Abstract

Trustworthy information systems are information systems that fulfill all their functional and non-functional requirements. To this end, all the components of an information system, whether human or technical, need to collaborate in order to meet its requirements and achieve its goals. This entails that system components will show the desired or expected behaviour once the system is put into operation. However, modern information systems include a great number of components that can behave in a very unpredictable way. This unpredictability in the behaviour of system components is a major challenge to the development of trustworthy information systems, particularly during the modelling stage. When a system component is modelled as part of a requirements engineering model, it creates uncertainty about its future behaviour, thus undermining the accuracy of the system model and eventually the system's trustworthiness. Therefore, the addition of system components is inevitably based on assumptions about their future behaviour. Such assumptions underlie the development of a system and are usually assumptions of trust by the system developer about her trust relationships with the system components, which are formed the instant a component is inserted into a requirements engineering model of a system. However, despite the importance of such issues, a requirements engineering methodology that explicitly captures such trust relationships, along with the entailed trust assumptions and trustworthiness requirements, is still missing. To tackle the preceding problems, the thesis proposes a requirements engineering methodology, namely JTrust (Justifying Trust), for developing trustworthy information systems. The methodology is founded upon the notions of trust and control as the means of achieving confidence.

In order to develop an information system, the developer needs to consider her trust relationships with the system components that are formed when they are added to a system model, reason about them, and proceed to a justified decision about the design of the system. If a system component cannot be trusted to behave in a desired or expected way, then the question arises of what the alternatives are for building confidence in the future behaviour of that component. To answer this question we define a new class of requirements, namely trustworthiness requirements. Trustworthiness requirements prescribe the functionality of the software included in the information system that compels the rest of the information system components to behave in a desired or expected way. The proposed methodology consists of: (i) a modelling language which contains trust and control abstractions; and (ii) a methodological process for capturing and reasoning about trust relationships, modelling and analysing trustworthiness requirements, and assessing the system trustworthiness at the requirements stage. The methodology is accompanied by a CASE tool to support it. To evaluate our proposal, we applied our methodology to a case study and carried out a survey to get feedback from experts. The topic of the case study was the e-health care system of the National Health Service in England, which was used to reason about trust relationships with system components and identify trustworthiness requirements. Researchers from three academic institutions across Europe and from one industrial company, British Telecom, participated in the survey in order to provide valuable feedback about the effectiveness and efficiency of the methodology. From the results we conclude that JTrust is useful and easy to use in modelling and reasoning about trust relationships, modelling and analysing trustworthiness requirements, and assessing the system trustworthiness at a requirements level.