Published in: Arabian Journal for Science and Engineering 11/2019

06-08-2019 | Review Article - Computer Engineering and Computer Science

A Systematic Review and Analytical Evaluation of Security Requirements Engineering Approaches

Authors: Malik Nadeem Anwar Mohammad, Mohammed Nazir, Khurram Mustafa


Abstract

Security is an unavoidable concern given the pervasiveness of software-based applications and current development practices. Researchers and practitioners frequently advocate that security-related aspects be integrated from the very beginning of the software development life cycle (SDLC), and security requirements engineering (SRE) plays an important role in its inceptive phases. We therefore conducted a systematic review of the current state of the SRE literature. In total, we selected and analyzed 108 relevant studies. From these we identified 20 distinct SRE approaches and compared them on technical parameters such as performance in the requirements sub-phase, usability with respect to the size and complexity of the project, notation used, industry recognition and adoption, tool support, standards integration and elicitation technique used. The results of this study rest on the comparative analysis of the SRE approaches, their analytical evaluation by the authors and the trends observed during the review. The major findings indicate that Misuse Case, Secure Tropos, SEPP and SQUARE are the approaches most popular among researchers, while UML-based approaches such as Misuse Case, SecureUML and UMLsec are the most easily adaptable. Threat modeling is adopted as an activity by most SRE approaches, whereas only a few support risk analysis. Among several other findings, our study indicates that most SRE approaches fail to integrate security standards and formal methods. The contribution of this work is consequently a summarized comparison of existing SRE approaches for researchers, together with the best practices adopted in the field of security requirements engineering.
The insights provided here on selection appropriateness may prove instrumental for research in the area and may significantly assist both researchers and practitioners.
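As an added illustration of the distinction the abstract draws between threat modeling (enumerating misuse cases against the system's use cases and tracing security requirements to them) and risk analysis (ranking those misuse cases by estimated likelihood and impact), the following Python model performs both steps and the consistency checks a requirements analyst would run on a misuse-case model. This is example code written for this page; it is not code from the reviewed paper or from any of the surveyed SRE approaches. The online-banking use cases, misuse cases, requirements and the 1-to-5 likelihood and impact scales are constructed assumptions, not data from the review.

```python
"""Misuse-case threat model with traceability checks and a risk-analysis pass.

Added example for this page; not code from the reviewed paper or from any
SRE approach it surveys. All assets, use cases, misuse cases, requirements
and the 1..5 likelihood/impact scales below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class MisuseCase:
    mid: str
    name: str
    threatens: str      # use case the misuser attacks
    asset: str          # asset whose security goal is at stake
    likelihood: int     # analyst estimate, 1 (rare) .. 5 (almost certain)
    impact: int         # analyst estimate, 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class SecurityRequirement:
    rid: str
    text: str
    mitigates: FrozenSet[str]   # ids of the misuse cases this requirement counters


@dataclass
class SreModel:
    use_cases: Set[str]
    misuse_cases: List[MisuseCase]
    requirements: List[SecurityRequirement]


def coverage_gaps(model: SreModel) -> List[str]:
    """Threat-modeling check: misuse cases that no security requirement mitigates."""
    mitigated = set().union(*(r.mitigates for r in model.requirements))
    return sorted(m.mid for m in model.misuse_cases if m.mid not in mitigated)


def dangling(model: SreModel) -> Tuple[List[str], List[str]]:
    """Model-consistency check.

    Returns (requirements that trace to an unknown misuse case,
             misuse cases that threaten a use case absent from the model).
    """
    known = {m.mid for m in model.misuse_cases}
    bad_reqs = sorted(r.rid for r in model.requirements if not r.mitigates <= known)
    bad_mcs = sorted(m.mid for m in model.misuse_cases if m.threatens not in model.use_cases)
    return bad_reqs, bad_mcs


def risk_ranking(model: SreModel) -> List[Tuple[int, str]]:
    """Risk-analysis pass: (likelihood * impact, id), highest risk first, ties by id."""
    scored = [(m.likelihood * m.impact, m.mid) for m in model.misuse_cases]
    return sorted(scored, key=lambda t: (-t[0], t[1]))


def prioritised_gaps(model: SreModel, threshold: int = 10) -> List[Tuple[int, str]]:
    """Unmitigated misuse cases whose risk score reaches the threshold: address these first."""
    gaps = set(coverage_gaps(model))
    return [(score, mid) for score, mid in risk_ranking(model) if mid in gaps and score >= threshold]


def build_example() -> SreModel:
    """Constructed online-banking model (hypothetical; the scores are illustrative only)."""
    misuse = [
        MisuseCase("MC1", "Guess customer password", "Log in", "Customer account", 4, 4),
        MisuseCase("MC2", "Replay a captured transfer request", "Transfer funds", "Customer funds", 2, 5),
        MisuseCase("MC3", "Sniff statement data in transit", "View statement", "Statement data", 4, 3),
        # 'Audit' is not a modelled use case, so MC4 is flagged as dangling.
        MisuseCase("MC4", "Tamper with audit trail", "Audit", "Audit log", 2, 4),
    ]
    reqs = [
        SecurityRequirement("SR1", "Lock the account after 5 failed logins and enforce password strength",
                            frozenset({"MC1"})),
        SecurityRequirement("SR2", "Each transfer carries a one-time nonce; a reused nonce is rejected",
                            frozenset({"MC2"})),
        # MC9 does not exist, so SR3 is a dangling requirement (MC4 is still covered by it).
        SecurityRequirement("SR3", "Audit entries are signed and append-only",
                            frozenset({"MC4", "MC9"})),
    ]
    return SreModel({"Log in", "Transfer funds", "View statement"}, misuse, reqs)


if __name__ == "__main__":
    model = build_example()
    print("uncovered misuse cases:", coverage_gaps(model))           # ['MC3']
    print("dangling (requirements, misuse cases):", dangling(model))  # (['SR3'], ['MC4'])
    print("risk ranking:", risk_ranking(model))
    print("gaps to address first:", prioritised_gaps(model))         # [(12, 'MC3')]
```

The two checks correspond to the two activities the abstract contrasts: `coverage_gaps` and `dangling` are pure threat-model traceability (every misuse case needs a mitigating requirement, and every trace must point at something that exists), while `risk_ranking` and `prioritised_gaps` add the risk-analysis step that most surveyed approaches omit, so that an uncovered but low-risk misuse case does not crowd out a high-risk one.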


[S67]
go back to reference Mead, N.R.; Stehney, T.: Security quality requirements engineering (SQUARE) methodology. In: Proceedings of the Workshop on Software Engineering for Secure Systems Building Trustworthy Applications, St. Louis, Missouri, pp. 1–7. ACM (2005) Mead, N.R.; Stehney, T.: Security quality requirements engineering (SQUARE) methodology. In: Proceedings of the Workshop on Software Engineering for Secure Systems Building Trustworthy Applications, St. Louis, Missouri, pp. 1–7. ACM (2005)
[S68]
go back to reference Mead, N.R.; Viswanathan, V.; Padmanabhan, D.; Raveendran, A.: Incorporating security quality requirements engineering (SQUARE) into standard life-cycle models. Technical report, Software Engineering Institute, Carnegie Mellon University (2008) Mead, N.R.; Viswanathan, V.; Padmanabhan, D.; Raveendran, A.: Incorporating security quality requirements engineering (SQUARE) into standard life-cycle models. Technical report, Software Engineering Institute, Carnegie Mellon University (2008)
[S69]
go back to reference Mellado, D.; Fernández-Medina, E.; Piattini, M.: Applying a security requirements engineering process. In: European Symposium on Research in Computer Security, pp. 192–206. Springer, New York (2006) Mellado, D.; Fernández-Medina, E.; Piattini, M.: Applying a security requirements engineering process. In: European Symposium on Research in Computer Security, pp. 192–206. Springer, New York (2006)
[S70]
go back to reference Mellado, D.; Fernández-Medina, E.; Piattini, M.: A common criteria based security requirements engineering process for the development of secure information systems. Comput. Stand. Interfaces 29(2), 244–253 (2007)CrossRef Mellado, D.; Fernández-Medina, E.; Piattini, M.: A common criteria based security requirements engineering process for the development of secure information systems. Comput. Stand. Interfaces 29(2), 244–253 (2007)CrossRef
[S71]
go back to reference Mellado, D.; Mouratidis, H.; Fernández-Medina, E.: Secure Tropos framework for software product lines requirements engineering. Comput. Stand. Interfaces 36(4), 711–722 (2014)CrossRef Mellado, D.; Mouratidis, H.; Fernández-Medina, E.: Secure Tropos framework for software product lines requirements engineering. Comput. Stand. Interfaces 36(4), 711–722 (2014)CrossRef
[S72]
go back to reference Mouratidis, H.; Giorgini, P.: Secure Tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)CrossRef Mouratidis, H.; Giorgini, P.: Secure Tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(02), 285–309 (2007)CrossRef
[S73]
go back to reference Mouratidis, H.; Giorgini, P.: Enhancing secure tropos to effectively deal with security requirements in the development of multiagent systems. Saf. Secur. Multiagent Syst. 4324(1), 8–26 (2009)CrossRef Mouratidis, H.; Giorgini, P.: Enhancing secure tropos to effectively deal with security requirements in the development of multiagent systems. Saf. Secur. Multiagent Syst. 4324(1), 8–26 (2009)CrossRef
[S74]
go back to reference Oueslati, H.; Rahman, M.M.; ben Othmane, L.: Literature review of the challenges of developing secure software using the Agile approach. In: Proceedings of the 10th International Conference on Availability, Reliability and Security(ARES), Toulouse, France, pp. 540–547. IEEE Computer Society (2015) Oueslati, H.; Rahman, M.M.; ben Othmane, L.: Literature review of the challenges of developing secure software using the Agile approach. In: Proceedings of the 10th International Conference on Availability, Reliability and Security(ARES), Toulouse, France, pp. 540–547. IEEE Computer Society (2015)
[S75]
go back to reference Pavlidis, M.; Islam, S.: SecTro: A CASE tool for modelling security in requirements engineering using Secure Tropos. In: CAiSE Forum, pp. 89–96 (2011) Pavlidis, M.; Islam, S.: SecTro: A CASE tool for modelling security in requirements engineering using Secure Tropos. In: CAiSE Forum, pp. 89–96 (2011)
[S76]
go back to reference Pavlidis, M.; Mouratidis, H.; Panaousis, E.; Argyropoulos, N.: Selecting security mechanisms in Secure Tropos. In: International Conference on Trust and Privacy in Digital Business, pp. 99–114. Springer, New York (2017) Pavlidis, M.; Mouratidis, H.; Panaousis, E.; Argyropoulos, N.: Selecting security mechanisms in Secure Tropos. In: International Conference on Trust and Privacy in Digital Business, pp. 99–114. Springer, New York (2017)
[S77]
go back to reference Peeters, J.: Agile security requirements engineering. In: Proceedings of the Symposium on Requirements Engineering for Information Security, pp. 1–4. IEEE Computer Society, Paris, France (2005) Peeters, J.: Agile security requirements engineering. In: Proceedings of the Symposium on Requirements Engineering for Information Security, pp. 1–4. IEEE Computer Society, Paris, France (2005)
[S78]
go back to reference Poonia, A.S.; Banerjee, C.; Banerjee, A.; Sharma, S.: Aligning misuse case oriented quality requirements metrics with machine learning approach. In: Soft Computing: Theories and Applications, pp. 687–692. Springer, New York (2019) Poonia, A.S.; Banerjee, C.; Banerjee, A.; Sharma, S.: Aligning misuse case oriented quality requirements metrics with machine learning approach. In: Soft Computing: Theories and Applications, pp. 687–692. Springer, New York (2019)
[S79]
go back to reference Rees, J.; Bandyopadhayay, S.; Spafford, E.H.: PFIRES: a policy framework for information security. Commun. ACM 46(7), 101–106 (2003)CrossRef Rees, J.; Bandyopadhayay, S.; Spafford, E.H.: PFIRES: a policy framework for information security. Commun. ACM 46(7), 101–106 (2003)CrossRef
[S80]
go back to reference Rehman, S.; Gruhn, V.: An effective security requirements engineering framework for cyber-physical systems. Technologies 6(3), 65 (2018)CrossRef Rehman, S.; Gruhn, V.: An effective security requirements engineering framework for cyber-physical systems. Technologies 6(3), 65 (2018)CrossRef
[S81]
go back to reference Riaz, M.; Stallings, J.; Singh, M.P.; Slankas, J.; Williams, L.: DIGS: a framework for discovering goals for security requirements engineering. In: Proceedings of the 10th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, p. 35. ACM (2016) Riaz, M.; Stallings, J.; Singh, M.P.; Slankas, J.; Williams, L.: DIGS: a framework for discovering goals for security requirements engineering. In: Proceedings of the 10th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, p. 35. ACM (2016)
[S82]
go back to reference Rrenja, A.; Matulevičius, R.: Pattern-based security requirements derivation from Secure Tropos models. In: IFIP Working Conference on The Practice of Enterprise Modeling, pp. 59–74. Springer, New York (2015) Rrenja, A.; Matulevičius, R.: Pattern-based security requirements derivation from Secure Tropos models. In: IFIP Working Conference on The Practice of Enterprise Modeling, pp. 59–74. Springer, New York (2015)
[S83]
go back to reference Saleh, F.; El-Attar, M.: A scientific evaluation of the misuse case diagrams visual syntax. Inf. Softw. Technol. 66, 73–96 (2015)CrossRef Saleh, F.; El-Attar, M.: A scientific evaluation of the misuse case diagrams visual syntax. Inf. Softw. Technol. 66, 73–96 (2015)CrossRef
[S84]
go back to reference Salini, P.; Kanmani, S.: Application of model oriented security requirements engineering framework for secure e-voting. In: 2012 CSI Sixth International Conference on Software Engineering (CONSEG), pp. 1–6. IEEE (2012a) Salini, P.; Kanmani, S.: Application of model oriented security requirements engineering framework for secure e-voting. In: 2012 CSI Sixth International Conference on Software Engineering (CONSEG), pp. 1–6. IEEE (2012a)
[S85]
go back to reference Salini, P.; Kanmani, S.: Elicitation of security requirements for e-health system by applying model oriented security requirements engineering (MOSRE) framework. In: Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology, pp. 126–131. ACM (2012b) Salini, P.; Kanmani, S.: Elicitation of security requirements for e-health system by applying model oriented security requirements engineering (MOSRE) framework. In: Proceedings of the Second International Conference on Computational Science, Engineering and Information Technology, pp. 126–131. ACM (2012b)
[S86]
go back to reference Salini, P.; Kanmani, S.: Security requirements engineering process for web applications. Procedia Eng. 38, 2799–2807 (2012c)CrossRef Salini, P.; Kanmani, S.: Security requirements engineering process for web applications. Procedia Eng. 38, 2799–2807 (2012c)CrossRef
[S87]
go back to reference Salini, P.; Kanmani, S.: Effectiveness and performance analysis of model-oriented security requirements engineering to elicit security requirements: a systematic solution for developing secure software systems. Int. J. Inf. Secur. 15(3), 319–334 (2016)CrossRef Salini, P.; Kanmani, S.: Effectiveness and performance analysis of model-oriented security requirements engineering to elicit security requirements: a systematic solution for developing secure software systems. Int. J. Inf. Secur. 15(3), 319–334 (2016)CrossRef
[S88]
go back to reference Salini, P.; Kanmani, S.: Performance analysis of security requirements engineering framework by measuring the vulnerabilities. Int. Arab J. Inf. Technol. 15(3), 435–444 (2018) Salini, P.; Kanmani, S.: Performance analysis of security requirements engineering framework by measuring the vulnerabilities. Int. Arab J. Inf. Technol. 15(3), 435–444 (2018)
[S89]
go back to reference Salva, S.; Regainia, L.: A catalogue associating security patterns and attack steps to design secure applications. J. Comput. Secur. 1(Preprint), 1–26 (2019) Salva, S.; Regainia, L.: A catalogue associating security patterns and attack steps to design secure applications. J. Comput. Secur. 1(Preprint), 1–26 (2019)
[S90]
go back to reference Scandariato, R.; Wuyts, K.; Joosen, W.: A descriptive study of Microsoft’s threat modeling technique. Requir. Eng. 20(2), 163–180 (2015)CrossRef Scandariato, R.; Wuyts, K.; Joosen, W.: A descriptive study of Microsoft’s threat modeling technique. Requir. Eng. 20(2), 163–180 (2015)CrossRef
[S91]
go back to reference Schmidt, H.: Threat and risk-analysis during early security requirements engineering. In: Proceedings of the 5th International Conference on Availability, Reliability and Security (ARES), Krakow, Poland, pp. 188–195. IEEE Computer Society (2010) Schmidt, H.: Threat and risk-analysis during early security requirements engineering. In: Proceedings of the 5th International Conference on Availability, Reliability and Security (ARES), Krakow, Poland, pp. 188–195. IEEE Computer Society (2010)
[S92]
go back to reference Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer, New York (2001)MATH Schumacher, M.: Security Engineering with Patterns: Origins, Theoretical Models, and New Applications. Springer, New York (2001)MATH
[S93]
go back to reference Shostack, A.: Experiences threat modeling at Microsoft. In: Proceedings of the 1st International Modeling Security Workshop(MODSEC), Lancaster, UK, pp. 1–11. Springer (2008) Shostack, A.: Experiences threat modeling at Microsoft. In: Proceedings of the 1st International Modeling Security Workshop(MODSEC), Lancaster, UK, pp. 1–11. Springer (2008)
[S94]
go back to reference Sindre, G.; Firesmith, D.G.; Opdahl, A.L.: A reuse-based approach to determining security requirements. In: Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality(REFSQ), Velden, Austria, pp. 127–136. Springer, New York (2003) Sindre, G.; Firesmith, D.G.; Opdahl, A.L.: A reuse-based approach to determining security requirements. In: Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality(REFSQ), Velden, Austria, pp. 127–136. Springer, New York (2003)
[S95]
go back to reference Sindre, G.; Opdahl, A.L.: Capturing security requirements through misuse cases. In: Proceedings of the 14th Norwegian Informatics Conference (NIK), Tromso, Norway, pp. 1–12. Academic Press, London (2001) Sindre, G.; Opdahl, A.L.: Capturing security requirements through misuse cases. In: Proceedings of the 14th Norwegian Informatics Conference (NIK), Tromso, Norway, pp. 1–12. Academic Press, London (2001)
[S96]
go back to reference Sindre, G.; Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)CrossRef Sindre, G.; Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)CrossRef
[S97]
go back to reference Sindre, G.; Opdahl, A.L.: Misuse cases for identifying system dependability threats. J. Inf. Priv. Secur. 4(2), 3–22 (2008) Sindre, G.; Opdahl, A.L.: Misuse cases for identifying system dependability threats. J. Inf. Priv. Secur. 4(2), 3–22 (2008)
[S98]
go back to reference Singhal, A.: Development of Agile security framework using a hybrid technique for requirements elicitation. In: Advances in Computing, Communication and Control, pp. 178–188. Springer, New York (2011) Singhal, A.: Development of Agile security framework using a hybrid technique for requirements elicitation. In: Advances in Computing, Communication and Control, pp. 178–188. Springer, New York (2011)
[S99]
go back to reference Sonia, A.S.; Balwani, J.: Analysing security and software requirements using multi-layered iterative model. Int. J. Comput. Sci. Inf. Technol. (IJCSIT) 5(2), 1283–1287 (2014) Sonia, A.S.; Balwani, J.: Analysing security and software requirements using multi-layered iterative model. Int. J. Comput. Sci. Inf. Technol. (IJCSIT) 5(2), 1283–1287 (2014)
[S100]
go back to reference Soomro, I.; Ahmed, N.: Towards security risk-oriented misuse cases. In: Proceedings of the 10th International Conference on Business Process Management, Tallinn, Estonia, pp. 689–700. Springer, New York (2012) Soomro, I.; Ahmed, N.: Towards security risk-oriented misuse cases. In: Proceedings of the 10th International Conference on Business Process Management, Tallinn, Estonia, pp. 689–700. Springer, New York (2012)
[S101]
go back to reference Souag, A.; Salinesi, C.; Mazo, R.; Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: International Symposium on Engineering Secure Software and Systems, pp. 157–177. Springer, New York (2015) Souag, A.; Salinesi, C.; Mazo, R.; Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: International Symposium on Engineering Secure Software and Systems, pp. 157–177. Springer, New York (2015)
[S102]
go back to reference Suleiman, H.; Svetinovic, D.: Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: a case study using smart grid advanced metering infrastructure. Requir. Eng. 18(3), 251–279 (2013)CrossRef Suleiman, H.; Svetinovic, D.: Evaluating the effectiveness of the security quality requirements engineering (SQUARE) method: a case study using smart grid advanced metering infrastructure. Requir. Eng. 18(3), 251–279 (2013)CrossRef
[S103]
go back to reference Susi, A.; Perini, A.; Mylopoulos, J.; Giorgini, P.: The Tropos metamodel and its use. Informatica 29(4), 1–8 (2005) Susi, A.; Perini, A.; Mylopoulos, J.; Giorgini, P.: The Tropos metamodel and its use. Informatica 29(4), 1–8 (2005)
[S104]
go back to reference Velasco, J.L.; Valencia-García, R.; Fernández-Breis, J.T.; Toval, A.; et al.: Modelling reusable security requirements based on an ontology framework. J. Res. Pract. Inf. Technol. 41(2), 119 (2009) Velasco, J.L.; Valencia-García, R.; Fernández-Breis, J.T.; Toval, A.; et al.: Modelling reusable security requirements based on an ontology framework. J. Res. Pract. Inf. Technol. 41(2), 119 (2009)
[S105]
go back to reference Viega, J.: Building security requirements with CLASP. SIGSOFT Softw. Eng. Not. 30(4), 1–7 (2005)CrossRef Viega, J.: Building security requirements with CLASP. SIGSOFT Softw. Eng. Not. 30(4), 1–7 (2005)CrossRef
[S106]
go back to reference Wang, W.; Gupta, A.; Niu, N.: Mining security requirements from common vulnerabilities and exposures for Agile projects. In: 2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP), pp. 6–9. IEEE (2018) Wang, W.; Gupta, A.; Niu, N.: Mining security requirements from common vulnerabilities and exposures for Agile projects. In: 2018 IEEE 1st International Workshop on Quality Requirements in Agile Projects (QuaRAP), pp. 6–9. IEEE (2018)
[S107]
go back to reference Williams, I.: An ontology based collaborative recommender system for security requirements elicitation. In: 2018 IEEE 26th International Requirements Engineering Conference (RE), pp. 448–453. IEEE (2018) Williams, I.: An ontology based collaborative recommender system for security requirements elicitation. In: 2018 IEEE 26th International Requirements Engineering Conference (RE), pp. 448–453. IEEE (2018)
[S108]
go back to reference Wirtz, R.; Heisel, M.: A systematic method to describe and identify security threats based on functional requirements. In: International Conference on Risks and Security of Internet and Systems, Vol. 11391, pp. 205–221. Springer, New York (2019) Wirtz, R.; Heisel, M.: A systematic method to describe and identify security threats based on functional requirements. In: International Conference on Risks and Security of Internet and Systems, Vol. 11391, pp. 205–221. Springer, New York (2019)
[1]
go back to reference Walton, J.P.: Developing an enterprise information security policy. In: Proceedings of the 30th Annual ACM SIGUCCS Conference on User Services, pp. 153–156. ACM, New York (2002) Walton, J.P.: Developing an enterprise information security policy. In: Proceedings of the 30th Annual ACM SIGUCCS Conference on User Services, pp. 153–156. ACM, New York (2002)
[2]
go back to reference Team, S.: Secunia vulnerability review 2014. Tech. rep., Secunia (2014) Team, S.: Secunia vulnerability review 2014. Tech. rep., Secunia (2014)
[3]
go back to reference Mellado, D.; Blanco, C.; Crespo, L.E.S.; Fernández-Medina, E.: A systematic review of security requirements engineering. Comput. Stand. Interfaces 32(4), 153–165 (2010)CrossRef Mellado, D.; Blanco, C.; Crespo, L.E.S.; Fernández-Medina, E.: A systematic review of security requirements engineering. Comput. Stand. Interfaces 32(4), 153–165 (2010)CrossRef
[4]
go back to reference Viega, J.: Building security requirements with CLASP. In: Proceedings of the 2005 Workshop on Software Engineering for Secure Systems Building Trustworthy Applications, pp. 1–7 . ACM, New York (2005) Viega, J.: Building security requirements with CLASP. In: Proceedings of the 2005 Workshop on Software Engineering for Secure Systems Building Trustworthy Applications, pp. 1–7 . ACM, New York (2005)
[5]
go back to reference Elahi, G.: Security requirements engineering: State of the art and practice and challenges. Tech. rep., Department of Computer Science, University of Toronto (2009) Elahi, G.: Security requirements engineering: State of the art and practice and challenges. Tech. rep., Department of Computer Science, University of Toronto (2009)
[6]
go back to reference Torr, P.: Demystifying the threat-modeling process. IEEE Secur. Priv. 3(5), 66–70 (2005)CrossRef Torr, P.: Demystifying the threat-modeling process. IEEE Secur. Priv. 3(5), 66–70 (2005)CrossRef
[7]
go back to reference Fabian, B.; Gürses, S.; Heisel, M.; Santen, T.; Schmidt, H.: A comparison of security requirements engineering methods. Requir. Eng. 15(1), 7–40 (2010)CrossRef Fabian, B.; Gürses, S.; Heisel, M.; Santen, T.; Schmidt, H.: A comparison of security requirements engineering methods. Requir. Eng. 15(1), 7–40 (2010)CrossRef
[8]
go back to reference Hope, P.; McGraw, G.; Antón, A.I.: Misuse and abuse cases: getting past the positive. IEEE Secur. Priv. 2(3), 90–92 (2004)CrossRef Hope, P.; McGraw, G.; Antón, A.I.: Misuse and abuse cases: getting past the positive. IEEE Secur. Priv. 2(3), 90–92 (2004)CrossRef
[9]
go back to reference Mohammed, N.M.; Niazi, M.; Alshayeb, M.; Mahmood, S.: Exploring software security approaches in software development lifecycle: a systematic mapping study. Comput. Stand. Interfaces 50, 107–115 (2017)CrossRef Mohammed, N.M.; Niazi, M.; Alshayeb, M.; Mahmood, S.: Exploring software security approaches in software development lifecycle: a systematic mapping study. Comput. Stand. Interfaces 50, 107–115 (2017)CrossRef
[10]
go back to reference Kitchenham: Guidelines for performing systematic literature reviews in software engineering. Tech. rep., Software Engineering Group, School of Computer Science and Mathematics, Keele University, Keele, UK (2007) Kitchenham: Guidelines for performing systematic literature reviews in software engineering. Tech. rep., Software Engineering Group, School of Computer Science and Mathematics, Keele University, Keele, UK (2007)
[11]
go back to reference Moffett, J.D.; Haley, C.B.; Nuseibeh, B.: Core security requirements artefacts. Tech. rep., Department of Computing, The Open University, Milton Keynes, UK (2004) Moffett, J.D.; Haley, C.B.; Nuseibeh, B.: Core security requirements artefacts. Tech. rep., Department of Computing, The Open University, Milton Keynes, UK (2004)
[12]
go back to reference Nsa, T.: Common criteria for information technology security evaluation. Tech. rep., National Security Agency (2009) Nsa, T.: Common criteria for information technology security evaluation. Tech. rep., National Security Agency (2009)
[13]
go back to reference Salini, P.; Kanmani, S.: Survey and analysis on security requirements engineering. Comput. Electr. Eng. 38(6), 1785–1797 (2012)CrossRef Salini, P.; Kanmani, S.: Survey and analysis on security requirements engineering. Comput. Electr. Eng. 38(6), 1785–1797 (2012)CrossRef
[14]
go back to reference Karpati, P.; Sindre, G.; Opdahl, A.L.: Characterising and analysing security requirements modelling initiatives. In: 2011 Sixth International Conference on Availability, Reliability and Security, IEEE, pp. 710–715 (2011) Karpati, P.; Sindre, G.; Opdahl, A.L.: Characterising and analysing security requirements modelling initiatives. In: 2011 Sixth International Conference on Availability, Reliability and Security, IEEE, pp. 710–715 (2011)
[15]
go back to reference Iankoulova, I.; Daneva, M.: Cloud computing security requirements: a systematic review. In: 2012 Sixth International Conference on Research Challenges in Information Science (RCIS), IEEE, pp. 1–7 (2012) Iankoulova, I.; Daneva, M.: Cloud computing security requirements: a systematic review. In: 2012 Sixth International Conference on Research Challenges in Information Science (RCIS), IEEE, pp. 1–7 (2012)
[16]
go back to reference Raspotnig, C.; Opdahl, A.: Comparing risk identification techniques for safety and security requirements. J. Syst. Softw. 86(4), 1124–1151 (2013)CrossRef Raspotnig, C.; Opdahl, A.: Comparing risk identification techniques for safety and security requirements. J. Syst. Softw. 86(4), 1124–1151 (2013)CrossRef
[17]
go back to reference Munante, D.; Chiprianov, V.; Gallon, L.; Aniorté, P.: A review of security requirements engineering methods with respect to risk analysis and model-driven engineering. In: International Conference on Availability, Reliability, and Security, pp. 79–93. Springer, New York (2014) Munante, D.; Chiprianov, V.; Gallon, L.; Aniorté, P.: A review of security requirements engineering methods with respect to risk analysis and model-driven engineering. In: International Conference on Availability, Reliability, and Security, pp. 79–93. Springer, New York (2014)
[18]
go back to reference Kriaa, S.; Pietre-Cambacedes, L.; Bouissou, M.; Halgand, Y.: A survey of approaches combining safety and security for industrial control systems. Reliab. Eng. Syst. Saf. 139, 156–178 (2015)CrossRef Kriaa, S.; Pietre-Cambacedes, L.; Bouissou, M.; Halgand, Y.: A survey of approaches combining safety and security for industrial control systems. Reliab. Eng. Syst. Saf. 139, 156–178 (2015)CrossRef
[19]
go back to reference Silva, P.; Noël, R.; Matalonga, S.; Astudillo, H.; Gatica, D.; Marquez, G.: Software development initiatives to identify and mitigate security threats-two systematic mapping studies. CLEI Electron. J. 19(3), 5 (2016) Silva, P.; Noël, R.; Matalonga, S.; Astudillo, H.; Gatica, D.; Marquez, G.: Software development initiatives to identify and mitigate security threats-two systematic mapping studies. CLEI Electron. J. 19(3), 5 (2016)
[20]
go back to reference Biolchini, J.C.D.A.; Mian, P.G.; Natali, A.C.C.; Conte, T.U.; Travassos, G.H.: Scientific research ontology to support systematic review in software engineering. Adv. Eng. Inf. 21(2), 133–151 (2007)CrossRef Biolchini, J.C.D.A.; Mian, P.G.; Natali, A.C.C.; Conte, T.U.; Travassos, G.H.: Scientific research ontology to support systematic review in software engineering. Adv. Eng. Inf. 21(2), 133–151 (2007)CrossRef
[21]
go back to reference Allen, I.E.; Seaman, C.A.: Likert-scales and data-analyses. Tech. rep., ASQ Statistics Division (2007) Allen, I.E.; Seaman, C.A.: Likert-scales and data-analyses. Tech. rep., ASQ Statistics Division (2007)
[22]
go back to reference Lapouchnian, A.: Goal-oriented requirements engineering: an overview of the current research. Tech. rep., University of Toronto (2005) Lapouchnian, A.: Goal-oriented requirements engineering: an overview of the current research. Tech. rep., University of Toronto (2005)
[23]
go back to reference Darimont, R.; Delor, E.; Massonet, P.; Lamsweerde, A.V.: GRAIL/KAOS: An environment for goal-driven requirements engineering. In: Proceedings of the 19th International Conference on Software Engineering (ICSE), ACM, Boston, USA, pp. 612–613 (1997) Darimont, R.; Delor, E.; Massonet, P.; Lamsweerde, A.V.: GRAIL/KAOS: An environment for goal-driven requirements engineering. In: Proceedings of the 19th International Conference on Software Engineering (ICSE), ACM, Boston, USA, pp. 612–613 (1997)
[24]
go back to reference Dardenne, A.; Lamsweerde, A.V.; Fickas, S.: Goal-directed requirements acquisition. Sci. Comput. Prog. 20(1–2), 3–50 (1993)MATHCrossRef Dardenne, A.; Lamsweerde, A.V.; Fickas, S.: Goal-directed requirements acquisition. Sci. Comput. Prog. 20(1–2), 3–50 (1993)MATHCrossRef
[25]
go back to reference Lamsweerde, A.V.; Letier, E.; Darimont, R.: Managing conflicts in goal-driven requirements engineering. IEEE Trans. Softw. Eng. 24(11), 908–926 (1998)CrossRef Lamsweerde, A.V.; Letier, E.; Darimont, R.: Managing conflicts in goal-driven requirements engineering. IEEE Trans. Softw. Eng. 24(11), 908–926 (1998)CrossRef
[26]
go back to reference Yu, E.S.; Liu, L.: Modelling trust for system design using the i* strategic actors framework. In: Proceedings of the Workshop on Deception, Fraud, and Trust in Agent Societies Held During the Autonomous Agents Conference: Trust in Cyber-societies, Integrating the Human and Artificial Perspectives, Springer, London, UK, pp. 175–194 (2001) Yu, E.S.; Liu, L.: Modelling trust for system design using the i* strategic actors framework. In: Proceedings of the Workshop on Deception, Fraud, and Trust in Agent Societies Held During the Autonomous Agents Conference: Trust in Cyber-societies, Integrating the Human and Artificial Perspectives, Springer, London, UK, pp. 175–194 (2001)
[27]
go back to reference Bresciani, P.; Perini, A.; Giorgini, P.; Giunchiglia, F.; Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)MATHCrossRef Bresciani, P.; Perini, A.; Giorgini, P.; Giunchiglia, F.; Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)MATHCrossRef
[28]
go back to reference Yu, E.S.: Modelling strategic relationships for process reengineering. PhD thesis, The University of Toronto, Canada (1995) Yu, E.S.: Modelling strategic relationships for process reengineering. PhD thesis, The University of Toronto, Canada (1995)
[29]
go back to reference Fuxman, A.; Liu, L.; Mylopoulos, J.; Pistore, M.; Roveri, M.; Traverso, P.: Specifying and analyzing early requirements in tropos. Requir. Eng. 9(2), 132–150 (2004)CrossRef Fuxman, A.; Liu, L.; Mylopoulos, J.; Pistore, M.; Roveri, M.; Traverso, P.: Specifying and analyzing early requirements in tropos. Requir. Eng. 9(2), 132–150 (2004)CrossRef
[30]
go back to reference Mouratidis, H.; Giorgini, P.: Secure Tropos: Dealing effectively with security requirements in the development of multiagent systems. In: Proceedings of the 2nd International Workshop on Safety and Security in Multi-agent Systems(SASEMAS). Springer, Utrecht (2005) Mouratidis, H.; Giorgini, P.: Secure Tropos: Dealing effectively with security requirements in the development of multiagent systems. In: Proceedings of the 2nd International Workshop on Safety and Security in Multi-agent Systems(SASEMAS). Springer, Utrecht (2005)
[31]
go back to reference Team, C.: Common vulnerability scoring system v3. 0: Specification document. First org (2015) Team, C.: Common vulnerability scoring system v3. 0: Specification document. First org (2015)
[32]
go back to reference Alexander, I.: Misuse cases: use cases with hostile intent. IEEE Softw. 20(1), 58–66 (2003)CrossRef Alexander, I.: Misuse cases: use cases with hostile intent. IEEE Softw. 20(1), 58–66 (2003)CrossRef
[33]
go back to reference Faily, S.; Fléchais, I.: Finding and resolving security misusability with misusability cases. Requir. Eng. 21(2), 209–223 (2016)CrossRef Faily, S.; Fléchais, I.: Finding and resolving security misusability with misusability cases. Requir. Eng. 21(2), 209–223 (2016)CrossRef
[34]
go back to reference Mayer, N.: Model-based management of information system security risk. PhD thesis, University of Namur (2009) Mayer, N.: Model-based management of information system security risk. PhD thesis, University of Namur (2009)
Metadata

Title: A Systematic Review and Analytical Evaluation of Security Requirements Engineering Approaches
Authors: Malik Nadeem Anwar Mohammad, Mohammed Nazir, Khurram Mustafa
Publication date: 06-08-2019
Publisher: Springer Berlin Heidelberg
Published in: Arabian Journal for Science and Engineering, Issue 11/2019
Print ISSN: 2193-567X
Electronic ISSN: 2191-4281
DOI: https://doi.org/10.1007/s13369-019-04067-3
