A Framework for the Extension and Visualisation of Cyber Security Requirements in Modelling Languages

Almost half of UK firms claim to have been subject to some sort of cyber-attack or breach in the last 12 months, with an average cost per incident being around £20,000. Yet, even in the face of these ever-mounting threats, cyber security is still treated as an afterthought throughout the systems development lifecycle (SDLC). Though literature is aiming to rectify this mindset through the proposal of multiple software security solutions, there is still a noticeable absence of any usable, expressive tool for designing cyber security into a system at the requirements stages of the SDLC. By not practicing secure by design, there is a risk of: poor defences, confused developers with no security guidelines to work from, a potential redesign of core functionality and very expensive patch management. There have been several attempts at producing a solution, with modelling languages presenting themselves as the perfect platform to specify such designs. One can observe multiple publications throughout literature which propose the extension of these languages to include security expression. However, the ability of these propositions to provide comprehensive expression of the cyber security domain and remain usable alongside their parent modelling language, remains an elusive endeavour. The aim of this thesis is to produce a solution which ensures the practicability of expressive and usable secure by design tool implementation. That is, by conducting an evaluation of existing attempts at security extension and extracting heuristics based on their current failings, combine them with proven scientific principles to produce a framework which will act as its own form of methodology to guide the development of a security extension to modelling languages