Specifying security goals of component based systems: An end-user perspective

This paper treats security from a software engineering point of view. Security issues of software components are usually handled at the two levels of development abstractions: by the security experts during the component design, and by the software engineers during the composition of an application system. Security experts identify the threats of the component, define the security policies and functions. On the other hand, the software engineers are more interested in the compositional impact and conformity of the security properties designed and implemented by the security experts. This paper identifies a third level of abstraction: security from the end-users' perspective. This paper argues that the end-users of the system should know the specific security objectives actually achieved at the system-level. This paper makes the following three specific contributions in this regard: (i) a need for a separate view of security at the end-user level; (ii) the formulation of security goals; (iii) the derivation of security goals for automatic processing.