Requirements Engineering

, Volume 15, Issue 1, pp 7–40 | Cite as

A comparison of security requirements engineering methods

  • Benjamin Fabian
  • Seda Gürses
  • Maritta Heisel
  • Thomas Santen
  • Holger SchmidtEmail author
Special Issue - Security Requirements Engineering


This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.


Security requirement Security requirement engineering Comparison Framework for security requirement engineering 



We thank the anonymous reviewers for their helpful comments and suggestions.


  1. 1.
    Common Criteria for Information Technology Security Evaluation, Version 3.1. (2006) [Online]. Available:
  2. 2.
    Bishop M (2003) Computer security. Addison-Wesley, New YorkGoogle Scholar
  3. 3.
    Viega J, McGraw G (2001) Building secure software: how to avoid security problems the right way. Addison-Wesley, New YorkGoogle Scholar
  4. 4.
    Eckert C (2004) IT-Sicherheit, 3rd edn. Oldenbourg-Verlag, MünchenGoogle Scholar
  5. 5.
    Firesmith DG (2003) Common concepts underlying safety, security, and survivability engineering. Carnegie Melon University. Technical report SEI-2003-TN-033Google Scholar
  6. 6.
    Rupp C, SOPHIST GROUP (2003) Requirements-engineering und -management, 3rd edn. Carl Hanser VerlagGoogle Scholar
  7. 7.
    Rannenberg K, Pfitzmann A, Müller G (1999) IT security and multilateral security. In: Müller G, Rannenberg K (eds) Multilateral security in communications—technology, infrastructure. Economy Addison-Wesley, pp 21–29Google Scholar
  8. 8.
    Zave P, Jackson M (1997) Four dark corners of requirements engineering. ACM Trans Softw Eng Methodol 6(1):1–30CrossRefGoogle Scholar
  9. 9.
    Fricker S, Gorschek T, Glinz M (2008) Goal-oriented requirements communication in new product development. In: Proceedings of the international workshop on software product management. IEEE Computer Society, Los Alamitos, pp 27–34Google Scholar
  10. 10.
    Liu L, Yu E (2001) From requirements to architectural design using goals and scenarios. In: Proceedings of the international workshop from software requirements to architectures (STRAW). TorontoGoogle Scholar
  11. 11.
    Antòn AI, Earp JB (2000) Strategies for developing policies and requirements for secure electronic commerce systems. Department of Computer Science, North Carolina State University. Technical report TR-2000-09. [Online]. Available: Scholar
  12. 12.
    Mylopoulos J, Chung L, Nixon B (1992) Representing and using non-functional requirements: a process-oriented approach. IEEE Transactions on Software Engineering pp 483–497Google Scholar
  13. 13.
    Sommerville I (2007) Software Engineering, 8th edn. Addison Wesley, New YorkGoogle Scholar
  14. 14.
    Glinz M (2007) On non-functional requirements. In: Proceedings of 15th IEEE international requirements engineering conference (RE ’07), pp 21–26Google Scholar
  15. 15.
    Jureta I, Mylopoulos J, Faulkner S (2008) Revisiting the core ontology and problem in requirements engineering. In: Proceedings of 16th IEEE international requirements engineering conference (RE ’08), pp 71–80Google Scholar
  16. 16.
    Information technology—security techniques—code of practice for information security management (ISO/IEC FDIS 17799:2005) (2005) International Organization for StandardizationGoogle Scholar
  17. 17.
    Information technology—security techniques—management of information and communications technology security—part 1: Concepts and models for information and communications technology security management (ISO/IEC 13335-1:2004)(2004) International Organization for StandardizationGoogle Scholar
  18. 18.
    NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems (2001) National institute of standards and technologyGoogle Scholar
  19. 19.
    Berry DM, Lawrence B (1998) Guest editors’ introduction: requirements engineering. IEEE Softw 15(2):26–29CrossRefGoogle Scholar
  20. 20.
    Robinson WN, Pawlowski SD, Volkov V (2003) Requirements interaction management. ACM Comput Surv 35(2):132–190CrossRefGoogle Scholar
