A Systematic Mapping Study on Security Requirements Engineering Frameworks for Cyber-Physical Systems

  • Shafiq RehmanEmail author
  • Volker Gruhn
  • Saad Shafiq
  • Irum Inayat
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11342)


Since the world is moving towards secure systems which makes security a primary concern and not an afterthought in software development. Secure software development involves security at each step of development lifecycle from requirements phase to testing. With surging focus on security requirements, we can see an increase in frameworks/methods/techniques proposed to deal with security requirements for variable applications. However, to summarise the literature findings till date and to propose further ways to handle security requirements a systematic and comprehensive review is needed. Our objective is to conduct a systematic mapping study for cyber-physical systems: (i) to explore and analyse security requirements engineering frameworks/methods/techniques proposed till date, (ii) to investigate on their strengths and weaknesses, and (iii) to determine the security threats and requirements reported in literature. We conducted a systematic mapping study for which we defined our goals and determined research questions, defined inclusion/exclusion criteria, and designed the map systematically based on the research questions. The search yielded 337 articles after deploying the query on multiple databases and refining the search iteratively through a multistep process. The mapping study identified and categorised the existing security requirements engineering frameworks/methods/techniques focused on their implementation and evaluation mechanisms. Second, we identified and categorised the proposed to deal with security requirements for multiple domains, determined their strengths/weaknesses, and also security requirements and threats reports in the selected studies. The study provides an overall view of the state-of-the-art frameworks/methods/techniques proposed till date to deal with security requirements. The results of this study provide insights to researchers to focus more on developing frameworks to deal with security requirements for particular kinds of systems like cyber-physical systems. Also, it motivates future work to devise methods to cater domain specific security risks and requirements.


Security requirements Security requirements engineering Security requirements engineering frameworks Threat Security goal Cyber-physical systems 



This work has been supported by the European Community through project CPS.HUB NRW, EFRE Nr. 0-4000-17.


