{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:46:24Z","timestamp":1767339984612},"reference-count":43,"publisher":"IGI Global","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2014,4]]},"abstract":"<jats:p>Goal and threat modelling are important activities of security requirements engineering: goals express why a system is needed, while threats motivate the need for security. Unfortunately, existing approaches mostly consider goals and threats separately, and thus neglect the mutual influence between them. In this paper, the authors address this deficiency by proposing an approach that extends goal modelling with threat modelling and analysis. The authors show that this effort is not trivial and that a trade-off between visual expressiveness, usability and usefulness has to be considered. Specifically, the authors integrate threat modelling with the socio-technical security modelling language (STS-ml), introduce automated analysis techniques that propagate threats in the combined models, and present tool support that enables reuse of threats facilitated by a threat repository. The authors illustrate their approach on a case study from the Air Traffic Management (ATM) domain, from which they extract some practical challenges. The authors conclude that threats provide a useful foundation and justification for the security requirements they derive from goal modelling, but that this should not be considered a replacement for risk assessment. Using goals and threats early in the development process raises awareness of high-level security issues that occur regardless of the chosen technology and organizational processes.<\/jats:p>","DOI":"10.4018\/ijsse.2014040101","type":"journal-article","created":{"date-parts":[[2014,9,2]],"date-time":"2014-09-02T13:06:38Z","timestamp":1409663198000},"page":"1-19","source":"Crossref","is-referenced-by-count":9,"title":["Threat Analysis in Goal-Oriented Security Requirements Modelling"],"prefix":"10.4018","volume":"5","author":[{"given":"Per H\u00e5kon","family":"Meland","sequence":"first","affiliation":[{"name":"SINTEF ICT, Trondheim, Norway"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Elda","family":"Paja","sequence":"additional","affiliation":[{"name":"Department of Information Engineering and Computer Science (DISI), University of Trento, Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Erlend Andreas","family":"Gj\u00e6re","sequence":"additional","affiliation":[{"name":"SINTEF ICT, Trondheim, Norway"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"St\u00e9phane","family":"Paul","sequence":"additional","affiliation":[{"name":"Critical Embedded Systems Laboratory, Information Science and Technology Research Group, Thales Research and Technology, Palaiseau, France"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fabiano","family":"Dalpiaz","sequence":"additional","affiliation":[{"name":"Department of Information and Computing Sciences, Buys Ballot Laboratory, Utrecht University, Utrecht, The Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Paolo","family":"Giorgini","sequence":"additional","affiliation":[{"name":"Department of Information Engineering and Computer Science (DISI), University of Trento, Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"2432","reference":[{"key":"ijsse.2014040101-0","unstructured":"Aniketos. (2013). Deliverable 1.4 Final version of the socio-technical security modelling language tool. Retrieved from http:\/\/www.aniketos.eu\/content\/deliverables"},{"key":"ijsse.2014040101-1","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-010-0112-x"},{"key":"ijsse.2014040101-2","doi-asserted-by":"publisher","DOI":"10.1007\/3-540-45341-5_8"},{"key":"ijsse.2014040101-3","first-page":"363","article-title":"On non-functional requirements in software engineering","author":"L.Chung","year":"2009","journal-title":"Conceptual modeling: Foundations and applications"},{"key":"ijsse.2014040101-4","unstructured":"Committee on National Security Systems (CNSS). (2010). National, information assurance (IA) glossary, Instruction No. 4009. Retrieved from http:\/\/www.cnss.gov\/Assets\/pdf\/cnssi_4009.pdf"},{"key":"ijsse.2014040101-5","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-011-0132-1"},{"key":"ijsse.2014040101-6"},{"key":"ijsse.2014040101-7","doi-asserted-by":"publisher","DOI":"10.1016\/0167-6423(93)90021-G"},{"key":"ijsse.2014040101-8","author":"G.Elahi","year":"2007","journal-title":"A goal oriented approach for modeling and analyzing security tradeoffs"},{"key":"ijsse.2014040101-9","unstructured":"Eurocontrol (Producer). (2013, April 15th). System wide information management (SWIM). Retrieved from http:\/\/www.eurocontrol.int\/services\/system-wide-information-management-swim"},{"key":"ijsse.2014040101-10","unstructured":"French Network and Information Security Agency. (Producer). (2010). EBIOS - Expression des Besoins et Identification des Objectifs de S\u00e9curit\u00e9. Retrieved from http:\/\/www.ssi.gouv.fr\/site_article45.html"},{"key":"ijsse.2014040101-11","doi-asserted-by":"crossref","unstructured":"Giorgini, P., Massacci, F., Mylopoulos, J., & Zannone, N. (2005, August 29-September 2). Modeling security requirements through ownership, permission and delegation. In Proceedings. 