  21. 21.
    Finkelstein A, Baggay D, Hunter A, Kramer J, Nuseibeh B (1994) Inconsistency handling in multi-perspective specifications. IEEE Trans Softw Eng (20):569–578CrossRefGoogle Scholar
  22. 22.
    Easterbrook S, Nuseibeh B (1996) Using viewpoints for inconsistency management. Softw Eng J 31–43Google Scholar
  23. 23.
    Kotonya G, Sommerville I (1996) Requirements engineering with viewpoints. BCS/IEE Softw Eng J 11(1):5–18CrossRefGoogle Scholar
  24. 24.
    Giorgini P, Massacci F, Mylopoulos J, Zannone N (2006) Detecting conflicts of interest. In: Proceedings 14th IEEE international requirements engineering conference (RE ’06). IEEE Computer Society, pp 308–311Google Scholar
  25. 25.
    van Lamsweerde A, Darimont R, Massonet P (1998) Managing conflicts in goal-driven requirements engineering. IEEE Trans Softw Eng 24Google Scholar
  26. 26.
    Jackson M, Zave P (1995) Deriving specifications from requirements: an example. In: Proceedings 17th international conference on software engineering. ACM Press, Seattle, pp 15–24Google Scholar
  27. 27.
    Haley B, Laney C, Moffett D, Nuseibeh B (2006) Using trust assumptions with security requirements. Requir Eng 11(2):138–151CrossRefGoogle Scholar
  28. 28.
    Haley CB, Laney R, Moffett J, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153CrossRefGoogle Scholar
  29. 29.
    Santen T (2006) Stepwise development of secure systems. In Górski J (ed) International conference on computer safety, reliability and security (SAFECOMP), ser. LNCS 4166. Springer, pp 142–155Google Scholar
  30. 30.
    Moffett JD, Haley CB, Nuseibeh B (2004) Core security requirements artifacts. The Open University, UK (technical report)Google Scholar
  31. 31.
    Breaux TD, Antòn A (2005) Analyzing goal semantics for rights, permissions, and obligations. In: Requirements engineering, pp 177–188Google Scholar
  32. 32.
    Mayer N (2009) Model-based management of information system security risk. Ph.D. dissertation, University of Namur [Online]. Available:
  33. 33.
    Mayer N, Heymans P, Matulevičius R (2007) Design of a modelling language for information system security risk management. In: 1st International conference on research challenges in information science (RCIS 2007)Google Scholar
  34. 34.
    Mellado D, Fernandez-Medina E, Piattini M (2006) A comparison of the Common Criteria with proposals of information systems security requirements. In: ARES ’06: proceedings of the first international conference on availability, reliability and security (ARES’06). IEEE Computer Society, Washington, DC, pp 654–661Google Scholar
  35. 35.
    Kalloniatis C, Kavakli E, Gritzalis S (2004) Security requirements engineering for e-government applications: analysis of current frameworks. Springer, BerlinGoogle Scholar
  36. 36.
    Tøndel I, Jaatun M, Meland P (2008) Security requirements for the rest of us: asurvey. Softw IEEE 25(1):20–27CrossRefGoogle Scholar
  37. 37.
    van Lamsweerde A (2007) Engineering requirements for system reliability and security. In: Broy JGM, Hoare C (eds) Software system reliability and security, ser. NATO security through science series-D: information and communication security, vol 9. IOS Press, pp 196–238Google Scholar
  38. 38.
    Gürses S, Santen T (2006) Contextualizing security goals—a method for multilateral security requirements elicitation. In: Dittmann J (ed) Proceedings of Sicherheit 2006—Schutz und Zuverlässigkeit, ser. Lecture notes in Informatics. Gesellschaft für Informatik, pp 42–53Google Scholar
  39. 39.
    Gürses S, Berendt B, Santen T (2006) Multilateral security requirements analysis for preserving privacy in ubiquitous environments. In: Berendt B, Menasalvas E (eds) Proceedings of workshop on ubiquitous knowledge discovery for users (UKDU’06) [Online]. Available:
  40. 40.
    Gürses S, Jahnke JH, Obry C, Onabajo A, Santen T, Price M (2005) Eliciting confidentiality requirements in practice. In: CASCON ’05: Proceedings of the 2005 conference of the centre for advanced studies on collaborative research. IBM Press, pp 101–116Google Scholar
