Supporting Requirements Engineers in Recognising Security Issues

  • Eric Knauss
  • Siv Houmb
  • Kurt Schneider
  • Shareeful Islam
  • Jan Jürjens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6606)


Context & motivation: More and more software projects today are security-related in one way or the other. Many environments are initially not considered security-related and no security experts are assigned. Requirements engineers often fail to recognise indicators for security problems. Question/problem: Ignoring security issues early in a project is a major source of recurring security problems in practice. Identifying security-relevant requirements is labour-intensive and error-prone. Security may be neglected in order to finish on time and in budget. Principal ideas/results: In this paper, we address this problem by presenting a tool-supported method that provides assistance for requirements engineering, with an emphasis on security requirements. We investigate whether security-relevant requirements can be automatically identified using a Bayesian classifier. Our results indicate that this is feasible, in particular if the classifier is trained with domain specific data and documents from previous projects. Contribution: We show how the ability to identify security-relevant requirements can be integrated in a workflow of requirements analysis and reuse of experience. In practice, this can increase security awareness within the software development process. We discuss limitations and potential of this approach.


secure software engineering requirements analysis natural language processing empirical study 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    International Standardization Organization. ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, CCMB-2007-09-001, CCMB-2007-09-002 and CCMB-2007-09-003 (September 2007)Google Scholar
  2. 2.
    Houmb, S.H., Islam, S., Knauss, E., Jürens, J., Schneider, K.: Eliciting Security Requirements and Tracing them to Design: An Integration of Common Criteria, Heuristics, and UMLsec. Requirements Engineering Journal 15(1), 63–93 (2010)CrossRefGoogle Scholar
  3. 3.
    Knauss, E., Lübke, D., Meyer, S.: Feedback-Driven Requirements Engineering: The Heuristic Requirements Assistant. In: International Conference on Software Engineering (ICSE 2009), Formal Research Demonstrations Track, Vancouver, Canada, pp. 587–590 (2009)Google Scholar
  4. 4.
    Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2005)zbMATHGoogle Scholar
  5. 5.
    Schneider, K., Stapel, K., Knauss, E.: Beyond Documents: Visualizing Informal Communication. In: Proceedings of Third International Workshop on Requirements Engineering Visualization (REV 2008), Barcelona, Spain (2008)Google Scholar
  6. 6.
    den Braber, F., Hogganvik, I., Lund, M., Stølen, K., Vraalsen, F.: Model-based security analysis in seven steps - a guided tour to the CORAS method. BT Technology Journal 25(1), 101–117 (2007)CrossRefGoogle Scholar
  7. 7.
    Barber, B., Davey, J.: The use of the CCTA risk-analysis and management methodology [CRAMM] in health information systems. In: Degoulet, P., Lun, K., Piemme, T., Rienhoff, O. (eds.) MEDINFO 1992, pp. 1589–1593. Elsevier, North-Holland (1992)Google Scholar
  8. 8.
    Alberts, C., Dorofee, A.: Managing Information Security Risks: The OCTAVE (TM) Approach. Addison-Wesley, New York (2002)Google Scholar
  9. 9.
    Chantree, F., Nuseibeh, B., de Roeck, A., Willis, A.: Identifying Nocuous Ambiguities in Natural Language Requirements. In: Proceedings of the 14th IEEE International Requirements Engineering Conference, Minneapolis, USA, pp. 56–65. IEEE Computer Society, Los Alamitos (2006)Google Scholar
  10. 10.
    Kiyavitskaya, N., Zeni, N., Mich, L., Berry, D.M.: Requirements for tools for ambiguity identification and measurement in natural language requirements specifications. Requirements Engineering Journal 13(3), 207–239 (2008)CrossRefGoogle Scholar
  11. 11.
    Graham, P.: A Plan for Spam (2002) Web (January 2011),
  12. 12.
    Rennie, J.D.M., Shih, L., Teevan, J., Karger, D.R.: Tackling the Poor Assumptions of Naive Bayes Text Classifiers. In: Proceedings of the Twentieth International Conference on Machine Learning (ICML 2003), Washington, DC (2003)Google Scholar
