Applying a Security Requirements Engineering Process

  • Daniel Mellado
  • Eduardo Fernández-Medina
  • Mario Piattini
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4189)


Nowadays, security solutions are mainly focused on providing security defences, instead of solving one of the main reasons for security problems that refers to an appropriate Information Systems (IS) design. In fact, requirements engineering often neglects enough attention to security concerns. In this paper it will be presented a case study of our proposal, called SREP (Security Requirements Engineering Process), which is a standard-centred process and a reuse-based approach which deals with the security requirements at the earlier stages of software development in a systematic and intuitive way by providing a security resources repository and by integrating the Common Criteria into the software development lifecycle. In brief, a case study is shown in this paper demonstrating how the security requirements for a security critical IS can be obtained in a guided and systematic way by applying SREP.


Information System Security Requirement Social Security Number Security Function Misuse Case 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Baskeville, R.: The development duality of information systems security. Journal of Management Systems 4(1), 1–12 (1992)Google Scholar
  2. 2.
    Booch, G., Rumbaugh, J., Jacobson, I. (eds.): The Unified Software Development Process. Addison-Wesley, Reading (1999)Google Scholar
  3. 3.
    Breu, R., Burger, K., Hafner, M., Popp, G.: Towards a Systematic Development of Secure Systems. In: Proceedings WOSIS 2004, pp. 1–12 (2004)Google Scholar
  4. 4.
    Firesmith, D.G.: Engineering Security Requirements. Journal of Object Technology 2(1), 53–68 (2003)CrossRefGoogle Scholar
  5. 5.
    Firesmith, D.G.: Security Use Cases. Journal of Object Technology, 53–64 (2003)Google Scholar
  6. 6.
    ISO/IEC_JTC1/SC27. Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management. ISO/IEC 13335 (2004)Google Scholar
  7. 7.
    ISO/IEC_JTC1/SC27. Information technology - Security techniques - Code of practice for information security management. ISO/IEC 17799 (2005)Google Scholar
  8. 8.
    ISO/IEC_JTC1/SC27. Information technology - Security techniques - Evaluation criteria for IT security. ISO/IEC 15408:2005 (Common Criteria v3.0) (2005)Google Scholar
  9. 9.
    Kim, H.-k., Chung, Y.-K.: Automatic Translation Form Requirements Model into Use Cases Modeling on UML. In: Gervasi, O., Gavrilova, M.L., Kumar, V., Laganá, A., Lee, H.P., Mun, Y., Taniar, D., Tan, C.J.K. (eds.) ICCSA 2005. LNCS, vol. 3482, pp. 769–777. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  10. 10.
    Kotonya, G., Sommerville, I.: Requirements Engineering Process and Techniques. Hardcovered, 294 (1998)Google Scholar
  11. 11.
    MAP. Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (MAGERIT - v 2) (2005) (Ministry for Public dministration of Spain)Google Scholar
  12. 12.
    Massacci, F., Prest, M., Zannone, N.: Using a security requirements engineering methodology in practice: The compliance with the Italian data protection legislation. Computers Standards and Interfaces 27, 445–455 (2005)CrossRefGoogle Scholar
  13. 13.
    Dermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Annual Computer Security Applications Conference. Phoenix (Arizona) (1999)Google Scholar
  14. 14.
    Mellado, D., Fernández-Medina, E., Piattini, M.: A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems. Computer Standards and Interfaces (2006)Google Scholar
  15. 15.
    Mellado, D., Fernández-Medina, E., Piattini, M.: A Comparative Study of Proposals for Establishing Security Requirements for the Development of Secure Information Systems. In: Gavrilova, M.L., Gervasi, O., Kumar, V., Tan, C.J.K., Taniar, D., Laganá, A., Mun, Y., Choo, H. (eds.) ICCSA 2006. LNCS, vol. 3982, pp. 1044–1053. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  16. 16.
    Mouratidis, H., Giorgini, P., Manson, G., Philp, I.: A Natural Extension of Tropos Methodology for Modelling Security. In: Workshop on Agent-oriented methodologies, at OOPSLA 2002. Seattle (WA) (2003)Google Scholar
  17. 17.
    Popp, G., Jürjens, J., Wimmel, G., Breu, R.: Security-Critical System Development with Extended Use Cases. In: 10th Asia-Pacific Software Engineering Conference, pp. 478–487 (2003)Google Scholar
  18. 18.
    Sindre, G., Firesmith, D.G., Opdahl, A.L.: A Reuse-Based Approach to Determining Security Requirements. In: 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ 2003), Austria (2003)Google Scholar
  19. 19.
    Toval, A., Nicolás, J., Moros, B., García, F.: Requirements Reuse for Improving Information Systems Security: A Practitioner’s Approach. Requirements Engineering Journal, 205–219 (2001)Google Scholar
  20. 20.
    Walton, J.P.: Developing a Enterprise Information Security Policy. In: Proceedings of the 30th annual ACM SIGUCCS conference on User services. ACM Press, New York (2002)Google Scholar
  21. 21.
    Yu, E.: Towards Modelling and Reasoning Support for Early-Phase Requirements Engineering. In: A3rd IEEE International Symposium on Requirements Engineering (RE 1997), pp. 226–235 (1997)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Daniel Mellado
    • 1
  • Eduardo Fernández-Medina
    • 2
  • Mario Piattini
    • 2
  1. 1.Information Technology Center of the National Social Security InstituteMinistry of Labour and Social AffairsMadridSpain
  2. 2.Alarcos Research Group, Information Systems and Technologies Department, UCLM-Soluziona Research and Development InstituteUniversity of Castilla-La ManchaCiudad RealSpain

Personalised recommendations