  41. 41.
    Onabajo A, Weber-Jahnke J (2008) Stratified modeling and analysis of confidentiality requirements. In: 41st Annual Hawaii international conference on system sciencesGoogle Scholar
  42. 42.
    Mead N, Hough E, Stehney T (2005) Security quality requirements engineering (SQUARE) methodology. Carnegie Mellon Software Engineering Institute, Technical report CMU/SEI-2005-TR-009Google Scholar
  43. 43.
    Mead N, Viswanathan V, Padmanabhan D, Raveendran A (2008) Incorporating security quality requirements engineering (SQUARE) into standard life-cycle models. Carnegie Mellon Software Engineering Institute. Technical report CMU/SEI-2008-TN-006Google Scholar
  44. 44.
    UML Revision Task Force (2006) OMG unified modeling language: superstructure.
  45. 45.
    Sindre G, Opdahl AL (2001) Capturing security requirements by misuse cases. In: Proceedings of the 14th Norwegian informatics conference (NIK’2001)Google Scholar
  46. 46.
    Sindre G (2007) Mal-activity diagrams for capturing attacks on business processes. In: Sawyer P, Paech B, Heymanns P (eds) Proceedings of REFSQ 2007, ser. LNCS 4542. Springer, pp 355–366Google Scholar
  47. 47.
    Lodderstedt T, Basin DA, Doser J (2002) SecureUML: a UML-based modeling language for model-driven security. In: Proceedings of the 5th international conference on the unified modeling language (UML’02). Springer, London, pp 426–441Google Scholar
  48. 48.
    UML Revision Task Force (2006) OMG object constraint language: reference.
  49. 49.
    Jürjens J (2003) Secure systems development with UML. Springer, New YorkGoogle Scholar
  50. 50.
    Bertrand P, Darimont R, Delor E, Massonet P, van Lamsweerde A (1998) GRAIL/KAOS: an environment for goal drivent requirements engineering. In: ICSE’98—20th international conference on software engineeringGoogle Scholar
  51. 51.
    Dardenne A, van Lamsweerde A, Fickas S (1993) Goal-directed requirements acquisition. Sci Comput Program 20(1–2):3–50zbMATHCrossRefGoogle Scholar
  52. 52.
    van Lamsweerde A (2004) Elaborating security requirements by construction of intentional anti-models. ICSE pp. 148–157Google Scholar
  53. 53.
    Bresciani P, Perini A, Giorgini P, Giunchiglia F, Mylopoulos J (2004) Tropos: an agent-oriented software development methodology. Auton Agent Multi Agent Syst 8(3):203–236CrossRefGoogle Scholar
  54. 54.
    Giorgini P, Susi A, Perini A, Mylopoulos J (2005) The tropos metamodel and its use. Inf J 29:401–408Google Scholar
  55. 55.
    Fuxman A, Liu L, Mylopoulos J, Pistore M, Roveri M, Traverso P (2004) Specifying and analyzing early requirements in tropos. Requir Eng J 9(2):132–150Google Scholar
  56. 56.
    Yu ES-K (1996) Modelling strategic relationships for process reengineering. Ph.D. dissertation, University of Toronto, TorontoGoogle Scholar
  57. 57.
    Yu ESK (1997) Towards modeling and reasoning support for early-phase requirements engineering. In: RE ’97: proceedings of the 3rd IEEE international symposium on requirements engineering. IEEE Computer Society, Washington, DC, p 226Google Scholar
  58. 58.
    Yu ESK, Liu L (2001) Modelling trust for system design using the i * strategic actors framework. In: Proceedings of the workshop on deception, fraud, and trust in agent societies held during the autonomous agents conference. Springer, London, pp 175–194Google Scholar
  59. 59.
    Giorgini P, Mouratidis H, Zannone N (2007) Modelling security and trust with secure tropos. In: Integrating security and software engineering: advances and future vision. IDEAGoogle Scholar
  60. 60.
    Mouratidis H, Giorgini P (2007) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(2):285–309CrossRefGoogle Scholar
  61. 61.
    Mouratidis H, Giorgini P (2004) Enhancing secure tropos to effectively deal with security requirements in the development of multiagent systems. In: Proceedings of the 1st international workshop on safety and security in multiagent systems, SASEMASGoogle Scholar
