Abstract
This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.
Notes
We propose to avoid the use of “context”, because it is an overloaded term within software engineering. In requirements engineering, context is often used to refer to the specific environment in which the machine is situated [19]. Context has also increasingly become a concept in newer branches of computer science; one example is “context-aware systems”, which model the properties of a given context, which may or may not be the physical environment. Context is then used to adapt the machine or the environment to the users’ needs.
A non-monotonic logic in which defeasible rules can be overridden by others when certain conditions hold. For example, in the case of an emergency, certain confidentiality rules can be overridden.
The definition of mal-activity diagrams [46] is based on a similar idea. In this recent work, malicious activities and actors are added to UML activity diagrams in order to model potential attacks.
Details about the i*-modeling framework can be found online: http://www.istar.rwth-aachen.de/
Details about Si*: http://www.sesa.dit.unitn.it/sistar_tool/
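As an added illustration of the defeasible-logic footnote above (this is not code from the paper): a small Python evaluator in which a defeasible rule yields its conclusion only when every applicable rule for the opposite literal is beaten, through a superiority relation, by some applicable supporting rule. The rule names, literals and the superiority pair are constructed for this example; the "emergency overrides confidentiality" rule set mirrors the footnote's scenario.

```python
"""Tiny defeasible-rule evaluator (added illustration, not from the paper).

A literal is defeasibly concluded when some applicable rule supports it and
every applicable rule for the opposite literal is beaten, via the superiority
relation, by an applicable supporting rule. The rules below are hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    premises: frozenset   # literals that must hold for the rule to fire
    conclusion: str       # a literal; a leading "~" marks negation


def negate(lit: str) -> str:
    """Return the complementary literal ("x" <-> "~x")."""
    return lit[1:] if lit.startswith("~") else "~" + lit


def conclude(rules, superior, facts, max_rounds=50):
    """Return the set of literals defeasibly provable from `facts`.

    `superior` is a set of (winner, loser) rule-name pairs. Facts are treated
    as indefeasible: no rule may conclude the negation of a fact. Derived
    literals are recomputed from scratch each round, so a rule that becomes
    applicable only after chaining can still withdraw an earlier conclusion;
    rounds are capped because non-monotonic chaining can cycle on
    pathological rule sets.
    """
    proven = set(facts)
    for _ in range(max_rounds):
        fired = [r for r in rules if r.premises <= proven]
        new = set(facts)
        for r in fired:
            if negate(r.conclusion) in facts:
                continue  # cannot contradict an indefeasible fact
            supporters = [s for s in fired if s.conclusion == r.conclusion]
            attackers = [a for a in fired if a.conclusion == negate(r.conclusion)]
            beaten = all(
                any((s.name, a.name) in superior for s in supporters)
                for a in attackers
            )
            if beaten:
                new.add(r.conclusion)
        if new == proven:
            return proven
        proven = new
    return proven


# Constructed example (not from the paper): a medical record must not be
# disclosed, unless an emergency is declared; the emergency rule is superior.
RULES = [
    Rule("confidential", frozenset({"medical_record"}), "~disclose"),
    Rule("emergency_override", frozenset({"medical_record", "emergency"}), "disclose"),
    Rule("audit", frozenset({"disclose"}), "log_access"),  # chained obligation
]
SUPERIOR = {("emergency_override", "confidential")}


def decide(facts):
    """Return (disclosure permitted?, access must be logged?) for `facts`."""
    proven = conclude(RULES, SUPERIOR, frozenset(facts))
    return "disclose" in proven, "log_access" in proven


if __name__ == "__main__":
    print(decide({"medical_record"}))               # (False, False)
    print(decide({"medical_record", "emergency"}))  # (True, True)
```

With no superiority relation, two conflicting applicable rules block each other and neither literal is concluded, which is the conservative outcome a confidentiality policy usually wants by default.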
References
Common Criteria for Information Technology Security Evaluation, Version 3.1. (2006) [Online]. Available: http://www.commoncriteriaportal.org/public/expert/
Bishop M (2003) Computer security. Addison-Wesley, New York
Viega J, McGraw G (2001) Building secure software: how to avoid security problems the right way. Addison-Wesley, New York
Eckert C (2004) IT-Sicherheit, 3rd edn. Oldenbourg-Verlag, München
Firesmith DG (2003) Common concepts underlying safety, security, and survivability engineering. Carnegie Mellon University. Technical report SEI-2003-TN-033
Rupp C, SOPHIST GROUP (2003) Requirements-engineering und -management, 3rd edn. Carl Hanser Verlag
Rannenberg K, Pfitzmann A, Müller G (1999) IT security and multilateral security. In: Müller G, Rannenberg K (eds) Multilateral security in communications—technology, infrastructure, economy. Addison-Wesley, pp 21–29
Zave P, Jackson M (1997) Four dark corners of requirements engineering. ACM Trans Softw Eng Methodol 6(1):1–30
Fricker S, Gorschek T, Glinz M (2008) Goal-oriented requirements communication in new product development. In: Proceedings of the international workshop on software product management. IEEE Computer Society, Los Alamitos, pp 27–34
Liu L, Yu E (2001) From requirements to architectural design using goals and scenarios. In: Proceedings of the international workshop from software requirements to architectures (STRAW). Toronto
Antón AI, Earp JB (2000) Strategies for developing policies and requirements for secure electronic commerce systems. Department of Computer Science, North Carolina State University. Technical report TR-2000-09. [Online]. Available: citeseer.ist.psu.edu/anton00strategies.html
Mylopoulos J, Chung L, Nixon B (1992) Representing and using non-functional requirements: a process-oriented approach. IEEE Trans Softw Eng pp 483–497
Sommerville I (2007) Software Engineering, 8th edn. Addison Wesley, New York
Glinz M (2007) On non-functional requirements. In: Proceedings of 15th IEEE international requirements engineering conference (RE ’07), pp 21–26
Jureta I, Mylopoulos J, Faulkner S (2008) Revisiting the core ontology and problem in requirements engineering. In: Proceedings of 16th IEEE international requirements engineering conference (RE ’08), pp 71–80
Information technology—security techniques—code of practice for information security management (ISO/IEC FDIS 17799:2005) (2005) International Organization for Standardization
Information technology—security techniques—management of information and communications technology security—part 1: Concepts and models for information and communications technology security management (ISO/IEC 13335-1:2004)(2004) International Organization for Standardization
NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems (2001) National institute of standards and technology
Berry DM, Lawrence B (1998) Guest editors’ introduction: requirements engineering. IEEE Softw 15(2):26–29
Robinson WN, Pawlowski SD, Volkov V (2003) Requirements interaction management. ACM Comput Surv 35(2):132–190
Finkelstein A, Gabbay D, Hunter A, Kramer J, Nuseibeh B (1994) Inconsistency handling in multi-perspective specifications. IEEE Trans Softw Eng 20(8):569–578
Easterbrook S, Nuseibeh B (1996) Using viewpoints for inconsistency management. Softw Eng J 31–43
Kotonya G, Sommerville I (1996) Requirements engineering with viewpoints. BCS/IEE Softw Eng J 11(1):5–18
Giorgini P, Massacci F, Mylopoulos J, Zannone N (2006) Detecting conflicts of interest. In: Proceedings 14th IEEE international requirements engineering conference (RE ’06). IEEE Computer Society, pp 308–311
van Lamsweerde A, Darimont R, Massonet P (1998) Managing conflicts in goal-driven requirements engineering. IEEE Trans Softw Eng 24(11):908–926
Jackson M, Zave P (1995) Deriving specifications from requirements: an example. In: Proceedings 17th international conference on software engineering. ACM Press, Seattle, pp 15–24
Haley CB, Laney R, Moffett JD, Nuseibeh B (2006) Using trust assumptions with security requirements. Requir Eng 11(2):138–151
Haley CB, Laney R, Moffett J, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153
Santen T (2006) Stepwise development of secure systems. In: Górski J (ed) International conference on computer safety, reliability and security (SAFECOMP), ser. LNCS 4166. Springer, pp 142–155
Moffett JD, Haley CB, Nuseibeh B (2004) Core security requirements artifacts. The Open University, UK (technical report)
Breaux TD, Antòn A (2005) Analyzing goal semantics for rights, permissions, and obligations. In: Requirements engineering, pp 177–188
Mayer N (2009) Model-based management of information system security risk. Ph.D. dissertation, University of Namur [Online]. Available: http://www.nmayer.eu/publis/Thesis_Mayer_2.0.pdf
Mayer N, Heymans P, Matulevičius R (2007) Design of a modelling language for information system security risk management. In: 1st International conference on research challenges in information science (RCIS 2007)
Mellado D, Fernandez-Medina E, Piattini M (2006) A comparison of the Common Criteria with proposals of information systems security requirements. In: ARES ’06: proceedings of the first international conference on availability, reliability and security (ARES’06). IEEE Computer Society, Washington, DC, pp 654–661
Kalloniatis C, Kavakli E, Gritzalis S (2004) Security requirements engineering for e-government applications: analysis of current frameworks. Springer, Berlin
Tøndel I, Jaatun M, Meland P (2008) Security requirements for the rest of us: a survey. IEEE Softw 25(1):20–27
van Lamsweerde A (2007) Engineering requirements for system reliability and security. In: Broy M, Grünbauer J, Hoare CAR (eds) Software system reliability and security, ser. NATO security through science series-D: information and communication security, vol 9. IOS Press, pp 196–238
Gürses S, Santen T (2006) Contextualizing security goals—a method for multilateral security requirements elicitation. In: Dittmann J (ed) Proceedings of Sicherheit 2006—Schutz und Zuverlässigkeit, ser. Lecture notes in Informatics. Gesellschaft für Informatik, pp 42–53
Gürses S, Berendt B, Santen T (2006) Multilateral security requirements analysis for preserving privacy in ubiquitous environments. In: Berendt B, Menasalvas E (eds) Proceedings of workshop on ubiquitous knowledge discovery for users (UKDU’06) [Online]. Available: http://www.vasarely.wiwi.hu-berlin.de/UKDU06/Proceedings/UKDU06-proceedings.pdf
Gürses S, Jahnke JH, Obry C, Onabajo A, Santen T, Price M (2005) Eliciting confidentiality requirements in practice. In: CASCON ’05: Proceedings of the 2005 conference of the centre for advanced studies on collaborative research. IBM Press, pp 101–116
Onabajo A, Weber-Jahnke J (2008) Stratified modeling and analysis of confidentiality requirements. In: 41st Annual Hawaii international conference on system sciences
Mead N, Hough E, Stehney T (2005) Security quality requirements engineering (SQUARE) methodology. Carnegie Mellon Software Engineering Institute, Technical report CMU/SEI-2005-TR-009
Mead N, Viswanathan V, Padmanabhan D, Raveendran A (2008) Incorporating security quality requirements engineering (SQUARE) into standard life-cycle models. Carnegie Mellon Software Engineering Institute. Technical report CMU/SEI-2008-TN-006
UML Revision Task Force (2006) OMG unified modeling language: superstructure. http://www.omg.org/docs/ptc/06-04-02.pdf
Sindre G, Opdahl AL (2001) Capturing security requirements by misuse cases. In: Proceedings of the 14th Norwegian informatics conference (NIK’2001)
Sindre G (2007) Mal-activity diagrams for capturing attacks on business processes. In: Sawyer P, Paech B, Heymanns P (eds) Proceedings of REFSQ 2007, ser. LNCS 4542. Springer, pp 355–366
Lodderstedt T, Basin DA, Doser J (2002) SecureUML: a UML-based modeling language for model-driven security. In: Proceedings of the 5th international conference on the unified modeling language (UML’02). Springer, London, pp 426–441
UML Revision Task Force (2006) OMG object constraint language: reference. http://www.omg.org/docs/formal/06-05-01.pdf
Jürjens J (2003) Secure systems development with UML. Springer, New York
Bertrand P, Darimont R, Delor E, Massonet P, van Lamsweerde A (1998) GRAIL/KAOS: an environment for goal-driven requirements engineering. In: ICSE’98—20th international conference on software engineering
Dardenne A, van Lamsweerde A, Fickas S (1993) Goal-directed requirements acquisition. Sci Comput Program 20(1–2):3–50
van Lamsweerde A (2004) Elaborating security requirements by construction of intentional anti-models. In: Proceedings of the 26th international conference on software engineering (ICSE’04), pp 148–157
Bresciani P, Perini A, Giorgini P, Giunchiglia F, Mylopoulos J (2004) Tropos: an agent-oriented software development methodology. Auton Agent Multi Agent Syst 8(3):203–236
Giorgini P, Susi A, Perini A, Mylopoulos J (2005) The Tropos metamodel and its use. Informatica 29:401–408
Fuxman A, Liu L, Mylopoulos J, Pistore M, Roveri M, Traverso P (2004) Specifying and analyzing early requirements in tropos. Requir Eng J 9(2):132–150
Yu ES-K (1996) Modelling strategic relationships for process reengineering. Ph.D. dissertation, University of Toronto, Toronto
Yu ESK (1997) Towards modeling and reasoning support for early-phase requirements engineering. In: RE ’97: proceedings of the 3rd IEEE international symposium on requirements engineering. IEEE Computer Society, Washington, DC, p 226
Yu ESK, Liu L (2001) Modelling trust for system design using the i * strategic actors framework. In: Proceedings of the workshop on deception, fraud, and trust in agent societies held during the autonomous agents conference. Springer, London, pp 175–194
Giorgini P, Mouratidis H, Zannone N (2007) Modelling security and trust with secure tropos. In: Integrating security and software engineering: advances and future vision. IDEA
Mouratidis H, Giorgini P (2007) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(2):285–309
Mouratidis H, Giorgini P (2004) Enhancing secure tropos to effectively deal with security requirements in the development of multiagent systems. In: Proceedings of the 1st international workshop on safety and security in multiagent systems, SASEMAS
Mouratidis H, Giorgini P (2005) Secure tropos: dealing effectively with security requirements in the development of multiagent systems. In: Proceedings of the 2nd international workshop on safety and security in multi-agent systems, SASEMAS, ser. Computers & Security, vol 24, no.8. Elsevier, pp 614–617
Massacci F, Mylopoulos J, Zannone N (2007) An ontology for secure socio-technical systems. In: Ontologies for business interaction. Information Science Reference, pp 188–207
Elahi G, Yu E (2007) A goal oriented approach for modeling and analyzing security trade-offs. University of Toronto, Department of Computer Science. Technical report
Matulevičius R, Mayer N, Mouratidis H, Dubois E, Heymans P, Genon N (2008) Adapting secure tropos for security risk management in the early phases of information systems development. In: CAiSE ’08: proceedings of the 20th international conference on advanced information systems engineering. Springer, Berlin, pp 541–555
Mayer N, Rifaut A, Dubois E (2005) Towards a risk-based security requirements engineering framework. In: Proceedings of the 11th international workshop on requirements engineering: foundation for software quality (REFSQ’05), in conjunction with the 17th conference on advanced information systems engineering (CAiSE’05)
Bauer B, Müller JP, Odell J (2001) Agent UML: a formalism for specifying multiagent software systems. Int J Softw Eng Knowl Eng 11(3):207–230
Giorgini P, Manson G, Mouratidis H (2004) Using security attack scenarios to analyse security during information systems design. In: The 6th international conference on enterprise information systems. Porto
Liu L, Yu E, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. In: Proceedings of 11th IEEE requirements engineering conference. IEEE Press, pp 151–161
Abiteboul S, Hull R, Vianu V (1995) Foundations of databases. Addison-Wesley, New York
Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) ST-Tool: a CASE tool for security requirements engineering. In: Proceedings 13th IEEE international requirements engineering conference (RE ’05). IEEE Press, pp 451–452
Massacci F, Zannone N (2006) Detecting conflicts between functional and security requirements with secure tropos: John rusnak and the allied irish bank
Leone N, Pfeifer G, Faber W, Eiter T, Gottlob G, Perri S, Scarcello F (2006) The DLV system for knowledge representation and reasoning. ACM Trans Comput Logic 7(3):499–562
He Q, Antón AI (2003) A framework for modeling privacy requirements in role engineering. In: International workshop on requirements engineering for software quality (REFSQ 2003)
CERIAS Technical Report (1999) Policy framework for interpreting risk in ecommerce security
Hauser J, Clausing D (1988) The house of quality. Harv Bus Rev 32(5)
Jackson M (2001) Problem frames. Analyzing and structuring software development problems. Addison-Wesley, New York
Lin L, Nuseibeh B, Ince D, Jackson M (2004) Using abuse frames to bound the scope of security problems. In: Proceedings of 11th IEEE international requirements engineering conference (RE’04). pp 354–355
Hatebur D, Heisel M, Schmidt H (2006) Security engineering using problem frames. In: Müller G (ed) Proceedings of the international conference on emerging trends in information and communication security (ETRICS’06), ser. LNCS 3995. Springer, pp 238–253
Hatebur D, Heisel M, Schmidt H (2007) A pattern system for security requirements engineering. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 356–365
Hatebur D, Heisel M, Schmidt H (2007) A security engineering process based on patterns. In: Proceedings of the international workshop on secure systems methodologies using patterns (SPatterns). IEEE Computer Society, pp 734–738
Hatebur D, Heisel M, Schmidt H (2008) Analysis and component-based realization of security requirements. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 195–203
Schmidt H (2009) Pattern-based confidentiality-preserving refinement. In: Engineering secure software and systems—first international symposium (ESSoS), ser. LNCS, vol 5429. Springer, Berlin, pp 43–59
Schmidt H, Wentzlaff I (2006) Preserving software quality characteristics from requirements analysis to architectural design. In: Proceedings of the European workshop on software architectures (EWSA), vol 4344/2006. Springer, Berlin, pp 189–203
Haley CB, Moffett JD, Laney R, Nuseibeh B (2006) A framework for security requirements engineering. In: SESS ’06: proceedings of the 2006 international workshop on Software engineering for secure systems. ACM Press, New York, pp 35–42
Haley C, Laney R, Moffett J, Nuseibeh B (2004) Picking battles: the impact of trust assumptions on the elaboration of security requirements. In: Jensen CD, Poslad S, Dimitrakos T (eds) iTrust’04, pp 347–354
Haley CB, Moffett JD, Laney R, Nuseibeh B (2005) Arguing security: validating security requirements using structured argumentation. In: Proceedings of the 3rd symposium on requirements engineering for information security (SREIS’05). Paris
Braber F, Hogganvik I, Lund MS, Stølen K, Vraalsen F (2007) Model-based security analysis in seven steps—a guided tour to the CORAS method. BT Technol J 25(1):101–117
Dahl HEI, Hogganvik I, Stølen K (2007) Structured semantics for the CORAS security risk modelling language. SINTEF information and communication technology Technical report STF07 A970
Asnar Y, Giorgini P, Massacci F, Zannone N (2007) From trust to dependability through risk analysis. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 19–26
Asnar Y, Giorgini P, Mylopoulos J (2006) Risk modelling and reasoning in goal models. University of Trento. Technical report DIT-06-008
Keblawi F, Sullivan D (2006) Applying the common criteria in systems engineering. IEEE Secur Priv 4(2):50–55
Mellado D, Fernandez-Medina E, Piattini M (2006) Applying a security requirements engineering process. In: ESORICS’06
Mellado D, Fernandez-Medina E, Piattini M (2006) A comparison of the common criteria with proposals of information systems security requirements. In: First international conference on availability, reliability, and security (ARES’06). pp 654–661
Booch G, Rumbaugh J, Jacobson I (1999) The Unified Software Development Process. Addison-Wesley, New York
Sindre G, Firesmith DG, Opdahl AL (2003) A reuse-based approach to determining security requirements. In: Ninth international workshop on requirements engineering (REFSQ’03). http://www.citeseer.ist.psu.edu/580371.html
MAP (2005) Metodología de análisis y gestión de riesgos de los sistemas de información (MAGERIT v2)
Acknowledgments
We thank the anonymous reviewers for their helpful comments and suggestions.
Cite this article
Fabian, B., Gürses, S., Heisel, M. et al. A comparison of security requirements engineering methods. Requirements Eng 15, 7–40 (2010). https://doi.org/10.1007/s00766-009-0092-x