Skip to main content
SpringerLink
Log in

Enhancing security requirements engineering by organizational learning

  • REFSQ 2011
  • Published:
Requirements Engineering Aims and scope Submit manuscript

Abstract

More and more software projects today are security-related in one way or the other. Requirements engineers without expertise in security are at risk of overlooking security requirements, which often leads to security vulnerabilities that can later be exploited in practice. Identifying security-relevant requirements is labor-intensive and error-prone. In order to facilitate the security requirements elicitation process, we present an approach supporting organizational learning on security requirements by establishing company-wide experience resources and a socio-technical network to benefit from them. The approach is based on modeling the flow of requirements and related experiences. Based on those models, we enable people to exchange experiences about security-relevant requirements while they write and discuss project requirements. At the same time, the approach enables participating stakeholders to learn while they write requirements. This can increase security awareness and facilitate learning on both individual and organizational levels. As a basis for our approach, we introduce heuristic assistant tools. They support reuse of existing experiences that are relevant for security. In particular, they include Bayesian classifiers that issue a warning automatically when new requirements seem to be security-relevant. Our results indicate that this is feasible, in particular if the classifier is trained with domain-specific data and documents from previous projects. We show how the ability to identify security-relevant requirements can be improved using this approach. We illustrate our approach by providing a step-by-step example of how we improved the security requirements engineering process at the European Telecommunications Standards Institute (ETSI) and report on experiences made in this application.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13

Similar content being viewed by others

References

  1. Alberts C, Dorofee A (2002) Managing information security risks: the OCTAVE (TM) approach. Addison-Wesley, New York

    Google Scholar 

  2. Allmann C, Winkler L, Kölzow T (2006) The requirements engineering gap in the OEM-supplier relationship. J Univers Knowl Manag 1(2):103–111

    Google Scholar 

  3. Baeza-Yates R, Ribeiro-Neto B (1999) Modern information retrieval. ACM Press, Addison Wesley

    Google Scholar 

  4. Barber B, Davey J (1992) The use of the CCTA risk-analysis and management methodology [CRAMM] in health information systems. In: Degoulet P, Lun KC, Piemme TE, Rienhoff O (eds) MEDINFO ’92, Elsevier, North-Holland, pp 1589–1593

    Google Scholar 

  5. Berry DM, Kamsties E (2004) Perspectives on requirements engineering, chapter 2. Ambiguity in requirements specification. Kluwer, pp 7–44

  6. CEPSCO. Common electronic purse specification (ePurse). http://web.archive.org/web/*/http://www.cepsco.com. Accessed Apr 2007

  7. Chantree F, Nuseibeh B, de Roeck A, Willis A (2006) Identifying Nocuous ambiguities in natural language requirements. In: Proceedings of the 14th IEEE international requirements engineering conference, pp 56–65, Minneapolis, USA, 2006. IEEE Computer Society

  8. Chung L (1993) Dealing with security requirements during the development of information systems. In: Rolland C, Bodart F, Cauvet C (eds) CAiSE, vol 685 of lecture notes in computer science, pp 234–251. Springer

  9. Damian D, Marczak S, Kwan I (2007) Collaboration patterns and the impact of distance on awareness in requirements-centred social networks. In: Proceedings of 15th IEEE international requirements engineering conference (RE 2007), New Delhi, India

  10. De Marco T (1979) Structured analysis and system specification. Prentice-Hall, Englewood Cliffs

    Google Scholar 

  11. den Braber F, Hogganvik I, Lund MS, Stølen K, Vraalsen F (2007) Model-based security analysis in seven steps—a guided tour to the CORAS method. BT Technol J 25(1):101–117

    Article  Google Scholar 

  12. Fischer G (1994) Domain-oriented design environments. Autom Softw Eng 1:177–203

    Article  Google Scholar 

  13. Giorgini P, Massacci F, Mylopoulos J (2003) Requirement engineering meets security: a case study on modelling secure electronic transactions by VISA and mastercard. In: Song I-Y, Liddle SW, Ling TW, Scheuermann P (eds) ER, vol 2813 of lecture notes in computer science. Springer, pp 263–276

  14. Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) ST-Tool: a CASE tool for security requirements engineering. In: RE ’05: proceedings of the 13th IEEE international conference on requirements engineering, pp 451–452, Washington, DC, USA. IEEE Computer Society

  15. GlobalPlatform. Global platform specification (GPS). http://www.globalplatform.org. Accessed Aug 2010

  16. Höhn S, Jürjens J (2008) Rubacon: automated support for model-based compliance engineering. In: Robby (ed) ICSE, pp 875–878. ACM

  17. Houmb SH, Islam S, Knauss E, Jürjens J, Schneider K (2010) Eliciting security requirements and tracing them to design: an integration of common criteria, heuristics, and UMLsec. Requir Eng J 15(1):63–93