  62. 62.
    Mouratidis H, Giorgini P (2005) Secure tropos: dealing effectively with security requirements in the development of multiagent systems. In: Proceedings of the 2nd international workshop on safety and security in multi-agent systems, SASEMAS, ser. Computers & Security, vol 24, no.8. Elsevier, pp 614–617Google Scholar
  63. 63.
    Massacci F, Mylopoulos J, Zannone N (2007) Ontologies for business interaction. Information science reference, ch. An ontology for secure socio-technical systems pp 188–207Google Scholar
  64. 64.
    Elahi G, Yu E (2007) A goal oriented approach for modeling and analyzing security trade-offs. University of Toronto, Department of Computer Science. Technical reportGoogle Scholar
  65. 65.
    Matulevičius R, Mayer N, Mouratidis H, Dubois E, Heymans P, Genon N (2008) Adapting secure tropos for security risk management in the early phases of information systems development. In: CAiSE ’08: proceedings of the 20th international conference on advanced information systems engineering. Springer, Berlin, pp 541–555Google Scholar
  66. 66.
    Mayer N, Rifaut A, Dubois E (2005) Towards a risk-based security requirements engineering framework. In: Proceedings of the 11th international workshop on requirements engineering: foundation for software quality (REFSQ’05), in conjunction with the 17th conference on advanced information systems engineering (CAiSE’05)Google Scholar
  67. 67.
    Bauer B, Müller JP, Odell J (2001) Agent UML: a formalism for specifying multiagent software systems. Int J Softw Eng Knowl Eng 11(3):207–230CrossRefGoogle Scholar
  68. 68.
    Giorgini P, Manson G, Mouratidis H (2004) Using security attack scenarios to analyse security during information systems design. In: The 6th international conference on enterprise information systems. PortoGoogle Scholar
  69. 69.
    Liu L, Yu E, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. In: Proceedings of 11th IEEE requirements engineering conference. IEEE Press, pp 151–161Google Scholar
  70. 70.
    Abiteboul S, Hull R, Vianu V (1995) Foundations of databases. Addison-Wesley, New YorkzbMATHGoogle Scholar
  71. 71.
    Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) St-tool: a case tool for security requirements engineering. In: RE-05. IEEEP, pp 451–452Google Scholar
  72. 72.
    Massacci F, Zannone N (2006) Detecting conflicts between functional and security requirements with secure tropos: John rusnak and the allied irish bankGoogle Scholar
  73. 73.
    Leone N, Pfeifer G, Faber W, Eiter T, Gottlob G, Perri S, Scarcello F (2006) The DLV system for knowledge representation and reasoning. ACM Trans Comput Logic 7(3):499–562CrossRefMathSciNetGoogle Scholar
  74. 74.
    He Q, Antòn AI (2003) A framework for modeling privacy requirements in role engineering. In: International workshop on requirements engineering for software quality (REFSQ 2003)Google Scholar
  75. 75.
    CERIAS Technical Report (1999) Policy framework for interpreting risk in ecommerce securityGoogle Scholar
  76. 76.
    Hauser J, Clausing D (1988) The house of quality. Harv Bus Rev 32(5)Google Scholar
  77. 77.
    Jackson M (2001) Problem frames. Analyzing and structuring software development problems. Addison-Wesley, New YorkGoogle Scholar
  78. 78.
    Lin L, Nuseibeh B, Ince D, Jackson M (2004) Using abuse frames to bound the scope of security problems. In: Proceedings of 11th IEEE international requirements engineering conference (RE’04). pp 354–355Google Scholar
  79. 79.
    Hatebur D, Heisel M, Schmidt H (2006) Security engineering using problem frames. In: Müller G (ed) Proceedings of the international conference on emerging trends in information and communication security (ETRICS’06), ser. LNCS 3995. Springer, pp 238–253Google Scholar
  80. 80.
    Hatebur D, Heisel M, Schmidt H, (2007) A pattern system for security requirements engineering. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 356–365Google Scholar
  81. 81.
