Enhancing security requirements engineering by organizational learning

Research output: Contribution to journal › Article › Research › peer review

Authors

  • Kurt Schneider
  • Eric Knauss
  • Siv Houmb
  • Shareeful Islam
  • Jan Jürjens

Research Organisations

External Research Organisations

  • Secure-NOK
  • University of East London
  • TU Dortmund University
  • Fraunhofer Institute for Software and Systems Engineering (ISST)
Research metrics

  • Citations
    • Citation Indexes: 42
  • Captures
    • Readers: 100
  • Social Media
    • Shares, Likes & Comments: 1

Details

Original language: English
Pages (from-to): 35-56
Number of pages: 22
Journal: Requirements engineering
Volume: 17
Issue number: 1
Early online date: 27 Nov 2011
Publication status: Published - Mar 2012

Abstract

More and more software projects today are security-related in one way or the other. Requirements engineers without expertise in security are at risk of overlooking security requirements, which often leads to security vulnerabilities that can later be exploited in practice. Identifying security-relevant requirements is labor-intensive and error-prone. In order to facilitate the security requirements elicitation process, we present an approach supporting organizational learning on security requirements by establishing company-wide experience resources and a socio-technical network to benefit from them. The approach is based on modeling the flow of requirements and related experiences. Based on those models, we enable people to exchange experiences about security-relevant requirements while they write and discuss project requirements. At the same time, the approach enables participating stakeholders to learn while they write requirements. This can increase security awareness and facilitate learning on both individual and organizational levels. As a basis for our approach, we introduce heuristic assistant tools. They support reuse of existing experiences that are relevant for security. In particular, they include Bayesian classifiers that issue a warning automatically when new requirements seem to be security-relevant. Our results indicate that this is feasible, in particular if the classifier is trained with domain-specific data and documents from previous projects. We show how the ability to identify security-relevant requirements can be improved using this approach. We illustrate our approach by providing a step-by-step example of how we improved the security requirements engineering process at the European Telecommunications Standards Institute (ETSI) and report on experiences made in this application.
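The abstract's heuristic assistant is a Bayesian classifier that warns when a requirement looks security-relevant, and the authors note it works best when trained on domain-specific data. The following is an added illustration of that idea, not the authors' tool or data: a small multinomial naive Bayes classifier over bag-of-words requirement sentences. All training and test sentences are constructed for this example; the "generic" set contains ordinary functional and security requirements, and the "domain" set adds a few telecom-flavoured ones to show why domain data matters.

```python
"""Heuristic warning for security-relevant requirements (added example).

A multinomial naive Bayes classifier with Laplace smoothing is trained on
labelled requirement sentences and then used to warn when a new requirement
looks security-relevant. Training sentences are constructed for this
example and are not the data used in the paper.
"""
import math
import re
from collections import Counter, defaultdict

SEC, NONSEC = "sec", "nonsec"
TOKEN_RE = re.compile(r"[a-z][a-z0-9_-]+")  # lowercase words of length >= 2

# Constructed generic training set: (requirement text, label).
GENERIC_SAMPLES = [
    ("The system shall authenticate users with a password before granting access.", SEC),
    ("All messages between client and server shall be encrypted.", SEC),
    ("Access to the audit log shall be restricted to administrators.", SEC),
    ("The system shall lock the account after five failed login attempts.", SEC),
    ("Session tokens shall expire after 15 minutes of inactivity.", SEC),
    ("User input shall be validated before being stored.", SEC),
    ("The system shall display the current temperature in Celsius.", NONSEC),
    ("Reports shall be exported as PDF files.", NONSEC),
    ("The user interface shall support English and German.", NONSEC),
    ("The system shall respond to search queries within two seconds.", NONSEC),
    ("The application shall run on Windows and Linux.", NONSEC),
    ("The calendar view shall show one week per page.", NONSEC),
]

# Constructed domain-specific (telecom) training set from "previous projects".
DOMAIN_SAMPLES = [
    ("The network shall authenticate the subscriber IMSI before attach.", SEC),
    ("Subscriber identity shall not be sent in clear text over the radio interface.", SEC),
    ("Roaming subscribers shall be authenticated by the home network.", SEC),
    ("The network shall support handover between base stations.", NONSEC),
    ("Billing records shall be generated for each call.", NONSEC),
    ("The radio interface shall support a data rate of 2 Mbit/s.", NONSEC),
]


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


def build_model(samples):
    """Count documents and word occurrences per class; build the vocabulary."""
    model = {"docs": Counter(), "words": defaultdict(Counter), "vocab": set()}
    for text, label in samples:
        toks = tokenize(text)
        model["docs"][label] += 1
        model["words"][label].update(toks)
        model["vocab"].update(toks)
    return model


def log_posteriors(model, text):
    """Unnormalised log P(label | text) under multinomial naive Bayes."""
    toks = tokenize(text)
    total_docs = sum(model["docs"].values())
    vocab_size = len(model["vocab"])
    scores = {}
    for label, ndocs in model["docs"].items():
        logp = math.log(ndocs / total_docs)  # class prior
        total_words = sum(model["words"][label].values())
        for tok in toks:
            # Laplace smoothing: a word never seen in this class still gets count 1.
            count = model["words"][label][tok] + 1
            logp += math.log(count / (total_words + vocab_size))
        scores[label] = logp
    return scores


def security_probability(model, text):
    """Normalised P(security-relevant | text) in [0, 1]."""
    scores = log_posteriors(model, text)
    top = max(scores.values())
    norm = sum(math.exp(s - top) for s in scores.values())
    return math.exp(scores[SEC] - top) / norm


def warn_if_security_relevant(model, text, threshold=0.5):
    """Return (warned, probability); the caller shows a warning when warned is True."""
    prob = security_probability(model, text)
    return prob >= threshold, prob


if __name__ == "__main__":
    generic = build_model(GENERIC_SAMPLES)
    with_domain = build_model(GENERIC_SAMPLES + DOMAIN_SAMPLES)
    telecom_req = "Roaming subscribers shall present a valid IMSI for network attach."
    for name, model in (("generic", generic), ("generic+domain", with_domain)):
        warned, prob = warn_if_security_relevant(model, telecom_req)
        print(f"{name:15s} warn={warned} p(sec)={prob:.2f}: {telecom_req}")
```

With only the generic training set the telecom requirement shares almost no vocabulary with the training data, so the classifier stays close to the prior and does not warn; once a few domain-specific requirements from earlier projects are added it is flagged. This is the effect the abstract reports, and it is also the caveat a practitioner should keep in mind: the warning is a heuristic whose quality is bounded by the experience base it was trained on, so a missing warning is not evidence that a requirement is security-irrelevant.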

Keywords

    Organizational learning, Requirements analysis, Requirements workflow modeling, Secure software engineering

Cite this

Enhancing security requirements engineering by organizational learning. / Schneider, Kurt; Knauss, Eric; Houmb, Siv et al.
In: Requirements engineering, Vol. 17, No. 1, 03.2012, p. 35-56.

Research output: Contribution to journal › Article › Research › peer review

Schneider K, Knauss E, Houmb S, Islam S, Jürjens J. Enhancing security requirements engineering by organizational learning. Requirements engineering. 2012 Mar;17(1):35-56. Epub 2011 Nov 27. doi: 10.1007/s00766-011-0141-0
Schneider, Kurt ; Knauss, Eric ; Houmb, Siv et al. / Enhancing security requirements engineering by organizational learning. In: Requirements engineering. 2012 ; Vol. 17, No. 1. pp. 35-56.
@article{154df55125de45b79efdfa94cd6076ee,
title = "Enhancing security requirements engineering by organizational learning",
abstract = "More and more software projects today are security-related in one way or the other. Requirements engineers without expertise in security are at risk of overlooking security requirements, which often leads to security vulnerabilities that can later be exploited in practice. Identifying security-relevant requirements is labor-intensive and error-prone. In order to facilitate the security requirements elicitation process, we present an approach supporting organizational learning on security requirements by establishing company-wide experience resources and a socio-technical network to benefit from them. The approach is based on modeling the flow of requirements and related experiences. Based on those models, we enable people to exchange experiences about security-relevant requirements while they write and discuss project requirements. At the same time, the approach enables participating stakeholders to learn while they write requirements. This can increase security awareness and facilitate learning on both individual and organizational levels. As a basis for our approach, we introduce heuristic assistant tools. They support reuse of existing experiences that are relevant for security. In particular, they include Bayesian classifiers that issue a warning automatically when new requirements seem to be security-relevant. Our results indicate that this is feasible, in particular if the classifier is trained with domain-specific data and documents from previous projects. We show how the ability to identify security-relevant requirements can be improved using this approach. We illustrate our approach by providing a step-by-step example of how we improved the security requirements engineering process at the European Telecommunications Standards Institute (ETSI) and report on experiences made in this application.",
keywords = "Organizational learning, Requirements analysis, Requirements workflow modeling, Secure software engineering",
author = "Kurt Schneider and Eric Knauss and Siv Houmb and Shareeful Islam and Jan J{\"u}rjens",
note = "Funding Information: This work was partially funded by the German National Science Foundation (DFG InfoFLOW 2008–2011) and the EU project Secure Change (ICT-FET-231101).",
year = "2012",
month = mar,
doi = "10.1007/s00766-011-0141-0",
language = "English",
volume = "17",
pages = "35--56",
journal = "Requirements engineering",
issn = "0947-3602",
publisher = "Springer London",
number = "1",

}

TY - JOUR

T1 - Enhancing security requirements engineering by organizational learning

AU - Schneider, Kurt

AU - Knauss, Eric

AU - Houmb, Siv

AU - Islam, Shareeful

AU - Jürjens, Jan

N1 - Funding Information: This work was partially funded by the German National Science Foundation (DFG InfoFLOW 2008–2011) and the EU project Secure Change (ICT-FET-231101).

PY - 2012/3

Y1 - 2012/3

AB - More and more software projects today are security-related in one way or the other. Requirements engineers without expertise in security are at risk of overlooking security requirements, which often leads to security vulnerabilities that can later be exploited in practice. Identifying security-relevant requirements is labor-intensive and error-prone. In order to facilitate the security requirements elicitation process, we present an approach supporting organizational learning on security requirements by establishing company-wide experience resources and a socio-technical network to benefit from them. The approach is based on modeling the flow of requirements and related experiences. Based on those models, we enable people to exchange experiences about security-relevant requirements while they write and discuss project requirements. At the same time, the approach enables participating stakeholders to learn while they write requirements. This can increase security awareness and facilitate learning on both individual and organizational levels. As a basis for our approach, we introduce heuristic assistant tools. They support reuse of existing experiences that are relevant for security. In particular, they include Bayesian classifiers that issue a warning automatically when new requirements seem to be security-relevant. Our results indicate that this is feasible, in particular if the classifier is trained with domain-specific data and documents from previous projects. We show how the ability to identify security-relevant requirements can be improved using this approach. We illustrate our approach by providing a step-by-step example of how we improved the security requirements engineering process at the European Telecommunications Standards Institute (ETSI) and report on experiences made in this application.

KW - Organizational learning

KW - Requirements analysis

KW - Requirements workflow modeling

KW - Secure software engineering

UR - http://www.scopus.com/inward/record.url?scp=84857362096&partnerID=8YFLogxK

U2 - 10.1007/s00766-011-0141-0

DO - 10.1007/s00766-011-0141-0

M3 - Article

AN - SCOPUS:84857362096

VL - 17

SP - 35

EP - 56

JO - Requirements engineering

JF - Requirements engineering

SN - 0947-3602

IS - 1

ER -