  1. 1.
    Anderson, R.J.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, Hoboken (2010)Google Scholar
  2. 2.
    Mellado, D., Blanco, C., Sánchez, L.E., Fernández-Medina, E.: A systematic review of security requirements engineering. Comput. Stand. Interfaces 32(4), 153–165 (2010)CrossRefGoogle Scholar
  3. 3.
    Muñante, D., Chiprianov, V., Gallon, L., Aniorté, P.: A review of security requirements engineering methods with respect to risk analysis and model-driven engineering. In: Teufel, S., Min, T.A., You, I., Weippl, E. (eds.) CD-ARES 2014. LNCS, vol. 8708, pp. 79–93. Springer, Cham (2014). Scholar
  4. 4.
    Yahya, S., Kamalrudin, M., Sidek, S.: A review on tool supports for security requirements engineering. In: IEEE Conference on Open Systems, ICOS 2013, pp. 190–194 (2013)Google Scholar
  5. 5.
    Yadav, S.A., Kumar, S.R., Sharma, S., Singh, A.: A review of possibilities and solutions of cyber attacks in smart grids. In: 1st International Conference on Innovation and Challenges in Cyber Security, ICICCS 2016, pp. 60–63 (2016)Google Scholar
  6. 6.
    Petersen, K., Feldt, R., Mujtaba, S., Mattsson, M.: Systematic mapping studies in software engineering. In: EASE, vol. 8, pp. 68–77 (2008)Google Scholar
  7. 7.
    Paja, E., Dalpiaz, F., Giorgini, P.: Managing security requirements conflicts in socio-technical systems. In: Ng, W., Storey, V.C., Trujillo, J.C. (eds.) ER 2013. LNCS, vol. 8217, pp. 270–283. Springer, Heidelberg (2013). Scholar
  8. 8.
    Wimmel, G., Wisspeintner, A.: Extended description techniques for security engineering. In: Dupuy, M., Paradinas, P. (eds.) SEC 2001. IIFIP, vol. 65, pp. 469–485. Springer, Boston, MA (2002). Scholar
  9. 9.
    Vivas, J.L., Montenegro, J.A., López, J.: Towards a business process-driven framework for security engineering with the UML. In: Boyd, C., Mao, W. (eds.) ISC 2003. LNCS, vol. 2851, pp. 381–395. Springer, Heidelberg (2003). Scholar
  10. 10.
    Srivatanakul, T., Clark, J.A., Polack, F.: Effective security requirements analysis: HAZOP and use cases. In: Zhang, K., Zheng, Y. (eds.) ISC 2004. LNCS, vol. 3225, pp. 416–427. Springer, Heidelberg (2004). Scholar
  11. 11.
    Giorgini, P., Massacci, F., Zannone, N.: Security and trust requirements engineering. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2004-2005. LNCS, vol. 3655, pp. 237–272. Springer, Heidelberg (2005). Scholar
  12. 12.
    Mellado, D., Fernández-Medina, E., Piattini, M.: Applying a security requirements engineering process. In: Gollmann, D., Meier, J., Sabelfeld, A. (eds.) ESORICS 2006. LNCS, vol. 4189, pp. 192–206. Springer, Heidelberg (2006). Scholar
  13. 13.
    Haley, C.B., Laney, R.C., Moffett, J.D., Nuseibeh, B.: Using trust assumptions with security requirements. Requir. Eng. 11(2), 138–151 (2006)CrossRefGoogle Scholar
  14. 14.
    Bryl, V., Massacci, F., Mylopoulos, J., Zannone, N.: Designing security requirements models through planning. In: Dubois, E., Pohl, K. (eds.) CAiSE 2006. LNCS, vol. 4001, pp. 33–47. Springer, Heidelberg (2006). Scholar
  15. 15.
    Herrmann, A., Paech, B.: MOQARE: misuse-oriented quality requirements engineering. Requir. Eng. 13(1), 73–86 (2008)CrossRefGoogle Scholar
  16. 16.
    Moradian, E., Håkansson, A.: Controlling security of software development with multi-agent system. In: Setchi, R., Jordanov, I., Howlett, R.J., Jain, L.C. (eds.) KES 2010. LNCS (LNAI), vol. 6279, pp. 98–107. Springer, Heidelberg (2010). Scholar
  17. 17.
    Rieke, R., Coppolino, L., Hutchison, A., Prieto, E., Gaber, C.: Security and reliability requirements for advanced security event management. In: Kotenko, I., Skormin, V. (eds.) MMM-ACNS 2012. LNCS, vol. 7531, pp. 171–180. Springer, Heidelberg (2012). Scholar
  18. 18.
    Li, T., Horkoff, J.: Dealing with security requirements for socio-technical systems: a holistic approach. In: Jarke, M., et al. (eds.) CAiSE 2014. LNCS, vol. 8484, pp. 285–300. Springer, Cham (2014). Scholar
  19. 19.
    Souag, A., Salinesi, C., Mazo, R., Comyn-Wattiau, I.: A security ontology for security requirements elicitation. In: Piessens, F., Caballero, J., Bielova, N. (eds.) ESSoS 2015. LNCS, vol. 8978, pp. 157–177. Springer, Cham (2015). Scholar
  20. 20.
    Neureiter, C., Eibl, G., Engel, D., Schlegel, S., Uslar, M.: A concept for engineering smart grid security requirements based on SGAM models. Comput. Sci.-Res. Dev. 31(1–2), 65–71 (2016)CrossRefGoogle Scholar
  21. 21.
    Rosa, N.S., Justo, G.R.R., Cunha, P.R.F.: A framework for building non-functional software architectures. In: Proceedings of the 2001 ACM Symposium on Applied Computing, pp. 141–147 (2001)Google Scholar
  22. 22.
    Jürjens, J.: Using UMLsec and goal trees for secure systems development. In: Proceedings of the 2002 ACM Symposium on Applied Computing, pp. 1026–1030 (2002)Google Scholar
  23. 23.
    Basin, D., Doser, J., Lodderstedt, T.: Model driven security for process-oriented systems. In: Proceedings of the Eighth ACM Symposium on Access Control Models and Technologies, pp. 100–109 (2003)Google Scholar
  24. 24.
    De Landtsheer, R., Van Lamsweerde, A.: Reasoning about confidentiality at requirements engineering time. In: Proceedings of the 10th European Software Engineering Conference Held Jointly with 13th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pp. 41–49 (2005)Google Scholar
  25. 25.
    Romero-Mariona, J.: Secure and usable requirements engineering. In: Proceedings of the 2009 IEEE/ACM International Conference on Automated Software Engineering, pp. 703–706 (2009)Google Scholar
  26. 26.
    Cui, J.-S., Zhang, D.: The research and application of security requirements analysis methodology of information systems. In: 2nd International Conference on Anti-counterfeiting, Security and Identification, ASID, pp. 30–36 (2008)Google Scholar
  27. 27.
    Howard, G., Butler, M., Colley, J., Sassone, V.: Formal analysis of safety and security requirements of critical systems supported by an extended STPA methodology. In: 2017 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), pp. 174–180 (2017)Google Scholar
  28. 28.
    Gao, Y., et al.: Analysis of security threats and vulnerability for cyber-physical systems. In: 2013 3rd International Conference on Computer Science and Network Technology (ICCSNT), pp. 50–55. IEEE (2013)Google Scholar
  29. 29.
  30. 30.
    Rehman, S., Gruhn, V.: Security requirements engineering (SRE) framework for cyber-physical systems (CPS): SRE for CPS. In: Proceedings of the 16th International Conference on New Trends in Intelligent Software Methodologies, Tools and Techniques, SoMeT_17, vol. 297, p. 153 (2017)Google Scholar
  31. 31.
    Rehman, S., Gruhn, V.: An effective security requirements engineering framework for cyber-physical systems. Technologies 6(3), 65 (2018)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  • Shafiq Rehman
    • 1
    Email author
  • Volker Gruhn
    • 1
  • Saad Shafiq
    • 2
  • Irum Inayat
    • 2
  1. 1.Institute of Software TechnologyUniversity of Duisburg-EssenEssenGermany
  2. 2.National University of Computer and Emerging SciencesIslamabadPakistan

Personalised recommendations