What do you assume? A Theory of Security-Related Assumptions

Assumptions play a significant role in software engineering. Especially for security, implicit, inconsistent, or invalid assumptions about the system can have a high impact. Even though there are several approaches for managing assumptions in security engineering, most of them are highly specific to their domain and phase in software development. However, for holistic assumption management, a general understanding of security-related assumptions is needed. Founded on a Grounded Theory-based approach, including nine interviews with security researchers and a literature review of 53 scientific publications on assumptions, we propose a first definition of security-related assumptions.


INTRODUCTION
Assumptions play a significant role in various aspects of software engineering, as evident from prior research [9,16,18]. Regrettably, many assumptions are impromptu and left implicit. The repercussions of implicit, inconsistent, and invalid assumptions can be profound, causing requirement violations, miscommunication, and many system issues, including security vulnerabilities [16]. Many of these problems can be prevented by assumption management. Assumption management for software systems is the systematic development and maintenance of explicit assumptions in software systems. This covers identifying, describing, evaluating, maintaining, tracing, monitoring, reusing, and organizing assumptions [16].
In systems with elevated security standards, explicit assumption management becomes crucial. Failures in such systems, such as those used in cars, medical systems, or power supplies, can severely affect user privacy or safety. Security engineering faces numerous challenges, with many issues arising from undocumented and implicit assumptions that give rise to vulnerabilities [17]. An example is the Equifax data breach from 2017 [8]. Systematic uncovering and management of the assumed anchors of a system's security could help with these challenges. Indicators can be found when investigating the relation of assumptions and threats [2,10,12,13]. Therefore, an understanding of security-related assumptions, their inclusion in the software engineering process, and their relations to other artifacts is needed.
Even though assumption is a widely used term, it is often not well-defined [16]. In a systematic mapping study on assumptions and their management, Yang et al. categorize and describe several types of assumptions in software engineering. The most frequent types are context, trust, architectural, and early architectural assumptions. In particular, trust assumption is a widely but inconsistently used term in security [5,6,14]. In general, a problem with the existing notions is that assumptions are only defined for specific contexts and software development phases. However, assumptions have a dynamic nature and a flexible usage [13]. This requires the possibility to define and refine assumptions with respect to contexts, software development phases, and viewed artifacts. However, to our knowledge, no definition or concept addresses this problem.
In this work, we investigate assumptions that impact directly the security of a system, so-called security-related assumptions, and raise the research question: "What is a security-related assumption, and how is it linked to other software development concepts?"

APPROACH
To answer our research question, we decided on a Constructivist Grounded Theory-based approach [3]. The main goal of Grounded Theory is to inductively generate theory from data by immediate and continuous data analysis. Everything can be used as data, e.g., interviews, literature, or media. To build the theory, exemplary assumptions would work best. However, publicly available, explicit assumptions on security are rare to find. Therefore, we conducted structured interviews with nine security researchers from a German university. In each interview, we presented the Dutch smart grid as a common scenario [11]. The interviewees were then asked to reflect on assumptions and requirements that occurred during their work as well as their impact on the security of the system. After every two to three interviews, we coded and analyzed the gathered data to adapt our view on security-related assumptions.

ICSE-Companion '24, April 14-20, 2024, Lisbon, Portugal. Corallo et al.
We increased the amount of analyzable data by an extensive literature review of 53 scientific publications. Due to an observed similarity between assumptions and requirements, we clustered the literature by requirements engineering activities, e.g., elicitation and verification, and highlighted artifacts, e.g., threat models, code, and design, to support the coding process.

RESULTS
In the conducted interviews, we observed several commonalities and distinguishing criteria: Security-related assumptions seem to have a probability of violation that appears to be useful for security estimations. Moreover, they have consequences, e.g., legal, conceptual, and physical aspects, as well as an impact on the system. Security-related assumptions are specific to a certain perspective, described by a subject and the viewed information, e.g., a UML class diagram. Thereby, an assumption targets the outer world, the context, or the inside of a system. In both of the latter cases, assumptions influence decisions on the system. Independent of the view or the target space, assumptions, like requirements, can be formulated on different levels of abstraction. Thereby, assumptions can have sub-assumptions that describe the former at a finer-grained level.
In our literature review, most work aligned with our picture of assumptions, even though some extended our view. The most remarkable change was regarding the relation between requirements and assumptions. Whereas some works do not distinguish between assumptions and requirements [1,15], some make assumptions on design decisions [4].
Concluding from our observations, we provide the following definition. As it relies on limited data, it is formulated as a theory.
Theory. A security-related assumption is a statement that: (1) is taken to be true, (2) can be violated, (3) is formulated from a certain perspective. Security-related assumptions seem to have several properties: (4) They can be interpreted differently from different perspectives, (5) they can be refined horizontally (on the same abstraction level) as well as vertically (across different abstraction levels), (6) they have a probability of being violated, a risk for the security of the system, as well as consequences of their violation, (7) they occur when a design decision is made, (8) they transform into a requirement if they are supposed to be realized by a design decision.
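To make properties (5), (6) and (8) of the theory concrete, the following is an added example (not code from the paper or its authors): a small assumption register in which an assumption can be refined vertically into sub-assumptions, the probability of violation of a refined assumption is derived from its sub-assumptions, risk is computed from probability and consequence, and an assumption is promoted to a requirement once a design decision is meant to realize it. The aggregation rule (a refined assumption is violated if any sub-assumption is violated, sub-assumptions treated as independent), the 0..10 consequence scale, and the smart-meter values are constructed assumptions for illustration and are not taken from the paper.

```python
"""Toy assumption register modelling properties (5), (6) and (8) of the theory.

Added example, not part of the paper. Assumed conventions (not from the paper):
  * a refined assumption is violated when any sub-assumption is violated, and
    sub-assumptions are treated as independent: P = 1 - prod(1 - p_i);
  * risk = P(violation) * consequence, with consequence on a 0..10 scale.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Assumption:
    """A statement taken to be true that can be violated (theory items 1-3)."""
    statement: str
    perspective: str                      # item (3): subject + viewed artifact
    p_violation: Optional[float] = None   # item (6): estimated on leaves only
    consequence: float = 0.0              # item (6): severity of violation, 0..10
    sub_assumptions: list[Assumption] = field(default_factory=list)  # item (5)
    realized_by: Optional[str] = None     # items (7)/(8): realizing design decision

    def refine(self, *subs: Assumption) -> Assumption:
        """Vertical refinement: attach finer-grained sub-assumptions.
        Adding further siblings to an existing set is horizontal refinement."""
        self.sub_assumptions.extend(subs)
        return self

    def probability_of_violation(self) -> float:
        """Leaf: the estimate given by the perspective owner.
        Refined assumption: violated if any sub-assumption is violated."""
        if not self.sub_assumptions:
            if self.p_violation is None:
                raise ValueError(f"leaf without estimate: {self.statement!r}")
            return self.p_violation
        survives = 1.0
        for sub in self.sub_assumptions:
            survives *= 1.0 - sub.probability_of_violation()
        return 1.0 - survives

    def risk(self) -> float:
        """Item (6): risk for the system's security."""
        return self.probability_of_violation() * self.consequence


@dataclass(frozen=True)
class Requirement:
    """Item (8): the requirement an assumption turns into."""
    text: str
    derived_from: str
    design_decision: str


def to_requirement(a: Assumption, design_decision: str) -> Requirement:
    """Item (8): once a design decision is supposed to realize the assumption,
    it becomes a requirement; the assumption stays in the register, marked
    as realized by that decision so the trace is kept."""
    a.realized_by = design_decision
    return Requirement(text=f"The system shall ensure: {a.statement}",
                       derived_from=a.statement,
                       design_decision=design_decision)


def rank_by_risk(assumptions: list[Assumption]) -> list[Assumption]:
    """Highest risk first; useful for deciding which assumptions to realize."""
    return sorted(assumptions, key=lambda a: a.risk(), reverse=True)


def smart_meter_example() -> dict:
    """Constructed scenario in the smart-grid setting; all numbers are made up."""
    root = Assumption("Meter readings cannot be tampered with in transit",
                      perspective="architect / deployment diagram", consequence=8.0)
    channel = Assumption("The meter-to-head-end channel is encrypted and authenticated",
                         perspective="architect / deployment diagram",
                         p_violation=0.05, consequence=8.0)
    firmware = Assumption("The meter only accepts signed firmware updates",
                          perspective="firmware engineer / boot code",
                          p_violation=0.10, consequence=9.0)
    root.refine(channel, firmware)          # vertical refinement of `root`
    # A design decision realizes the channel assumption: it becomes a requirement.
    req = to_requirement(channel, "mutually authenticated TLS on the meter link")
    return {
        "root": root, "channel": channel, "firmware": firmware, "requirement": req,
        "ranking": [a.statement for a in rank_by_risk([root, channel, firmware])],
    }


if __name__ == "__main__":
    ex = smart_meter_example()
    print(f"P(root violated) = {ex['root'].probability_of_violation():.3f}")
    for a in rank_by_risk([ex["root"], ex["channel"], ex["firmware"]]):
        print(f"risk {a.risk():5.2f}  {a.statement}  [{a.perspective}]")
    print(ex["requirement"])
```

The register keeps the assumption alive after it has been promoted, which is what makes the trace from a requirement back to the assumption and its perspective possible; deleting the assumption on promotion would lose exactly the information that item (4) says different perspectives may read differently.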
To see whether the definition and properties would help to explicate security-related assumptions, we conducted an applicability study based on a worked example. For this, we used risk assessment