiable threats. Misuse cases are also known as abuse cases. A deeper discussion of abuse cases as an approach for identifying security requirements can be found in [10, 13]. One significant characteristic of misuse cases is that they seem to lead to quality requirements, such as those for safety and security, whereas other elicitation methods are focused on end-user requirements, so their effectiveness in the identification of security requirements is unknown. Use cases describe system behavior in terms of functional (end-user) requirements. Interplay between misuse cases and use cases could improve the efficiency of eliciting all requirements in a system engineering life cycle. Misuse cases and use cases may be developed from system to subsystem levels, and lower as necessary. Lower level cases may draw attention to underlying problems not considered at higher levels and may compel system engineers to reanalyze the system design. Misuse cases are not a top-down method, but they provide opportunities to investigate and validate the security requirements necessary to accomplish the system's mission. Davis classifies the requirements as (i) Functional requirements, (ii) Non-Functional requirements, (iii) Performance/Reliability, (iv) Interfaces, (v) Design Constraint.

1.2 JAD: A number of requirement elicitation techniques have been developed to extract requirements from a user. JAD is a method where a software development team and clients all come together in workshop environments.
It is used not only to create ideas for a new system but also to raise issues for the software development team [1]. The goal of JAD (Joint Application Development) is to involve all stakeholders in the design phase of the product via highly structured and focused meetings. Typical participants in the session include a facilitator, end users of the product, main developers, and observers. In the preliminary phases of JAD, the requirements-engineering team is tasked with fact finding and information gathering. Typically, the outputs of this phase, as applied to security requirements elicitation, are security goals and artifacts. The actual JAD session is then used to validate this information by establishing an agreed-on set of security requirements for the product. JAD has advantages, but it also has disadvantages. An important disadvantage of JAD is that if there are too many JAD sessions while the project is progressing, users may develop a feeling that the developers are shifting their work and responsibility onto the users.

IACSIT International Journal of Engineering and Technology, Vol.2, No.3, June 2010 ISSN: 1793-8236

1.3 RAD: Rapid Application Development (RAD) is a technique that is used to create the screens while the developers and client discuss the various fields and buttons that are needed. Like use case models, RAD adds visual clarity to scenarios and dialogue structure [21].

1.4 Ontology Framework: Researchers in the requirements engineering community have been studying and developing a number of ontology-based approaches in order to elicit system requirements unambiguously and correctly. In the multiple ontology framework there are four types of ontology: (i) top level ontology, (ii) domain ontology, (iii) task ontology, (iv) application ontology [14].

1.5 Web Surveys: Surveys represent one of the most common types of quantitative social sciences research. A web-survey tool for software requirements elicitation solves the shortfalls of paper surveys. One of the most common shortfalls is unanswered questions, which leave the desired information missing. The web-survey tool solves this by not allowing the user to proceed to the next question until the previous one is answered. Invalid answers are also prevented by the tool interface [26].

Elicitation is all about determining the needs of stakeholders and learning, uncovering, extracting and/or discovering the needs of the users and other potential stakeholders [14]. Requirement elicitation is recognized as one of the most critical knowledge-intensive activities in the development of software. The analysis of a secure software system is based on the system requirements elicited in the form of use cases and misuse cases. Use cases have proven helpful for the elicitation of, communication about, and documentation of the functional requirements.
The integral development of use and misuse cases [8, 10] provides a systematic way to elicit both the functional and non-functional requirements [13]. Using an elicitation method can help in producing a consistent and complete set of security requirements. However, brainstorming and elicitation methods used for ordinary functional (end-user) requirements usually are not oriented toward security requirements and do not result in a consistent and complete set of security requirements. The resulting system is likely to have fewer security exposures when security requirements are elicited in a systematic way.

The paper is organized as follows: Section 2 contains the background and related work. In Section 3 we use the framework proposed by [27]; in Section 4 the experimental work is carried out; and finally we conclude the paper in Section 5.

II. BACKGROUND AND RELATED WORK

D. Firesmith [6] has worked on prioritization dimensions, prioritization approaches, prioritization techniques and processes. That paper does not explain how the software requirements are to be prioritized mathematically; it only gives a list of prioritization techniques.
In [5] C. Kuloor and A. Eberlein have explained requirements engineering for software product lines. It covers a limited number of elicitation techniques and does not include the ontology framework, misuse cases, rapid application development, etc. In [12] J. Karlsson, C. Wohlin and B. Regnell have evaluated six different methods for prioritizing software requirements. In [1] the authors have provided different elicitation techniques and criteria for their selection. In [15] the authors have proposed a framework to elicit and prioritize software requirements using AHP and QFD [16, 17, 22], but this framework does not rank the requirements by the relative level of threat.

In [23] the authors have presented an approach for requirements prioritization using a B tree. In that paper the authors mention that AHP is the most promising method, although it may be problematic to scale up, and they also discuss that AHP is not useful for projects that have a large number of requirements. They have included AHP, Hierarchical AHP, spanning tree matrix, bubble sort, binary search tree, priority groups, and B tree in the same category. But without any data we cannot prioritize anything. AHP is a technique used to find the importance weight of the requirements; after applying AHP to the given set of requirements, we can use spanning tree matrix, bubble sort, binary search tree, priority groups, and B tree. This means the given approaches have to be divided into 2 groups: the first group contains only AHP and Hierarchical AHP, and the second contains the spanning tree matrix, bubble sort, binary search tree, priority groups, and B tree.

In [27] the authors have proposed a framework that elicits the software requirements and also prioritizes them. The proposed framework also ranks the requirements by the relative level of threat associated with each requirement.
In this paper we have extended the work of [27].

III. ELICITATION TECHNIQUE

In this section we use the elicitation and prioritization framework proposed by [27], which ranks the requirements by the relative level of threat associated with each requirement.

1) Elicit the software requirements with the help of the following:
   1.1) Collect information about user expectations.
   1.2) Train the clients, users and managers.
   1.3) Write the description of the user need for the proposed system.
   1.4) Apply misuse cases, JAD, RAD, or the ontology framework.
2) In this framework we use the AHP technique for prioritization. To use AHP, create the overall performance matrix, then calculate the eigenvector (importance weight).
3) Find out the risk associated with each requirement.
4) Compare the values of the importance weight of the software requirements with step 3 and then rank or prioritize the requirements.
(Adopted from [27])

IV. EXPERIMENTAL WORK

Software requirements elicitation is an early and critical but highly error-prone phase in software development. The purpose of surveys in requirements elicitation is to gather a significant amount of data about the software product at the very beginning of the development process. A survey inquires about the business objectives of the product and its expected usage, and shows scope limitations, purposes and success criteria. There are several disadvantages in conducting paper surveys, like skipping questions, giving more answers than required and answering questions that are not asked. Some other disadvantages of paper surveys, like difficult handwriting, also influence the validity of the final result. The web tool runs in browsers without any additional plug-ins installed.

In this paper we have elicited the software requirements for a railway project. These requirements are:
(R1) The platform should increase the predictability of train arrivals;
(R2) The platform should provide info on the evolution of transportation conditions;
(R3) The platform should ensure safety of transports;
(R4) Steps to find out the minimum transportation cost;
(R5) The platform should reduce load times;
(R6) Non-stop accessibility;
(R7) Information presented in an easy to understand format;
(R8) The platform should reduce transportation costs.

Consider the following overall performance matrix (OPM), which is derived from the customer needs statement for the railway project.
TABLE-1 (OPM)

C         R1    R2    R3    R4    R5    R6    R7    R8
R1  PA    1     1/5   1/3   1/7   3     3     1/5
R2  AC    5     1     1/5   1/9   3     3     1/3
R3  EA    3     5     1     1/7   3     3     3
R4  FA    7     9     7     1     9     1/5   1/3
R5  GI    1/3   1/3   1/3   1/9   1     5     3
R6  RI    1/3   1/3   1/3   5     1/5   1     3
R7  PW    5     3     1/3   3     1/3   1/3   1
R8  NI    3     5     1/5   1/5   5     1/5   1/5
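An added example (not code from the paper) of steps 2 to 4 of the framework: it computes the AHP importance weights and Saaty's consistency ratio for TABLE-1 by power iteration, then ranks the requirements by threat. Assumptions: the R8 column, absent from the page, is filled by the AHP reciprocity rule a_ji = 1/a_ij, and the risk-exposure values and the weight-times-risk score are constructed for illustration, since the page gives neither.

```python
from fractions import Fraction as F

# Saaty's random consistency index (RI) by matrix order n.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Lower triangle of TABLE-1 (row Ri judged against R1..R(i-1)), as printed.
# The R8 column is absent from the page; reciprocity (a_ji = 1/a_ij) fills it.
OPM_LOWER = [
    [],
    [5],
    [3, 5],
    [7, 9, 7],
    [F(1, 3), F(1, 3), F(1, 3), F(1, 9)],
    [F(1, 3), F(1, 3), F(1, 3), 5, F(1, 5)],
    [5, 3, F(1, 3), 3, F(1, 3), F(1, 3)],
    [3, 5, F(1, 5), F(1, 5), 5, F(1, 5), F(1, 5)],
]


def reciprocal_matrix(lower):
    """Expand lower-triangle judgments into a full positive reciprocal matrix."""
    n = len(lower)
    a = [[1.0] * n for _ in range(n)]
    for i, row in enumerate(lower):
        if len(row) != i:
            raise ValueError(f"row {i + 1} needs {i} judgments, got {len(row)}")
        for j, v in enumerate(row):
            if v <= 0:
                raise ValueError("pairwise judgments must be positive")
            a[i][j] = float(v)
            a[j][i] = 1.0 / float(v)
    return a


def ahp(a, tol=1e-12, max_iter=10000):
    """Return (weights, lambda_max, consistency_ratio) via power iteration."""
    n = len(a)
    w = [1.0 / n] * n
    lam = float(n)
    for _ in range(max_iter):
        aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
        lam = sum(aw)              # w sums to 1, so sum(A w) estimates lambda_max
        nxt = [x / lam for x in aw]
        converged = max(abs(x - y) for x, y in zip(nxt, w)) < tol
        w = nxt
        if converged:
            break
    ci = (lam - n) / (n - 1) if n > 1 else 0.0   # consistency index
    ri = RANDOM_INDEX[n]                         # table covers n <= 10
    return w, lam, (ci / ri if ri else 0.0)


def rank_by_threat(weights, risk_exposure):
    """Order requirement indices by weight * risk exposure, highest first.

    Assumption: the page does not define how weight and risk are combined.
    """
    if len(weights) != len(risk_exposure):
        raise ValueError("one risk value is needed per requirement")
    score = [w * r for w, r in zip(weights, risk_exposure)]
    return sorted(range(len(score)), key=lambda i: score[i], reverse=True)


if __name__ == "__main__":
    weights, lam, cr = ahp(reciprocal_matrix(OPM_LOWER))
    # Constructed risk-exposure values for R1..R8 (not from the paper).
    constructed_re = [0.2, 0.1, 0.9, 0.4, 0.3, 0.6, 0.1, 0.5]
    for i, w in enumerate(weights, 1):
        print(f"R{i}: weight={w:.4f}")
    print(f"lambda_max={lam:.3f}  CR={cr:.3f}  (Saaty: revisit judgments if CR > 0.10)")
    print("threat-ranked:", [f"R{i + 1}" for i in rank_by_threat(weights, constructed_re)])
```

With the judgments in TABLE-1 the consistency ratio comes out above Saaty's 0.10 threshold, which is the consistency check the introduction attributes to AHP.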
According to Figure-1, the three most valuable requirements are SR-3, SR-4 and SR-7. The three least valuable requirements are SR-1, SR-2, and SR-5. Figure-1 and Figure-2 show the value distribution and cost distribution of the requirements, respectively.
[Figure-1: Value distribution of requirements. X axis: requirements identifier (SR-1 to SR-8); Y axis: added value.]
Figure-2 shows that requirements SR-2, SR-5, and SR-8 are the three most expensive, and the three least expensive requirements are SR-1, SR-3 and SR-6.
[Figure-2: Cost distribution of the requirements. X axis: requirements identifier (SR-1 to SR-8).]
After applying AHP we obtained the importance (I) weights, which are summarized in table-6.
TABLE-2

Category     1        2
I. Weight    0.0569   0.0674
From Figure-1 and Figure-2 we conclude, in terms of cost-value ratio distribution, that SR-1, SR-3, SR-4 and SR-6 are identified as high priority and SR-2, SR-5 and SR-8 are identified as low priority. In our study we have computed the value of the RE for each requirement.

V. CONCLUSION

In this paper we have used the framework proposed by [27] to elicit and prioritize the software requirements. We have shown that AHP is used only to evaluate the importance weight of the requirements, not to prioritize them; after this we apply the existing prioritizing techniques. This paper is an extension of the work that has been accepted for publication in [28].

ACKNOWLEDGEMENTS: The authors would like to thank Mr. Iqbal Azam, Principal, University Polytechnic, Faculty of Engineering and Technology, Jamia Millia Islamia (A Central University), New Delhi-25, India; and Mr. Jawad Ahmad Siddiqui, Chairman, AL-Falah School of Engineering and Technology, Dhauj, Faridabad, Haryana, India, for their valuable support, guidance and encouragement.

REFERENCES
[1] A.M. Hickey, A.M. Davis, Elicitation Technique Selection: How Do Experts Do It? Proceedings of the 11th IEEE International Requirements Engineering Conference, 2003.
[2] Ann M. Hickey, Alan M. Davis, Requirements Elicitation and Elicitation Technique Selection: A Model for Two Knowledge-Intensive Software Development Processes, Proceedings of the 36th IEEE International Conference on System Sciences, 2002.
[3] Beichter F. et al, SLAN-4-A Software Specification and Design Language, IEEE Transaction on Software Engineering, SE-10, 2, 1994, pp. 155-162.
[4] Bruce White, QFD for Small Business, Transaction from the 18 Symposium on QFD, 2006.
[5] C. Kuloor, Armin Eberlein, Requirements Engineering for Software Product Lines, The University of Calgary, Canada.
[6] D. Firesmith, Prioritizing Requirements, Journal of Object Technology, Volume 3, No. 8, September 2004.
[7] Daya Gupta, Mohd Sadiq, Software Risk Assessment and Estimation Model, International Conference on Computer Science and Information Technology, IEEE Computer Society, Singapore, 2008, pp. 963-967.
[8] Gunnar Peterson, John Steven, Defining Misuse within the Development Process, IEEE Security and Privacy, 2006.
[9] http://en.wikipedia.org/wiki/Analytic_Hierarchy_Process
[10] Ian Alexander, Misuse Cases Help to Elicit Non-functional Requirements, Computing and Control Engineering, 2003.
[11] J. Karlsson, Software Requirements Prioritizing, Proceedings of the International Conference on Requirement Engineering, 1996.
[12] J. Karlsson, C. Wohlin, B. Regnell, An Evaluation of Methods for Prioritizing Software Requirements, Elsevier Journal of Information and Software Technology, 1998, pp. 939-947.
[13] J.J. Pauli, D. Xu, Misuse Case-Based Design and Analysis of Secure Software Architecture, Proceedings of the IEEE International Conference on Information Technology: Coding and Computing (ITCC05), 2005.
[14] LI Zong-yong, WANG Zhi-xue, YANG-ying, WU Yue, LIU Ying, Towards Multiple Ontology Framework for Requirements Elicitation and Reuse, 31st IEEE Annual International Computer Software and Application Conference, 2007.
[15] Mohd. Sadiq, Mohd. Shahid, Elicitation and Prioritization of Software Requirements, International Journal of Recent Trends in Engineering, Finland, 2009.
[16] Mohd. Sadiq, Shabina Ghafir, Mohd. Shahid, An Approach for Eliciting Software Requirements and its Prioritization using Analytic Hierarchy Process, IEEE International Conference on Advances in Recent Technologies in Communication and Computing, 2009, ACEEE annual world congress on Engineering and Technology, Kerala, India.
[17] Mohd. Sadiq, Shabina Ghafir, Mohd. Shahid, A Framework to Prioritize the Software Requirements using Quality Function Deployment, National Conference on Recent Development in Computing and its Application, 2009, organized by Jamia Hamdard, Delhi, India.
[18] Nancy R. Mead, Requirements Elicitation Introduction, Software Engineering Institute, Carnegie Mellon University, 2008-2009.
[19] P. Rajagopal, R. Lee, Thomas Ahlswede, Chia-Chu Chiang, D. Karolak, A New Approach for Software Requirements Elicitation, Proceedings of the 6th IEEE International Conference on Software Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing, 2005.
[20] T. L. Saaty, The Analytic Hierarchy Process, New York, McGraw-Hill, 1980.
[21] W.R. Friedrich, J. A. Van der Poll, Towards a Methodology to Elicit Tacit Domain Knowledge from Users, Interdisciplinary Journal of Information, Knowledge, and Management, Volume 2, 2007.
[22] Xiaoqing Frank Liu, Software Quality Development, IEEE Potentials, 2008.
[23] Md. Rizwan Beg, Qamar Abbas, Ravi Prakash Verma, An Approach for Requirements Prioritization using B-Tree, IEEE First International Conference on Emerging Trends in Engineering and Technology, 2008.
[24] Nancy R. Mead, Dan Shoemaker, Jeffrey Ingalsbe, Ensuring Cost Efficient and Secure Software through Student Case Studies in Risk and Requirements Prioritization, IEEE Proceedings of the 42 Hawaii International Conference on System Sciences, 2009.
[25] John J. Cristiano, J.K. Liker, C. C. White, Key Factors in the Successful Application of Quality Function Deployment (QFD), IEEE Transaction on Engineering Management, Vol. 48, No. 1, February 2001.
[26] Hrvoje Belani, K. Prepuzic and K. Kobas, Implementing Web-Surveys for Software Requirements Elicitation, 8th International Conference on Telecommunication, Contel2005.
[27] Mohd. Sadiq, Mohd. Shahid, Shabbir Ahmed, Adding Threat during Software Requirements Elicitation and Prioritization, International Journal of Futuristic Computer Application, Duke University, USA.
[28] Mohd. Sadiq, Jawed Ahmad, Mohammad Asim, Aslam Qureshi, R. Suman, More on Elicitation of Software Requirements and Prioritization using AHP, IEEE International Conference on Data Storage and Data Engineering (DSDE 2010), Bangalore, India. (Accepted for Publication)
Mohd. Sadiq was born at Bakewar, district Etawah, U.P., India, on 20 March, 1980. He did his Master of Technology in Computer Science and Engineering with specialization in Software Engineering from Aligarh Muslim University (AMU), Aligarh, U.P., India, in 2005 and his Bachelor of Engineering in Computer Science and Engineering from AL-Falah School of Engineering and Technology, Dhauj, Faridabad, Haryana, affiliated to Maharshi Dayanand University, Rohtak, Haryana, in 2001 with first position in second year. He has more than 5 years of teaching experience and is currently working as an Assistant Professor of Computer Engineering in the Section of Computer Engineering, University Polytechnic, Faculty of Engineering and Technology, Jamia Millia Islamia (A Central University), New Delhi, India. He has published more than 20 research papers in international and national journals like International Journal of Recent Trends in Engineering, Finland and International Journal of Futuristic Computer Application, Duke University, USA; and in international and national conferences like IEEE international conferences at Singapore, Thailand, Kerala (India), and Bangalore (India). His research interests include Software Engineering, Data Structures and Algorithms. Mr. Sadiq is a member of the International Association of Engineers (IAENG), England, the International Association of Computer Science and Information Technology (IACSIT), Singapore, and the Computer Science Teachers Association (CSTA), USA. Mr. Sadiq is a Member of the Editorial Review Board of the Journal for Computing Teachers (JCT), Buffalo State College, New York, U.S.A., and also a Member of the Editorial Review Board of the Journal of Internet and Information System, Victoria Island, Lagos, Nigeria. Mr. Sadiq has also chaired a session of the IEEE International Conference on Advances in Recent Technologies in Communication and Computing, 2009, Kerala, India.
Javed Ahmad was born at Sultanpur on December 23, 1985. He did his B.Tech. in Computer Science and Engineering from Shobhit Institute of Engg. & Technology, Meerut, affiliated to U.P. Technical University, Lucknow, U.P., India, in 2008. Currently he is pursuing an M.Tech. (Part Time) in Computer Science from Jamia Hamdard (Hamdard University), New Delhi, India. He is working as Guest Lecturer in Computer Engineering in the Section of Computer Engineering, University Polytechnic, Faculty of Engineering and Millia Islamia (A Central University), New
Abdul Rahman was born at Jhansi on December 26, 1979. He did his B.Tech. in Computer Science and Engineering from G.L.A.I.T.M Mathura, affiliated to U.P. Technical University, Lucknow, U.P., India, in 2005. Currently he is pursuing an M.Tech. in Computer Engineering from AL-Falah School of Engineering and Technology (AFSET), affiliated to Maharshi Dayanand University, Rohtak, Haryana, India. Before joining the full-time M.Tech. at AFSET he worked as a programmer at Cancer Hospital & Research Institute, Gwalior and Reliance Communication, Bhopal, M.P. He has published several research papers in international and national conferences and journals. Mr. Rahman has delivered a seminar on the Rural Development program on Knowledge of Software organized in Lingayas Institute of Technology and Management, Faridabad, Haryana, India. Mr. Rahman was a member of the organizing committee of National Conference-2008 in Lingayas Institute of Technology and Management, Faridabad, Haryana, India.
Suman Aggarwal was born on 4 February, 1985. She did her B.Tech. in Information Technology from S.I.T.M. College, Rewari, affiliated to M.D. University, Rohtak, Haryana, in 2007. Currently she is pursuing an M.Tech. in Computer Science and Engineering from AL-Falah School of Engineering and Technology, Faridabad, Haryana, affiliated to M.D. University, Rohtak, India. She has more than 2 years of teaching experience. She has been working in GSMVNIET, Palwal (Aurangabad) as a lecturer in the Department of CS/IT since 1st Sept. 2008. She has published research papers in IEEE international conferences at Singapore and Bangalore.

Shweta Khandelwal was born on 20 November, 1982. She did her B.Tech. in Computer Science and Engineering from AL-Falah School of Engineering and Technology, Dhauj, Faridabad, in 2005, affiliated to M.D. University, Rohtak, Haryana. Currently she is pursuing an M.Tech. in Computer Science and Engineering from AL-Falah School of Engineering and Technology, Faridabad, Haryana, affiliated to M.D. University, Rohtak, India. She has more than 3 years of teaching experience. She has been working in GSMVNIET, Palwal (Aurangabad) as Assistant Professor in the Department of Computer Science since 8th Feb 2010.