Security Satisfaction Arguments in Compendium

Satisfaction arguments need to be constructed when analyzing the security needs of a system. One begins by representing the system using Jackson's problem frames [18], adds security requirements in the form of constraints [22], and then attempts to argue that the system satisfies the security requirements. These arguments are the satisfaction arguments. In most cases, an initial argument will not be sufficiently convincing for one or more reasons:

1. The argument depends on properties of the system that are not currently known

2. The behavior of domains (the actors/components in the system) is not sufficiently understood

3. Domains required to satisfy the security requirements are not included in the system

To address the first two cases, the analyst might choose to go deeper into the system with the goal of better understanding the behavior and properties of the domains in the system. Unfortunately, this process can go on for a long time and, in the end, be inconclusive. At some point the analyst will decide to trust that the stated behavior and properties are as described. These decisions are called trust assumptions [15], and become an integral part of the satisfaction argument.
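As an added illustration (not code from the paper or from Compendium), the following checker treats a satisfaction argument as a set of rules whose leaf premises must be accepted domain properties; any premise left unsupported is a gap of the first two kinds above, and recording a trust assumption closes it. All claim text, the rule structure and the function names are constructed for this example.

```python
# Added example, not from the paper: a tiny checker for satisfaction arguments.
# Rules are Horn-style: a claim holds if every premise listed for it holds.
# Leaf premises that are neither accepted domain properties nor trust
# assumptions are the gaps that leave the argument unconvincing.

def argument_gaps(claim, rules, accepted, seen=frozenset()):
    """Return the leaf premises needed for `claim` that nothing supports."""
    if claim in accepted:
        return set()
    if claim in seen or claim not in rules:
        return {claim}  # no rule argues for it, or the argument is circular
    gaps = set()
    for premise in rules[claim]:
        gaps |= argument_gaps(premise, rules, accepted, seen | {claim})
    return gaps

REQUIREMENT = "HR data is displayed only to HR staff"

# Constructed argument for a hypothetical HR display system.
RULES = {
    REQUIREMENT: [
        "the display shows HR data only within an authenticated session",
        "authenticated sessions are held only by HR staff",
    ],
    "authenticated sessions are held only by HR staff": [
        "the authenticator accepts only HR credentials",
        "HR credentials are issued only to HR staff",
    ],
}

# Domain properties the analyst has already verified (constructed).
DOMAIN_PROPERTIES = {
    "the display shows HR data only within an authenticated session",
    "the authenticator accepts only HR credentials",
}

def hr_example():
    """Check the argument before and after recording a trust assumption."""
    before = argument_gaps(REQUIREMENT, RULES, DOMAIN_PROPERTIES)
    # Credential issuance lies outside the analysed system; rather than dig
    # further, the analyst records a trust assumption and re-runs the check.
    trust_assumptions = {"HR credentials are issued only to HR staff"}
    after = argument_gaps(REQUIREMENT, RULES, DOMAIN_PROPERTIES | trust_assumptions)
    return before, after

if __name__ == "__main__":
    print(hr_example())  # ({'HR credentials are issued only to HR staff'}, set())
```

The set returned before the trust assumption is exactly the list of claims the analyst must either investigate further or decide to trust.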

To support this kind of modeling, a new Compendium Stencil was created to provide a palette of Problem Frame modeling icons, specializations of the generic Reference node. If desired, a specific relational vocabulary (Linkset) can also be defined to provide labeled edges.

Consider a simple human resources personnel information display system. The proposed system has one requirement: provide the HR data requested by a user. Security goal analysis [1, 19, 24] results in one security requirement: only to HR staff. A problem diagram is constructed