Security Requirements Elicitation from Engineering Governance, Risk Management and Compliance

  • Ana-Maria Ghiran
  • Robert Andrei Buchmann
  • Cristina-Claudia Osman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10753)


[Context and motivation:] There is a variety of sources from which security requirements may be derived, typically pertaining to fields such as software engineering, information systems risk assessment, security auditing, compliance management, IT governance etc. Several approaches, especially in the software engineering domain, have already investigated security requirements within a broader scope, including results from risk management. [Question/problem:] Identifying security requirements according to just one of these fields might not suffice – opportunities of integration and enrichment must be investigated. [Principal ideas/results:] Our proposal advocates a convergence of different security requirements sources towards their richer specification, based on semantic technology. [Contribution:] Through this vision paper, we sketch the outline for a new perspective on eliciting security requirements, based on knowledge-driven integration of approaches from software engineering, risk assessment, governance and compliance.


Keywords: Security requirements, Risk assessment, Governance, Compliance, GRC framework, Resource Description Framework



The work presented in this paper is supported by the Romanian National Research Authority, UEFISCDI, grant PN-III-P2-2.1-PED-2016-1140.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. Business Informatics Research Center, Babeș-Bolyai University, Cluj-Napoca, Romania