13th IEEE International Conference on Requirements Engineering.","DOI":"10.1109\/RE.2005.43"},{"key":"ijsse.2014040101-12","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-19751-2_6"},{"key":"ijsse.2014040101-13","doi-asserted-by":"publisher","DOI":"10.1007\/BF03037383"},{"key":"ijsse.2014040101-14","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE.2004.1317437"},{"key":"ijsse.2014040101-15","doi-asserted-by":"publisher","DOI":"10.1109\/ICRE.2003.1232746"},{"key":"ijsse.2014040101-16"},{"key":"ijsse.2014040101-17"},{"key":"ijsse.2014040101-18","doi-asserted-by":"crossref","unstructured":"Meland, P. H., & Gj\u00e6re, E. A. (2012). Representing threats in BPMN 2.0. Paper presented at the Seventh International Conference on Availability, Reliability and Security (ARES).","DOI":"10.1109\/ARES.2012.13"},{"key":"ijsse.2014040101-19"},{"key":"ijsse.2014040101-20","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-11747-3_9"},{"key":"ijsse.2014040101-21","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2009.67"},{"key":"ijsse.2014040101-22","doi-asserted-by":"publisher","DOI":"10.1142\/S0218194007003240"},{"key":"ijsse.2014040101-23","article-title":"A natural extension of tropos methodology for modelling security.","author":"H.Mouratidis","year":"2002","journal-title":"Proceedings of the Agent Oriented Methodologies Workshop (OOPSLA 2002)"},{"key":"ijsse.2014040101-24","article-title":"Threat modeling as a basis for security requirements.","author":"S.Myagmar","year":"2005","journal-title":"Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS)"},{"key":"ijsse.2014040101-25","unstructured":"National Institute of Standards and Technology (Producer). (2012). Information security, Guide for conducting risk assessments, Special Publication (SP) 800-30, revision 1. Retrieved from http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-30-rev1\/sp800_30_r1.pdf"},{"key":"ijsse.2014040101-26","unstructured":"Oladimeji, E., Supakkul, S., & Chung, L. (2006). Security threat modeling and analysis: A goal-oriented approach."},{"key":"ijsse.2014040101-27"},{"key":"ijsse.2014040101-28","doi-asserted-by":"publisher","DOI":"10.1109\/EDOC.2009.22"},{"issue":"3","key":"ijsse.2014040101-29","first-page":"23","article-title":"Integrating threat modeling in secure agent-oriented software development.","volume":"2","author":"D. M.Rojas","year":"2011","journal-title":"Int. J. Softw. Eng"},{"key":"ijsse.2014040101-30"},{"key":"ijsse.2014040101-31","author":"B.Schneier","year":"1999","journal-title":"Attack trees: Modeling security threats"},{"key":"ijsse.2014040101-32","unstructured":"Shostack, A. (2008). Experiences threat modeling at Microsoft. Paper presented at the Modeling Security Workshop, in Association with MODELS '08."},{"key":"ijsse.2014040101-33","article-title":"A reuse-based approach to determining security requirements.","author":"G.Sindre","year":"2003","journal-title":"Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03)"},{"key":"ijsse.2014040101-34"},{"key":"ijsse.2014040101-35","doi-asserted-by":"publisher","DOI":"10.1145\/2209249.2209268"},{"key":"ijsse.2014040101-36","author":"G.Stoneburner","year":"2002","journal-title":"SP 800-30. Risk management guide for information technology systems"},{"key":"ijsse.2014040101-37","doi-asserted-by":"crossref","unstructured":"Tracz, W. (1988). Software reuse myths. SIGSOFT Softw. Eng. Notes, 13(1), 17\u201321 http:\/\/doi.acm.org\/10.1145\/43857.43859","DOI":"10.1145\/43857.43859"},{"key":"ijsse.2014040101-38","doi-asserted-by":"publisher","DOI":"10.4018\/jsse.2012010101"},{"key":"ijsse.2014040101-39","first-page":"249","article-title":"Goal-oriented requirements engineering: A guided tour.","author":"A.van Lamsweerde","year":"2001","journal-title":"Proceedings of the Fifth IEEE International Symposium on Requirements Engineering"},{"key":"ijsse.2014040101-40","unstructured":"Yu, E., & Mylopoulos, J. (1998). Why goal-oriented requirements engineering. Paper presented at the Fourth International Workshop on Requirements Engineering: Foundation for Software Quality."},{"key":"ijsse.2014040101-41","author":"E. S.-K.Yu","year":"1996","journal-title":"Modelling strategic relationships for process reengineering"},{"key":"ijsse.2014040101-42","doi-asserted-by":"publisher","DOI":"10.1145\/237432.237434"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=113724","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2018,11,21]],"date-time":"2018-11-21T02:39:15Z","timestamp":1542767955000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/ijsse.2014040101"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2014,4]]},"references-count":43,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.4018\/ijsse.2014040101","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2014,4]]}}}