EAI Endorsed Transactions on Self-Adaptive Systems 01-2015 | Volume 1 | Issue 1 | e2

Research Article

“Why can’t I do that?”: Tracing Adaptive Security Decisions

Armstrong Nhlabatsi 1, Thein Tun 2, Niamul Khan 1, Yijun Yu 2, Arosha K. Bandara 2, Khaled M. Khan 1, Bashar Nuseibeh 2,3

1 Qatar University, {armstrong.nhlabatsi, niamul.khan, k.khan}@qu.edu.qa
2 The Open University, {t.t.tun, y.yu, a.k.bandara, b.nuseibeh}@open.ac.uk
3 Lero, University of Limerick, bashar.nuseibeh@lero.ie

Abstract

One of the challenges of any adaptive system is to ensure that users can understand how and why the behaviour of the system changes at runtime. This is particularly important for adaptive security behaviours, which are essential for applications that are used in many different contexts, such as those hosted in the cloud. In this paper, we propose an approach for using traceability information, enriched with causality relations and contextual attributes of the deployment environment, when providing feedback to the users. We demonstrate, using a cloud storage-as-a-service environment, how our approach provides users of cloud applications with better information, explanations and assurances about the security decisions made by the system. This enables the user to understand why a certain security adaptation has occurred and how the adaptation is related to the current context of use of the application, and gives a guarantee that the application still satisfies its security requirements after an adaptation.

Keywords: Traceability, Causality, Entailment Relation, Security Requirements, Access Control Policies.

Received on 19 November 2014, accepted on 17 January 2015, published on 28 January 2015

Copyright © 2015 A. Nhlabatsi et al., licensed to ICST.
This is an open access article distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/3.0/), which permits unlimited use, distribution and reproduction in any medium so long as the original work is properly cited.

doi: 10.4108/sas.1.1.e2

1. Introduction

Many software applications are now deployed as Cloud Services in order to allow users to access them from a variety of devices, wherever they happen to be. This requires that these applications be able to adapt their behaviour, in order to ensure that requirements continue to be satisfied even when the context of use changes. This is particularly important for critical quality requirements such as security requirements. For example, we may want a cloud application to change its security behaviour depending on where (location) it is used, who (subject) is using it, or when (time) it is being used. We call this Adaptive Information Security (AIS).

As a result of dynamic context, the assets, their values, and attack scenarios can change easily from one situation to another, increasing the challenge of finding out what the information assets are, who their owners are, where in the system vulnerabilities lie, and the extent to which the security requirements are satisfied.

One of the challenges of any adaptive security system is to ensure that users can understand how and why the security behaviour of the system changes at runtime. For example, a doctor may be able to edit a medical record stored on a cloud server using one device but only able to read the same medical record when it is accessed from a different device. This is because an access control policy for maintaining confidentiality and integrity of medical records may dictate that the doctor is able to gain access to edit rights only when he is on duty. Sensors in the device used when accessing a record determine the contextual property of whether the doctor is on duty.
As a result, when using a device with limited capabilities, the access control mechanism may not be able to determine that the doctor is on duty, resulting in limited access to the