    Article  Google Scholar 

  18. International Standardization Organization (2007) ISO 15408:2007 common criteria for information technology security evaluation, version 3.1, revision 2, CCMB-2007-09-001, CCMB-2007-09-002 and CCMB-2007-09-003, Sept 2007

  19. Ireson N, Ciravegna F, Califf ME, Freitag D, Kushmerick N, Lavelli A (2005) Evaluating machine learning for information extraction. In: ICML ’05: proceedings of the 22nd international conference on machine learning, pp 345–352, Bonn, Germany. ACM

  20. Islam S, Pavlidis M (2011) SecTro: a CASE tool for modelling security in requirements engineering using secure tropos. In: CAiSE ’11: Proceedings of the CAiSE forum 2011, pp 89–96, London. CEUR-WS, vol-734

  21. Jürjens J (2005) Secure systems development with UML. Springer, New York

    MATH  Google Scholar 

  22. Jürjens J, Shabalin P (2007) Tools for secure systems development with UML. Int J Softw Tools Technol Transf 9(5):527–544

    Article  Google Scholar 

  23. Jürjens J, Wimmel G (2001) Formally testing fail-safety of electronic purse protocols. In: 16th international conference on automated software engineering (ASE 2001), pp 408–411. IEEE Computer Society

  24. Jürjens J, Schreck J, Bartmann P (2008) Model-based security analysis for mobile communications. In: 30th intern. conference on software engineering (ICSE 2008). ACM

  25. Kelloway KE, Barling J (2000) Knowledge work as organizational behavior. Int J Manag Rev 2:287–304

    Article  Google Scholar 

  26. Kiyavitskaya N, Zeni N, Breaux TD, Antón AI, Cordy JR, Mich L, Mylopoulos J (2008) Automating the extraction of rights and obligations for regulatory compliance. In: Li Q, Spaccapietra S, Yu E, Olivé A (eds) Proceedings of 27th international conference on conceptual modeling, lecture notes in computer science, pp 154–168, Barcelona, Spain. Springer

  27. Kiyavitskaya N, Zeni N, Mich L, Berry DM (2008) Requirements for tools for ambiguity identification and measurement in natural language requirements specifications. Requir Eng J 13(3):207–239

    Article  Google Scholar 

  28. Knauss EW (2010) Verbesserung der Dokumentation von Anforderungen auf Basis von Erfahrungen und Heuristiken. Cuvillier Verlag, Göttingen, Germany. Phd thesis

  29. Knauss E, Flohr T (2007) Managing requirement engineering processes by adapted quality gateways and critique-based RE-Tools. In: Proceedings of workshop on measuring requirements for project and product success, Palma de Mallorca, Spain, November. in conjunction with the IWSM-Mensura conference

  30. Knauss E, Lübke D (2008) Using the friction between business processes and use cases in SOA requirements. In: Proceedings of the 32nd annual IEEE international computer software and applications conference (COMPSAC), workshop on requirements engineering for services, pp 601–606, Turku, Finland

  31. Knauss E, Lübke D, Meyer S (2009) Feedback-driven requirements engineering: the heuristic requirements assistant. In: International conference on software engineering (ICSE’09), formal research demonstrations track, pp 587–590, Vancouver, Canada

  32. Knauss E, Schneider K, Stapel K (2009) Learning to write better requirements through heuristic critiques. In: Proceedings of 17th IEEE requirementes engineering conference (RE 2009), Atlanta, USA

  33. Knauss E, Houmb S, Schneider K, Islam S, Jürjens J (2011) Supporting requirements engineers in recognising security issues. In: Berry D, Franch X (eds) Proceedings of the 17th international working conference on requirements engineering: foundation for software quality (REFSQ ’11), LNCS, Essen, Germany, Springer

  34. Kof L (2005) Text analysis for requirements engineering. PhD thesis, Technische Universität München, München

  35. Lee SK, Muthurajan D, Gandhi RA, Yavagal DS, Ahn G-J (2006) Building decision support problem domain ontology from natural language requirements for software assurance. Int J Softw Eng Knowl Eng 16(6):851–884

    Article  Google Scholar 

  36. Matulevicius R, Mayer N, Mouratidis H, Dubois E, Heymans P, Genon N (2008) Adapting secure tropos for security risk management in the early phases of information systems development. In: Bellahsene Z, Léonard M (eds) CAiSE, vol 5074 of lecture notes in computer science, pp 541–555. Springer

  37. Mellado D, Rodríguez J, Fernández-Medina E, Piattini M (2009) Automated support for security requirements engineering in software product line domain engineering. Availability, reliability and security, international conference on 0:224–231

    Google Scholar 

  38. Moody DL (2009) The "Physics" of notations: toward a scientific basis for constructing visual notations in software engineering. IEEE Trans Softw Eng 35(6):756–779

