Abstract
Successfully developing domain-specific languages (DSLs) requires language engineers to consider their organizational context, which is challenging. Action design research (ADR) provides a conceptual framework to address this challenge. Since ADR's application to the engineering of DSLs has not yet been examined, we investigate applying it to the development of threat modeling DSLs based on the Meta Attack Language (MAL), a metamodeling language for the specification of domain-specific threat modeling languages. To this end, we conducted a survey of experienced MAL developers about their development activities. We extract guidelines from the survey and align these, together with established DSL design guidelines, to the conceptual model of ADR. The research presented aims to be the first step in investigating whether ADR can be used to systematically engineer DSLs.
Notes
- 1. MAL Survey https://forms.gle/Wuv5sJgqZSctgP4LA (Accessed 2021-06-01).
Acknowledgements
This project has received funding from the European Union’s H2020 research and innovation program under the Grant Agreement No. 832907, the Swedish Centre for Smart Grids and Energy Storage (SweGRIDS), and the Deutsche Forschungsgemeinschaft (DFG) under Grant Agreement No. 441207927.
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Hacks, S., Katsikeas, S., Rencelj Ling, E., Xiong, W., Pfeiffer, J., Wortmann, A. (2022). Towards a Systematic Method for Developing Meta Attack Language Instances. In: Augusto, A., Gill, A., Bork, D., Nurcan, S., Reinhartz-Berger, I., Schmidt, R. (eds) Enterprise, Business-Process and Information Systems Modeling. BPMDS 2022, EMMSAD 2022. Lecture Notes in Business Information Processing, vol 450. Springer, Cham. https://doi.org/10.1007/978-3-031-07475-2_10
DOI: https://doi.org/10.1007/978-3-031-07475-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-07474-5
Online ISBN: 978-3-031-07475-2
eBook Packages: Computer Science (R0)