|Abstract|| Information systems (IS’s) support a multitude of functions vital to the modern society. IS’s carry an ever increasing volume of data and information, including personal pictures, health data or financial transactions. Continuously increasing rates of cyber-attacks have led to the subsequent need to rapidly develop secure IS. To develop secure IS’s, security goals need to be identified and fulfilled accordingly. Goal-oriented development fulfils the achievement of security goal by providing a methodology that enables security requirement elicitation throughout the entire development of an information system. This is achieved by considering every component of a system as an actor that is driven by goals that the actor strives to achieve. Nevertheless goal-oriented modeling has proven itself to be valid it maintains multiple shortcomings. The main disadvantage lays in the high granularity of the process making it complex very fast and subsequently raising the level of complexity of the overall process. Therefore a structured approach that would provide a step-by-step guide throughout the application of the process would be essential. Security patterns are proven to be reusable solutions that address recurring security problems which are commonly faced during the process of software development. In this master thesis we investigate the integration of a pattern based security requirement elicitation process in the goal-oriented IS development. By performing this integration we aim at providing a process that enables the elicitation of security requirements from Security Risk-aware Secure Tropos (RAST) models. RAST is a security goal-oriented modeling language that is applicable throughout the complete process of software development from early to late requirements, architecture, detailed design and final implementation.
The contribution of this thesis are five Security Risk-aware Patterns expressed using RAST. The thesis outlines the steps to be executed to apply the proposed security patterns. We validated our contribution by performing a case study that confirmed the overall usability of our proposed patterns and the pattern application process. Additionally the case study determined that the provided patterns can be used as a starting point for a faster and more efficient in identifying security requirements.