An Attribute-Driven Model for Trustworthy Requirements Elicitation Fei Shao, Rong Peng, Dong Sun, Han Lai, You-song Liu
An Attribute-Driven Model for Trustworthy Requirements Elicitation
Fei Shao (1,2), Rong Peng (1,2, corresponding author), Dong Sun (1,2), Han Lai (1,2), You-song Liu (1,2)
1 State Key Lab of Software Engineering, Wuhan University, Wuhan 430072, China
2 Computer School, Wuhan University, Wuhan 430072, China
[email protected], {rongpeng, sundong, laihan, ysliu}@whu.edu.cn
Abstract
Building a trustworthy requirements specification is difficult because of its inherent complexity and the interdisciplinary nature of requirements engineering and security. This paper deals with two challenges: (1) the nonstandard architecture and definition of trustworthy attributes, and (2) the inadequacy of existing methodologies for obtaining implicit trustworthy requirements. It proposes a trustworthy requirements elicitation model called TruReq, which combines three components: a Trustworthy Decomposition Tree (TDT), a Correlation Matrix (CM), and a Priority Vector of Trustworthy Attributes (PV). The TDT is built on the ISO14508 Common Criteria (CC) and ISO25010:2011 to organize trustworthy attributes systematically; the CM is constructed with fuzzy set theory to quantify the dependencies between trustworthy attributes; and the PV is generated by applying the FQQSIG model to resolve potential conflicts. The integrated model supports heuristic refinement of requirements guided by the TDT, discovery of implicit trustworthy requirements based on the CM, and decision-making for conflicting requirements according to the PV. An e-commerce case is worked through to verify the feasibility of the model. The case study shows that the TruReq model can efficiently guide trustworthy requirements elicitation and locate the conflicts among the elicited requirements.
Keywords: Correlation Matrix (CM), Priority Vector (PV), Trustworthy Requirements (TR), Trustworthy Decomposition Tree (TDT), Trustworthy Requirements Elicitation Model (TruReq)
1. Introduction
For any system to be built, its requirements specification plays a prominent role in the development process; it provides the baseline for the subsequent development stages, including design, coding, testing and maintenance. Consequently, a good-quality software requirements specification is crucial for the success of a project. There is far more literature on how to elicit and analyze functional requirements than on trustworthy requirements. However, the main purpose of eliciting trustworthy requirements is to improve the quality of a software system, especially in today's ubiquitous network environment. In other words, trustworthy requirements do not directly concern the functions of the software but the trustworthiness of those functions, e.g., their reliability, security and usability. For non-experts it is a difficult task to identify and describe trustworthy requirements at all, let alone to do so with high quality. Thus, providing methodologies that support high-quality trustworthy requirements elicitation is essential. The main challenge lies in ensuring the completeness and consistency of the identified trustworthy requirements. As far as we know, a large proportion of the relevant research [1-6, 20, 21] follows this rule: no or little analysis until all requirements have been collected. The model proposed in this paper supports iterative analysis, so the intermediate results of the analysis can guide the subsequent requirements elicitation.
The paper is structured as follows: Section 2 describes the proposed model TruReq in four subsections; Section 3 presents a case study on online shopping and applies the model to the process of trustworthy requirements elicitation; Section 4 analyzes the proposed model; and the conclusion is drawn in Section 5.
2. TruReq model based trustworthy requirements elicitation
This section proposes a trustworthy requirements elicitation model called TruReq. TruReq mainly consists of three components: Trustworthy Decomposition Tree (TDT), Correlation Matrix (CM), and Priority Vector of Trustworthy Attributes (PV). The TDT is used to organize trustworthy attributes systematically, the main purpose of the CM is to quantify dependencies between trustworthy attributes, and the role of the PV is to resolve the identified conflicts according to their priorities.
International Journal of Digital Content Technology and its Applications (JDCTA), Volume 6, Number 23, December 2012, doi:10.4156/jdcta.vol6.issue23.61
2.1. Construction of trustworthy decomposition tree (TDT)
In some of the previous literature [8-11], the definitions of trustworthy attributes and their structures vary and are mainly based on the authors’ subjective preferences, without formalization and validation. In order to avoid redundancy and ambiguity, ISO 25010:2011 [12] and CC (ISO 14508 Common Criteria) [13] are used as the basis to construct the TDT shown in Figure 1. Adopting this TDT has two advantages: (1) Detailed terminology: in ISO25010:2011 and CC, all terminology is defined strictly and in detail, so it is easy for users and engineers to understand and distinguish the terms. (2) Universality: both ISO25010:2011 and CC are current international standards, so they are well accepted all around the world, and this is an important characteristic determining the acceptability of the subsequent work.
Figure 1. Trustworthy Decomposition Tree (TDT)
In the TDT, all attributes are organized in a three-layer structure, namely trustworthiness, attributes and sub-attributes. “Security” and its sub-attributes are integrated based on the classes in CC and the structure of “security” in ISO 25010:2011; the remaining attributes and their sub-attributes come from ISO 25010:2011.
2.2. Construction of Correlation Matrix (CM) of trustworthy attributes
Before building the CM, the consensus that should be reached is that the relationship between any two trustworthy attributes is one-way, and the two one-way relationships between the same two attributes may or may not be the same. For example, “security” and “performance” are regarded as two important attributes. Obviously, “security” brings negative impacts on “performance”, but it is not certain whether “performance” will affect “security” positively or negatively in a specific system. In this study, the types of relationship between trustworthy attributes are classified into three categories: “Conflict” (-), “Unknown” (null) and “Cooperation” (+). Their definitions are as follows:
(1) “Conflict”: “A is in Conflict with B” represents a negative impact, namely, the enhancement of attribute A will hinder the achievement of attribute B;
(2) “Unknown”: “The relationship from A to B is Unknown” represents a nondeterministic impact from A to B, namely, the enhancement of attribute A may either contribute to or hinder the achievement of attribute B;
(3) “Cooperation”: “A is in Cooperation with B” represents a positive impact, namely, the enhancement of attribute A will contribute to the achievement of attribute B.
For quantizing qualitative attributes, fuzzy set theory is an appropriate and convenient tool. Although there is much research on using fuzzy set theory for priority definition and weight determination in requirements engineering [1, 14-16], using it to express the relationships between trustworthy attributes has not been reported. There are various kinds of fuzzy numbers [17]. In this paper, trapezoidal fuzzy numbers are adopted because they can be handled arithmetically and interpreted intuitively.
In order to compute the implicit relationships between any two trustworthy attributes, the real-number interval which represents the direction and strength of the relationships is set to [-0.5, 0.5]. According to the RAGE algorithm [21], the interval [-0.5, 0.5] can be divided into the three trapezoidal fuzzy numbers listed in Table 1. Each linguistic fuzzy variable, “Cooperation”, “Unknown” and “Conflict”, corresponds to a specific trapezoidal fuzzy number, defined as a tuple n' = (n1, n2, n3, n4) where n1 ≥ -0.5 and n4 ≤ 0.5. The size of a trapezoid is related to three factors: the implication of the linguistic fuzzy variable, subjective preference and previous experience. Since the identification of “Cooperation” and “Conflict” is clearer than that of “Unknown”, the relationship “Unknown” is defined on the interval [-0.1, 0.1], whose trapezoid is smaller than those of “Cooperation” on [0.05, 0.5] and “Conflict” on [-0.5, -0.05].
Table 1. Fuzzy variables and their corresponding trapezoidal fuzzy numbers
fuzzy variable     mark      fuzzy number n' = (n1, n2, n3, n4)
“Cooperation”      “+”       (0.05, 0.1, 0.5, 0.5)
“Unknown”          (blank)   (-0.1, -0.05, 0.05, 0.1)
“Conflict”         “-”       (-0.5, -0.5, -0.4, -0.05)
The procedure of constructing the CM of trustworthy attributes includes the following three steps: 1) obtaining the explicit correlation matrix and defuzzification, 2) computing the transitive relation to get the implicit relationships, and 3) fuzzification.
2.2.1. Obtaining explicit correlation matrix and defuzzification
Initially, the explicit linguistic relationships between the trustworthy attributes in the TDT are given by a number of domain experts who have an in-depth understanding of these trustworthy terminologies. Each expert can select only one linguistic fuzzy variable to evaluate the relationship between two trustworthy attributes. Assume that T is the number of experts and the t-th expert is represented by exp_t (t=1,…,T). Each expert exp_t has a corresponding correlation matrix M_t which contains all the relationships evaluated by him. A partial sample is shown in Figure 2(a), in which the marks ‘+’, ‘-’ and blank represent “Cooperation”, “Conflict” and “Unknown” respectively.
Figure 2. (a): Partial correlation matrix M_t (the visible rows and columns include the attributes Installability, Replaceability, Resist Economic damage risk, Resist Health & Safety risk and Resist Environment risk); (b): Membership function diagram, plotting μ_n'(x) against x over [-0.5, 0.5] for the three fuzzy variables conflict, unknown and cooperation, with axis ticks at -0.5, -0.4, -0.1, 0, 0.1, 0.4 and 0.5.
The larger T is, the more accurate the evaluations can be, because the bias caused by the experts’ preferences can be balanced out. But the precision of the final CM depends more on the experts’ capability than on their number. Thus, selecting qualified experts to evaluate the relationships is most important.
$$
\mu_{n'}(x) =
\begin{cases}
0, & x < n_1 \\
\dfrac{x - n_1}{n_2 - n_1}, & n_1 \le x \le n_2 \\
1, & n_2 \le x \le n_3 \\
\dfrac{x - n_4}{n_3 - n_4}, & n_3 \le x \le n_4 \\
0, & x > n_4
\end{cases}
\qquad (1)
$$
After getting T matrices from the experts, the next step is applying defuzzification to these matrices. The RAGE defuzzification algorithm [18], proposed by R. R. Yager and D. P. Filev, presents a random algorithm to generate the defuzzification parameter. It regards the membership function as a probability distribution and uses a random algorithm to generate a precise deterministic value within the domain of the fuzzy variable. The membership function in RAGE is given by Equation (1). Figure 2(b) is the corresponding graph based on the definitions in Table 1. The value of the membership function represents the degree of truth as a degree of valuation [19]. In this paper, one real number in the interval [-0.5, 0.5] is selected to denote each independent fuzzy variable, and the RAGE defuzzification algorithm is used to calculate the precise deterministic value triples of the experts. Namely, each expert has a unique precise deterministic value triple which is mapped to the fuzzy variable triple V, such as V1 = (-0.45, 0.03, 0.36), V2 = (-0.4, 0.13, 0.26), ..., VT = (-0.3, -0.02, 0.47), assigned to exp1, exp2, ..., expT respectively. To illustrate the RAGE algorithm, we give the following steps of defuzzification for “Conflict” as evaluated by exp1; the process is the same for the other fuzzy variables:
(1) According to the above definitions of fuzzy numbers, the fuzzy number interval of “Conflict” is [-0.5, -0.05]. Assuming d_i (i=1,…,I) denotes I random numbers in this interval, the fuzzy variable “Conflict” can be transformed into the probability distribution P by Equation (2).
$$
P(d_i) = p_i = \frac{\mu_{n'}(d_i)}{\sum_{i=1}^{I} \mu_{n'}(d_i)}, \qquad i = 1, \ldots, I. \qquad (2)
$$
(2) Divide the interval [-0.5, -0.05] into I sections, where the size of each section depends on the probability p_i. The sections are denoted by the arrays R_i (i=1,…,I) defined in Equation (3):
$$
R_i = [a_i, b_i], \quad i = 1, \ldots, I, \qquad a_1 = 0,\; b_1 = p_1,\; a_{i+1} = b_i,\; b_{i+1} = a_{i+1} + p_{i+1},\; b_I = 1. \qquad (3)
$$
(3) Perform a random experiment to generate a random number r from the uniform distribution on the interval [0, 1].
(4) If r ∈ R_i, then Defuzz_exp1(Conflict) = d_i, in which d_i is the explicit number used to substitute “Conflict” when the fuzzy variable is evaluated by exp1.
From the above procedure, one conclusion can be drawn: the probability corresponding to d_i is related to the membership of d_i, and the higher the membership of d_i is, the higher the probability P(d_i) is. In the same way, the defuzzification parameters of “Unknown” and “Cooperation” can be calculated. Thus, the precise deterministic value triple V1 for exp1 is as follows: V1 = (Defuzz_exp1(Conflict), Defuzz_exp1(Unknown), Defuzz_exp1(Cooperation)). At the same time, the value triple should also reflect the expert’s individual features. Assume that the parameter denotes the perceived quality parameter based on the expert’s experience data, which is related to multiple factors such as reputation, historical data, and the employing organization. The value triple V' which reflects the expert’s features can be generated by the following equation:
V_i' = · V_i,  i = 1, 2, …, T   (4)
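The defuzzification steps (1) to (4) of Section 2.2.1 and the expert-feature scaling of Equation (4), as an added Python example; this is not code from the paper. The trapezoidal fuzzy numbers are those of Table 1. The sample count I, the seeded random generator, the name `quality` for the expert's perceived-quality parameter, and the clipping used as the normalization step are all assumptions, since the paper fixes none of them.

```python
import random

# Trapezoidal fuzzy numbers n' = (n1, n2, n3, n4) from Table 1 of the paper.
FUZZY_NUMBERS = {
    "Conflict": (-0.5, -0.5, -0.4, -0.05),
    "Unknown": (-0.1, -0.05, 0.05, 0.1),
    "Cooperation": (0.05, 0.1, 0.5, 0.5),
}


def membership(n, x):
    """Trapezoidal membership function mu_n'(x) of Equation (1)."""
    n1, n2, n3, n4 = n
    if x < n1 or x > n4:
        return 0.0
    if x < n2:                      # rising edge, n1 <= x < n2
        return (x - n1) / (n2 - n1)
    if x <= n3:                     # plateau, n2 <= x <= n3
        return 1.0
    return (x - n4) / (n3 - n4)     # falling edge, n3 < x <= n4


def probability_distribution(n, samples):
    """Equation (2): memberships of the sampled points d_i rescaled to probabilities p_i."""
    weights = [membership(n, d) for d in samples]
    total = sum(weights)
    return [w / total for w in weights]


def sections(probabilities):
    """Equation (3): adjacent sections R_i = [a_i, b_i] of [0, 1], each of width p_i."""
    result, a = [], 0.0
    for p in probabilities:
        result.append((a, a + p))
        a += p
    return result


def rage_defuzzify(n, rng, sample_count=50):
    """Steps (1) to (4) for one fuzzy number: sample I points in [n1, n4], weight them by
    membership, draw r ~ U[0, 1] and return the d_i whose section R_i contains r.
    sample_count (I) and the rng are assumptions; the paper fixes neither."""
    n1, _, _, n4 = n
    samples = [rng.uniform(n1, n4) for _ in range(sample_count)]
    probs = probability_distribution(n, samples)
    r = rng.random()
    for d, (a, b) in zip(samples, sections(probs)):
        if a <= r <= b:
            return d
    return samples[-1]  # only reached through floating-point rounding when r is close to 1


def expert_value_triple(rng, quality=1.0):
    """V_t = (Defuzz(Conflict), Defuzz(Unknown), Defuzz(Cooperation)) for one expert.
    `quality` stands for the expert's perceived-quality parameter of Equation (4) (name
    assumed); the product is clipped back into [-0.5, 0.5], one possible normalization,
    assumed here because the paper does not specify its normalization."""
    order = ("Conflict", "Unknown", "Cooperation")
    raw = tuple(rage_defuzzify(FUZZY_NUMBERS[k], rng) for k in order)
    return tuple(max(-0.5, min(0.5, quality * v)) for v in raw)


if __name__ == "__main__":
    rng = random.Random(2012)  # fixed seed so the run is reproducible
    for name, n in FUZZY_NUMBERS.items():
        print(f"{name:12s} interval {n} -> {rage_defuzzify(n, rng):+.3f}")
    print("V_1' =", expert_value_triple(random.Random(1), quality=1.1))
```

Because the sample d_i with the highest membership gets the widest section of [0, 1], the uniform draw r lands on values near the trapezoid's plateau most often, which is the property the paper draws from the procedure; points with zero membership get zero-width sections and are effectively never chosen.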
By normalization processing, the elements in V_i' can be normalized into the interval [-0.5, 0.5]. After defuzzification and the computation of V_i', each relationship evaluated by a fuzzy variable can be denoted by a precise deterministic value. The matrix M_t constructed from fuzzy variables can be transformed into a new matrix M_t' constructed from precise deterministic values. Similarly, transforming all the other experts’ matrices generates a set of matrices M_t', t=1,…,T. Next, the comprehensive matrix is computed by the formula
$$
M' = \sum_{t=1}^{T} w_{exp_t} M_t'
$$
in which M' is the matrix generated by integrating the evaluations of all experts, and w_{exp_t} is the priority-based weight of expert exp_t. If each expert has the same weight, then w_{exp_t} = 1/T, t=1,…,T.
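Aggregation of the experts' defuzzified matrices M_t' into the comprehensive matrix M' by the weighted sum above, as an added Python example (not the paper's code). The three attribute names and the two experts' linguistic matrices are constructed for illustration; the value triples reuse the V1 and V2 numbers quoted in Section 2.2.1. The example keeps the one-way convention (row = impacting attribute x, column = impacted attribute y) and lists the pairs where the two directions disagree.

```python
# Attribute names and evaluations below are constructed for illustration; rows are the
# impacting attribute x, columns the impacted attribute y (one-way relationships).
ATTRIBUTES = ["Security", "Performance", "Usability"]

# Linguistic matrices M_t of two experts: '-' Conflict, '' (blank) Unknown, '+' Cooperation.
EXPERT_MATRICES = [
    {"Security": {"Performance": "-", "Usability": "-"},
     "Performance": {"Security": "", "Usability": "+"},
     "Usability": {"Security": "", "Performance": ""}},
    {"Security": {"Performance": "-", "Usability": ""},
     "Performance": {"Security": "", "Usability": "+"},
     "Usability": {"Security": "-", "Performance": ""}},
]

# Precise deterministic value triples V_t = (Conflict, Unknown, Cooperation), one per
# expert; these two reuse the V1 and V2 values quoted in Section 2.2.1.
VALUE_TRIPLES = [(-0.45, 0.03, 0.36), (-0.4, 0.13, 0.26)]

MARK_INDEX = {"-": 0, "": 1, "+": 2}


def to_numeric(linguistic, triple):
    """M_t -> M_t': replace every linguistic mark with that expert's own defuzzified value."""
    return {x: {y: triple[MARK_INDEX[mark]] for y, mark in row.items()}
            for x, row in linguistic.items()}


def aggregate(matrices, triples, weights=None):
    """M'[x][y] = sum_t w_exp_t * M_t'[x][y]; equal weights 1/T when none are given."""
    count = len(matrices)
    if weights is None:
        weights = [1.0 / count] * count
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("expert weights must sum to 1")
    numeric = [to_numeric(m, v) for m, v in zip(matrices, triples)]
    merged = {x: {} for x in ATTRIBUTES}
    for x in ATTRIBUTES:
        for y in ATTRIBUTES:
            if x != y:
                merged[x][y] = sum(w * m[x][y] for w, m in zip(weights, numeric))
    return merged


def relationship_value(merged, x, y):
    """z of the triple (x, y, z): the Relationship Value from x (impacting) to y (impacted)."""
    return merged[x][y]


def asymmetric_pairs(merged, tol=1e-9):
    """Attribute pairs whose two one-way values differ, i.e. M'[x][y] != M'[y][x]."""
    return [(x, y) for x in ATTRIBUTES for y in ATTRIBUTES
            if x < y and abs(merged[x][y] - merged[y][x]) > tol]


if __name__ == "__main__":
    merged = aggregate(EXPERT_MATRICES, VALUE_TRIPLES)
    for x in ATTRIBUTES:
        for y in ATTRIBUTES:
            if x != y:
                print(f"M'[{x}][{y}] = {relationship_value(merged, x, y):+.4f}")
    print("pairs whose two directions differ:", asymmetric_pairs(merged))
```

With equal weights the Security-to-Performance entry is the mean of the two experts' Conflict values, while the Performance-to-Security entry is the mean of their Unknown values, so the two directions of the same pair end up with different signs exactly as the one-way definition allows; passing explicit weights shifts each entry toward the more trusted expert.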
Each element in matrix M' is represented by a triple (x, y, z), in which x and y denote trustworthy attributes and z is the precise deterministic value of the relationship (called the Relationship Value) from x to y. The element M[x][y] = z in matrix M indicates that the relationship value from x to y is z; here x is the attribute impacting y, and y is the attribute impacted by x. Because the relationship is one-way, M[x][y] may be unequal to M[y][x]. Based on the above definitions and Equation 1, it can be concluded that 0.5 > z > 0.09375, -0.5 < z