Languages: English
Types: Article
More and more software projects today are security-related in one way or another. Requirements engineers often fail to recognise indicators of security problems, which is a major source of security problems in practice. Identifying security-relevant requirements is labour-intensive and error-prone. In order to facilitate the security requirements elicitation process, we present an approach supporting organisational learning on security requirements by establishing company-wide experience resources and a socio-technical network to benefit from them. The approach is based on modelling the flow of requirements and related experiences. Based on those models, we enable people to exchange experiences about security requirements while they write and discuss project requirements. At the same time, the approach enables participating stakeholders to learn while they write requirements. This can increase security awareness and facilitate learning on both individual and organisational levels. As a basis for our approach, we introduce heuristic assistant tools which support reuse of existing security-related experiences. In particular, they include Bayesian classifiers which issue a warning automatically when new requirements seem to be security-relevant. Our results indicate that this is feasible, in particular if the classifier is trained with domain-specific data and documents from previous projects. We show how the ability to identify security-relevant requirements can be improved using this approach. We illustrate our approach by providing a step-by-step example of how we improved the security requirements engineering process at the European Telecommunications Standards Institute (ETSI) and report on experiences made in this application.
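The Bayesian classifier the abstract refers to is, at its core, a text classifier that warns when a newly written requirement looks security-relevant. The block below is an added illustration of that idea and is not the authors' heuristic assistant tool, its classifier, or its training data: a multinomial naive Bayes classifier with Laplace smoothing over bag-of-words tokens, trained on constructed requirement sentences, that raises a warning when the posterior probability of the "security" class reaches a threshold. It also shows the abstract's point about domain-specific training: a requirement phrased in domain vocabulary (a constructed sentence about session tokens and NGN traffic, not text from ETSI) scores below the threshold under the generic model and above it once a few domain requirements are added. All sentences, class labels, and the 0.5 threshold are assumptions made for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training requirements for illustration (assumption: these are
# not taken from the paper, from ETSI, or from any real project).
GENERIC_TRAINING = [
    ("The system shall encrypt all customer data stored in the database.", "security"),
    ("Only authenticated administrators shall be able to change tariff settings.", "security"),
    ("All login attempts shall be logged and failed attempts shall be reported.", "security"),
    ("The gateway shall authenticate the user before granting access to the home network.", "security"),
    ("Passwords shall be stored as salted hashes.", "security"),
    ("The customer network shall be protected against unauthorized access from the internet.", "security"),
    ("The system shall display the monthly invoice in PDF format.", "other"),
    ("The user interface shall support English and German.", "other"),
    ("The report shall be generated within five seconds.", "other"),
    ("The set-top box shall support HD video playback.", "other"),
    ("The billing module shall round amounts to two decimal places.", "other"),
    ("The customer portal shall show the current data plan.", "other"),
]

# Constructed domain-specific requirements standing in for the "documents from
# previous projects" the abstract mentions (assumption, not ETSI text).
DOMAIN_TRAINING = [
    ("The terminal shall validate the session token on every NGN request.", "security"),
    ("An expired session token shall be rejected by the terminal.", "security"),
    ("The terminal shall display the NGN service name on the home screen.", "other"),
]

TOKEN_RE = re.compile(r"[a-z][a-z0-9\-]+")


def tokenize(text):
    """Lower-cased bag of words. No stemming, so 'validate' and 'validated'
    are different features; a production classifier would normalise them."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesRequirementClassifier:
    """Multinomial naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.class_docs = Counter()               # documents seen per class
        self.class_tokens = Counter()             # tokens seen per class
        self.token_counts = defaultdict(Counter)  # class -> token -> count
        self.vocab = set()

    def train(self, labelled):
        for text, label in labelled:
            toks = tokenize(text)
            self.class_docs[label] += 1
            self.class_tokens[label] += len(toks)
            self.token_counts[label].update(toks)
            self.vocab.update(toks)

    def log_posterior(self, text):
        """Unnormalised log P(class | text) for every trained class."""
        toks = tokenize(text)
        total_docs = sum(self.class_docs.values())
        vocab_size = len(self.vocab)
        scores = {}
        for label, ndocs in self.class_docs.items():
            score = math.log(ndocs / total_docs)  # class prior
            denom = self.class_tokens[label] + self.alpha * vocab_size
            for tok in toks:
                # Smoothing keeps a token never seen in this class from
                # zeroing the whole likelihood.
                score += math.log((self.token_counts[label][tok] + self.alpha) / denom)
            scores[label] = score
        return scores

    def p_security(self, text):
        """Normalised P(security | text), computed in log space for stability."""
        scores = self.log_posterior(text)
        top = max(scores.values())
        total = sum(math.exp(s - top) for s in scores.values())
        return math.exp(scores["security"] - top) / total

    def warn(self, text, threshold=0.5):
        """True when the requirement should be flagged for a security review."""
        return self.p_security(text) >= threshold


def build_classifier(training):
    clf = NaiveBayesRequirementClassifier()
    clf.train(training)
    return clf


def domain_training_effect(requirement):
    """P(security) for one requirement before and after domain-specific training."""
    generic = build_classifier(GENERIC_TRAINING)
    domain = build_classifier(GENERIC_TRAINING + DOMAIN_TRAINING)
    return generic.p_security(requirement), domain.p_security(requirement)


if __name__ == "__main__":
    clf = build_classifier(GENERIC_TRAINING)
    for req in ["Unauthorized users shall not be able to read call records.",
                "The portal shall show the invoice in landscape format."]:
        print(f"{clf.p_security(req):.2f}  warn={clf.warn(req)}  {req}")
    before, after = domain_training_effect(
        "The terminal shall validate the session token before relaying NGN traffic.")
    print(f"domain requirement: {before:.2f} generic -> {after:.2f} with domain data")
```

The domain example is the practical caveat: vocabulary the generic model has never seen (session tokens, NGN terminals) carries no evidence either way, so the decision falls back on the class priors and on whatever common words happen to be present, and a genuinely security-relevant requirement is missed. Since a missed security requirement is the expensive error here, a deployment would tune the threshold on a held-out set from the same domain and treat a low score as "not yet enough evidence" rather than "not security-relevant".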