.jpg)
by Sam Supakkul and Lawrence Chung
Introduction | Evaluation Catalog for Closed World Assumption | Evaluation Catalog for Open World Assumption |
Using goal-oriented modeling, an analyst represents stakeholders' hard (functional) and soft (non-functional) goals, then refines the goals and explores alternatives to achieve them. When using the NFR Framework [book (draft), paper (draft)] to model non-functional requirements (NFRs) as softgoals, the analyst explores goal operationalization alternatives and selects the desirable operationalizations and labeled them as Satisficed (denoted by a check mark), while labeling those discarded solutions as Denied (denoted by a cross mark). The achievement of top goals are determined based on the achievement of sub-goals and how they contribute to the achievement of parent goals using the evaluation procedure as depicted in the catalogs (Fig. 6 or Fig. 7), depending on the appropriate world assumption (closed or open).
Under the closed world assumption, "The implicit representation of negative facts presumes total knowledge about the domain being represented."[Reiter78]. Take Fig. 1a for an example, only TakeMagicalDrug is represented as total knowledge about how to achieve StayHealthy goal (denoted by MAKE/++), meaning it is the only way to StayHealthy. When TakeMagicalDrug is considered invalid and thus Denied (denoted by a cross mark), StayHealthy goal is also considered denied because there is no other known ways to stay healthy (under the closed world assumption). On the other hand, Fig. 1b, under the open world assumption where "gaps in one's knowledge about the domain are permitted" [Reiter78], TakeMagicalDrug is represented as one way, but not the only way, to StayHealthy. Therefore, when TakeMagicalDrug is denied, StayHealthy is not also considered denied. Fig. 1c and 1d show additional examples of label evaluation for negative contribution where SmokeCigarette is known to be the only way that negatively affects StayHealthy (denoted by BREAK/--) under the closed world assumption, but considered to be only one way that hurts StayHealthy under the open world assumption respectively. When SmokeCigarette is denied, we can claim that StayHealthy is WeaklySatisficed (W+) under the closed world assumption as the only known health hazard (SmokeCigarette) has been denied while we cannot make the same claim under the open world assumption as SmokeCigarette is not the only health hazard in the domain.
Figure 1. Comparisons of Label Evaluation Between Closed and Open World Assumptions
While the closed assumption is necessary for information systems such as in database systems [Reiter78], but it may not be intuitive for world or organizational level modeling, especially for stakeholder goals modeling where the open world assumption could better reflect knowledge about the world as illustrated in Fig. 1b and 1d. As a general guideline for goal-oriented modeling using the open world assumption, Denied labels are not propagated to parent goals. For example, when considering Password and RetinaScan alternatives for achieving Authentication of Account access (Fig. 2a), an analyst may choose Password over RetinaScan due the associated cost for collecting and maintaining biometric samples, the decisions reflected by respective Satisficed (checked) and Denied (crossed) labels. By not propagating Denied labels under the open world assumption, only the Satisficed label of Password is appropriately propagated to WeaklySatisficed for Authentication. Using the open world assumption in this case is more intuitive than the closed world assumption where the Denied label of RetinaScan is propagated to Denied label for Authentication while the Satisficed label of Password is propagated to WeaklySatisficed for Authentication, thus resulting in an Undecided (u) label for Authentication (see Fig. 2b), due to the opposing resultant positive and negative labels. But the Undecided label does not truly reflect the decisions made by the analyst because the analyst has "decided". Therefore, the open world assumption provides a more intuitive label evaluation in this case.