    Hatebur D, Heisel M, Schmidt H (2007) A security engineering process based on patterns. In: Proceedings of the international workshop on secure systems methodologies using patterns (SPatterns). IEEE Computer Society, pp 734–738Google Scholar
  82. 82.
    Hatebur D, Heisel M, Schmidt H (2008) Analysis and component-based realization of security requirements. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 195–203Google Scholar
  83. 83.
    Schmidt H (2009) Pattern-based confidentiality-preserving refinement. In: Engineering secure software and systems—first international symposium (ESSoS), ser. LNCS, vol 5429. Springer, Berlin, pp 43–59Google Scholar
  84. 84.
    Schmidt H, Wentzlaff I (2006) Preserving software quality characteristics from requirements analysis to architectural design. In: Proceedings of the European workshop on software architectures (EWSA), vol 4344/2006. Springer, Berlin, pp 189–203Google Scholar
  85. 85.
    Haley CB, Moffett JD, Laney R, Nuseibeh B (2006) A framework for security requirements engineering. In: SESS ’06: proceedings of the 2006 international workshop on Software engineering for secure systems. ACM Press, New York, pp 35–42Google Scholar
  86. 86.
    Haley C, Laney R, Moffett J, Nuseibeh B (2004) Picking battles: the impact of trust assumptions on the elaboration of security requirements. In: Jensen CD, Poslad S, Dimitrakos T (eds) iTrust’04, pp 347–354Google Scholar
  87. 87.
    Haley CB, Moffett JD, Laney R, Nuseibeh B (2005) Arguing security: validating security requirements using structured argumentation. In: Proceedings of the 3rd symposium on requirements engineering for information security (SREIS’05). ParisGoogle Scholar
  88. 88.
    Braber F, Hogganvik I, Lund MS, Stølen K, and Vraalsen F (2007) Model-based security analysis in seven steps—a guided tour to the CORAS method. BT Technol J 25(1):101–117CrossRefGoogle Scholar
  89. 89.
    Dahl HEI, Hogganvik I, Stølen K (2007) Structured semantics for the CORAS security risk modelling language. SINTEF information and communication technology Technical report STF07 A970Google Scholar
  90. 90.
    Asnar Y, Giorgini P, Massacci F, Zannone N (2007) From trust to dependability through risk analysis. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 19–26Google Scholar
  91. 91.
    Asnar Y, Giorgini P, Mylopoulos J (2006) Risk modelling and reasoning in goal models. University of Trento. Technical report DIT-06-008Google Scholar
  92. 92.
    Keblawi F, Sullivan D (2006) Applying the common criteria in systems engineering. IEEE Secur Priv 4(2):50–55CrossRefGoogle Scholar
  93. 93.
    Mellado D, Fernandez-Medina E, Piattini M (2006) Applying a security requirements engineering process. In: ESORICS’06Google Scholar
  94. 94.
    Mellado D, Fernander-Medina E, Piattini M (2006) A comparison of the common criteria with proposals of information systems security requirements. In: First international conference on availability, reliability, and security (ARES’06). pp 654–661Google Scholar
  95. 95.
    Booch G, Rumbaugh J, Jacobson I (1999) The Unified Software Development Process. Addison-Wesley, New YorkGoogle Scholar
  96. 96.
    Sindre G, Firesmith DG, Opdahl AL (2003) A reuse-based approach to determining security requirements. In: Ninth international workshop on requirements engineering (REFSQ’03).
  97. 97.
    MAP (2005) Metodologìa de anàlisis y gestiòn de riesgos de los sistemas de informaciòn (magerit-v 2)Google Scholar

Copyright information

© Springer-Verlag London Limited 2009

Authors and Affiliations

  • Benjamin Fabian
    • 1
  • Seda Gürses
    • 2
  • Maritta Heisel
    • 3
  • Thomas Santen
    • 4
  • Holger Schmidt
    • 3
    Email author
  1. 1.Institute of Information SystemsHumboldt-Universität zu BerlinBerlinGermany
  2. 2.ESAT/COSIC, K.U. LeuvenLeuven-HeverleeBelgium
  3. 3.Software EngineeringUniversity of Duisburg-EssenDuisburgGermany
  4. 4.European Microsoft Innovation CenterAachenGermany

Personalised recommendations