  13. 13.
    Russell, S., Norvig, P.: Artificial Intelligence: a Modern Approach. Prentice Hall, New Jersey (1995)zbMATHGoogle Scholar
  14. 14.
    Ireson, N., Ciravegna, F., Califf, M.E., Freitag, D., Kushmerick, N., Lavelli, A.: Evaluating machine learning for information extraction. In: ICML 2005: Proceedings of the 22nd International Conference on Machine Learning, Bonn, Germany, pp. 345–352. ACM, New York (2005)Google Scholar
  15. 15.
    Weiss, S.M., Kulikowski, C.A.: Computer systems that learn: classification and prediction methods from statistics, neural nets, machine learning, and expert systems. M. Kaufmann Publishers, San Mateo (1991)Google Scholar
  16. 16.
    Baeza-Yates, R., Ribeiro-Neto, B.: Modern Information Retrieval. ACM Press, Addison Wesley (1999)Google Scholar
  17. 17.
    CEPSCO: Common Electronic Purse Specification (ePurse),, (accessed April 2007)
  18. 18.
    TISPAN, ETSI: Telecommunications and Internet converged Services and Protocols for Advanced Networking (TISPAN); Services requirements and capabilities for customer networks connected to TISPAN NGN. Technical report, European Telecommunications Standards InstituteGoogle Scholar
  19. 19.
    GlobalPlatform: Global Platform Specification (GPS), (accessed August 2010)
  20. 20.
    Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslén, A.: Experimentation In Software Engineering: An Introduction. Kluwer Academic Publishers, Boston (2000)CrossRefzbMATHGoogle Scholar
  21. 21.
    Chung, L.: Dealing with Security Requirements During the Development of Information Systems. In: Rolland, C., Cauvet, C., Bodart, F. (eds.) CAiSE 1993. LNCS, vol. 685, pp. 234–251. Springer, Heidelberg (1993)CrossRefGoogle Scholar
  22. 22.
    Dubois, E., Wu, S.: A framework for dealing with and specifying security requirements in information systems. In: Katsikas, S.K., Gritzalis, D. (eds.) SEC. IFIP Conference Proceedings, vol. 54, pp. 88–99. Chapman & Hall, Boca Raton (1996)Google Scholar
  23. 23.
    Lin, L., Nuseibeh, B., Ince, D.C., Jackson, M., Moffett, J.D.: Introducing Abuse Frames for Analysing Security Requirements. In: RE, pp. 371–372. IEEE Computer Society, Los Alamitos (2003)Google Scholar
  24. 24.
    Giorgini, P., Massacci, F., Mylopoulos, J.: Requirement engineering meets security: A case study on modelling secure electronic transactions by VISA and mastercard. In: Song, I.-Y., Liddle, S.W., Ling, T.-W., Scheuermann, P. (eds.) ER 2003. LNCS, vol. 2813, pp. 263–276. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  25. 25.
    Heitmeyer, C.L., Archer, M., Leonard, E.I., McLean, J.: Applying Formal Methods to a Certifiably Secure Software System. IEEE Trans. Software Eng. 34(1), 82–98 (2008)CrossRefGoogle Scholar
  26. 26.
    Berry, D., Kamsties, E.: 2. Ambiguity in Requirements Specification. In: Perspectives on Requirements Engineering, pp. 7–44. Kluwer, Dordrecht (2004)CrossRefGoogle Scholar
  27. 27.
    Kof, L.: Text Analysis for Requirements Engineering. PhD thesis, Technische Universität München, München (2005)Google Scholar
  28. 28.
    Lee, S.W., Muthurajan, D., Gandhi, R.A., Yavagal, D.S., Ahn, G.J.: Building Decision Support Problem Domain Ontology from Natural Language Requirements for Software Assurance. International Journal of Software Engineering and Knowledge Engineering 16(6), 851–884 (2006)CrossRefGoogle Scholar
  29. 29.
    Kiyavitskaya, N., Zeni, N., Breaux, T.D., Antón, A.I., Cordy, J.R., Mich, L., Mylopoulos, J.: Automating the extraction of rights and obligations for regulatory compliance. In: Li, Q., Spaccapietra, S., Yu, E., Olivé, A. (eds.) ER 2008. LNCS, vol. 5231, pp. 154–168. Springer, Heidelberg (2008)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Eric Knauss
    • 1
  • Siv Houmb
    • 2
  • Kurt Schneider
    • 1
  • Shareeful Islam
    • 3
  • Jan Jürjens
    • 4
  1. 1.Software Engineering GroupLeibniz Universität HannoverGermany
  2. 2.SecureNOK Ltd.Norway
  3. 3.School of Computing, IT and EngineeringUniversity of East LondonUK
  4. 4.Software EngineeringTechnische Universität Dortmund and Fraunhofer ISSTGermany

Personalised recommendations