    Article  Google Scholar 

  39. Mouratidis H, Giorgini P, Manson GA (2003) Integrating security and systems engineering: towards the modelling of secure information systems. In: Eder J, Missikoff M (eds) CAiSE, vol 2681 of lecture notes in computer science, pp 63–78. Springer

  40. Ouedraogo M, Mouratidis H, Khadraoui D, and Dubois E (2010) An agent-based system to support assurance of security requirements. In: SSIRI, pp 78–87. IEEE Computer Society

  41. Polanyi M (1966) The Tacit dimension. Doubleday, Garden City

    Google Scholar 

  42. Russell N, Hofstede AHMt, Aalst WMPvd (2007) newYAWL: specifying a workflow reference language using coloured petri nets. In: Eighth workshop and tutorial on practical use of coloured petri nets and the CPN tools

  43. Schneider K (2005) Software process improvement from a FLOW perspective. In: Learning software organizations workshop, 2005

  44. Schneider K (2007) Generating fast feedback in requirements elicitation. In: Requirements engineering: foundation for software quality (REFSQ 2007)

  45. Schneider K (2009) Experience and knowledge management in software engineering. Springer, Berlin

  46. Schneider K, Lübke D (2005) Systematic tailoring of quality techniques. In: World congress of software quality 2005, vol 3/3

  47. Schneider K, Stapel K, Knauss E (2008) Beyond documents: visualizing informal communication. In: Proceedings of third international workshop on requirements engineering visualization (REV 08), Barcelona, Spain

  48. Schön DA (1983) The reflective practitioner: how professionals think in action. Basic Books, New York

    Google Scholar 

  49. Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Requir Eng J 10(1):34–44

    Article  Google Scholar 

  50. Stapel K, Schneider K, Lübke D, Flohr T (2007) Improving an industrial reference process by information flow analysis: a case study. In: Proceedings of PROFES 2007, vol 4589 of LNCS, pp 147–159, Riga, Latvia, 2007. Springer, Berlin

  51. Stapel K, Knauss E, Allmann C (2008) Lightweight process documentation: just enough structure in automotive pre-development. In: O’Connor RV, Baddoo N, Smolander K, Messnarz R (eds) Proceedings of the 15th european conference, EuroSPI, communications in computer and information science, pp 142–151, Dublin, Ireland, 9 2008. Springer

  52. Stapel K, Knauss E, Schneider K (2009) Using FLOW to improve communication of requirements in globally distributed software projects. In: Workshop on collaboration and intercultural issues on requirements: communication, understanding and softskills (CIRCUS ’09), Atlanta, USA, Nov 2009

  53. TISPAN, ETSI (2010) Telecommunications and internet converged services and protocols for advanced networking (TISPAN); services requirements and capabilities for customer networks connected to TISPAN NGN. Technical report, European Telecommunications Standards Institute

  54. Weiss SM, Kulikowski CA (1991) Computer systems that learn: classification and prediction methods from statistics, neural nets, machine learning, and expert systems. M. Kaufmann Publishers, San Mateo

  55. Winkler S (2007) Information flow between requirement artifacts. In: Proceedings of REFSQ 2007 international working conference on requirements engineering: foundation for software quality, vol 4542 of lecture notes in computer science, pp 232–246, Trondheim, Norway, 2007. Springer, Berlin

  56. Wise A (2006) Little-JIL 1.5 Language Report. Technical report, Department of Computer Science, University of Massachusetts

  57. Wohlin C, Runeson P, Höst M, Ohlsson MC, Regnell B, Wesslén A (2000) Experimentation in software engineering: an introduction. Kluwer Academic Publishers, Boston

    Book  MATH  Google Scholar 

Download references

Acknowledgments

This work was partially funded by the German National Science Foundation (DFG InfoFLOW 2008–2011) and the EU project Secure Change (ICT-FET-231101).

Author information

Authors and Affiliations

  1. Software Engineering Group, Leibniz Universität Hannover, Welfengarten 1, 30167, Hannover, Germany

    Kurt Schneider & Eric Knauss

  2. Secure-NOK AS, Sandnes, Norway

    Siv Houmb

  3. School of Computing, IT and Engineering, University of East London, 4-6 University way, London, E16 2RD, UK

    Shareeful Islam

  4. Chair for Software Engineering, TU Dortmund and Fraunhofer ISST, Baroper Strasse 301, 44227, Dortmund, Germany

    Jan Jürjens

Authors
  1. Kurt Schneider
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Eric Knauss
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Siv Houmb
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Shareeful Islam
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Jan Jürjens
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Eric Knauss.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Schneider, K., Knauss, E., Houmb, S. et al. Enhancing security requirements engineering by organizational learning. Requirements Eng 17, 35–56 (2012). https://doi.org/10.1007/s00766-011-0141-0

Download citation

  • Received:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s00766-011-0141-0

Keywords

Search

Navigation