A Requirements Engineering-Based Approach for Evaluating Security Requirements Engineering Methodologies
The significance of security requirements in building safety- and security-critical systems is widely acknowledged. However, given the multitude of security requirements engineering methodologies that exist today, selecting the most suitable methodology remains challenging. In a previous work, we proposed a generic evaluation methodology to elicit and evaluate the anticipated characteristics of a security requirements engineering methodology with regard to the stakeholders’ working context. In this article, we provide the empirical evaluation of three security requirements engineering methodologies, KAOS, STS and SEPP, with respect to the evaluation criteria elicited for the network SRE context. The study shows that none of them provides good support for deriving network security requirements.
Keywords: Security requirements engineering; Evaluation methodology
This work is part of project IREHDO2 funded by DGA/DGAC. The authors thank the security experts at Airbus and the anonymous reviewers for their useful comments.