.jpg)
Figure 2. The Open World Assumption is Useful in General Goal-Oriented Modeling
In some cases, however, the closed world assumption can be useful, for example when dealing with bad things as in security engineering where emphasis is often on mitigating known threats. Using Fig. 3a as an example, if Hackers have "Hacked passwords" as a goal that can be achieved by "Dictionary attack" and "Hack passwords repository", an organization may try to mitigate by using "Strong passwords" and "Encryption" against the two causal threats (denoted by BREAK/--), where "Strong passwords" is further And-decomposed to "Non-dictionary words" and "Frequently changed passwords" sub-goals. Suppose the stakeholders agree with the mitigation techniques as denoted by the Satisficed label (checked). The Satisficed labels are propagated and turned into Denied labels on "Dictionary attack" and "Hack passwords repository" respectively across the BREAK/-- links (see the closed world evaluation catalog in Figure 6 below), which are in turn propagated to Denied label for "Hacked passwords" across the MAKE/++ links, serving as an indicator that the organization has mitigated this known threat. On the other hand, under the open world assumption where Denied labels are not propagated, "Hacked passwords" is not derived to be Denied, thus not providing an indicator that HackedPassword has been mitigated, contradicting the effort by the organization. Therefore, the closed world assumption can be useful for applications that deal with bad things or problem-oriented modeling The notations for problems (e.g. Hacked passwords) and stakeholder level problem-oriented modeling are discussed more in detail here.
.jpg)
Figure 3. The Closed World Assumption is Useful in Problem-Oriented Modeling
Label propagation has been discussed in terms of goal-to-goal propagation so far (see Fig. 3), which is also illustrated in the catalogs in Fig. 6 and 7. However, the label evaluation procedure in fact treats softgoals and contribution links generically as propositions. Therefore, the propagation illustrated in the catalogs are applicable for both goal-to-goal and goal-to-link propagation Although link-to-goal and link-to-link propagation are possible in theory, but the constructs are not commonly used in practice, their label propagation are therefore not discussed here. Figure 4 shows examples of goal-to-goal and goal-to-link propagation where the Satisficed label of Accuracy is derived from the Satisficed label of Auditing while the Denied label of the MAKE (++) contribution link between StayHealthy and TakeMagicalDrug is derived from the Satisficed label of "Not scientifically proven" Claim that is reversed from Satisficed to Denied across the BREAK (--) contribution according to the catalogs illustrated below.
Figure 4. Examples of Uniform Label Propagation from Goal-to-Goal and Goal-to-Link
Notice that, in Fig. 4, the label of Accuracy is evaluated but that of StayHealthy is unknown and not evaluated because the MAKE(++) contribution for Accuracy is Satisficed while that of StayHealthy is Denied. This reflects the rule of label propagation for MAKE contribution that the parent goal is only evaluated when the contribution is Satisficed as described below.
"If the offspring is satisficed when the interdependency itself is satisficed then the parent is satisficeable" [book p.67]
or more formally,
[lecture p.69]
Figure 5 shows hypothetical examples of the effect of the contribution on label propagation for BREAK (--) contribution where the label of NFR1 in Fig.1 is not evaluated and unknown because the BREAK(--) contribution is Denied by Satisficed Claim1 that provides an "against" argument (BREAK/--). However, when the argument is countered by Claim2 in Fig. 5b, its "against" relationship (BREAK/-- from Claim1) is Denied, causing the Satisficed label of Claim 1 not to be propagated. As the result, the BREAK contribution between NFR1 and Op1 can be Satisficed as there is no negative evidence against it. Consequently, the Satisficed label of Op1 is propagated to Denied label for NFR1 as if Claim1 did not exist.
Figure 5. Effect of the label of MAKE(--) contribution on label propagation
Similarly, the rules for other contribution links (e.g. HELP/+, HURT/-) have a similar clause that in effect suggests that the parent goal's label be evaluated only when the contribution in question is Satisficed. This is reflected in the catalogs in Fig. 6 and 7 that the propagation are as illustrated only when the links are Satisficed as denoted by a check mark on the links.
This catalog illustrates the label propagation procedure using the closed world assumption, which is supported by the Softgoal Profile tool. The label propagation follows closely the label evaluation procedure described in the NFR Framework.
Figure 6. A Catalog of Label Evaluation Using Closed World Assumption
This catalog illustrates the label evaluation using the open world assumption as described above, which is also supported by the Softgoal Profile tool. The label propagation follows the procedure described in the NFR Framework except that it does not propagate Denied labels upward toward parent softgoals or contributions.
Figure 7. A Catalog of Label Evaluation Using Open World Assumption
Legend
© 2007-2009 Sam Supakkul
Updated May 11, 2009