A comparison of security requirements engineering methods

  • Special Issue - Security Requirements Engineering
  • Journal: Requirements Engineering

Abstract

This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.

Notes

  1. http://www.scholar.google.com

  2. http://www.ieeexplore.ieee.org

  3. http://www.citeseer.ist.psu.edu

  4. http://www.re09.org

  5. We propose to avoid the use of “context”, because it is an overloaded term within software engineering. In requirements engineering, “context” is often used to refer to the specific environment in which the machine is situated [19]. Context has also increasingly become a concept in newer branches of computer science. One example is “context-aware systems”, which model the properties of a given context, which may or may not be the physical environment. Context is then used to adapt the machine or the environment to the users’ needs.

  6. A non-monotonic logic in which defeasible rules can be overridden by others when certain conditions hold. For example, in the case of an emergency, certain confidentiality rules can be overridden.

  7. The definition of mal-activity diagrams [46] is based on a similar idea. In this recent work, malicious activities and actors are added to UML activity diagrams in order to model potential attacks.

  8. Details about the i*-modeling framework can be found online: http://www.istar.rwth-aachen.de/

  9. Details about Si*: http://www.sesa.dit.unitn.it/sistar_tool/

  10. http://www.troposproject.org/tools/grtool/

References

  1. Common Criteria for Information Technology Security Evaluation, Version 3.1. (2006) [Online]. Available: http://www.commoncriteriaportal.org/public/expert/

  2. Bishop M (2003) Computer security. Addison-Wesley, New York

  3. Viega J, McGraw G (2001) Building secure software: how to avoid security problems the right way. Addison-Wesley, New York

  4. Eckert C (2004) IT-Sicherheit, 3rd edn. Oldenbourg-Verlag, München

  5. Firesmith DG (2003) Common concepts underlying safety, security, and survivability engineering. Carnegie Mellon University. Technical report SEI-2003-TN-033

  6. Rupp C, SOPHIST GROUP (2003) Requirements-engineering und -management, 3rd edn. Carl Hanser Verlag

  7. Rannenberg K, Pfitzmann A, Müller G (1999) IT security and multilateral security. In: Müller G, Rannenberg K (eds) Multilateral security in communications—technology, infrastructure, economy. Addison-Wesley, pp 21–29

  8. Zave P, Jackson M (1997) Four dark corners of requirements engineering. ACM Trans Softw Eng Methodol 6(1):1–30

  9. Fricker S, Gorschek T, Glinz M (2008) Goal-oriented requirements communication in new product development. In: Proceedings of the international workshop on software product management. IEEE Computer Society, Los Alamitos, pp 27–34

  10. Liu L, Yu E (2001) From requirements to architectural design using goals and scenarios. In: Proceedings of the international workshop from software requirements to architectures (STRAW). Toronto

  11. Antón AI, Earp JB (2000) Strategies for developing policies and requirements for secure electronic commerce systems. Department of Computer Science, North Carolina State University. Technical report TR-2000-09. [Online]. Available: citeseer.ist.psu.edu/anton00strategies.html

  12. Mylopoulos J, Chung L, Nixon B (1992) Representing and using non-functional requirements: a process-oriented approach. IEEE Transactions on Software Engineering pp 483–497

  13. Sommerville I (2007) Software Engineering, 8th edn. Addison Wesley, New York

  14. Glinz M (2007) On non-functional requirements. In: Proceedings of 15th IEEE international requirements engineering conference (RE ’07), pp 21–26

  15. Jureta I, Mylopoulos J, Faulkner S (2008) Revisiting the core ontology and problem in requirements engineering. In: Proceedings of 16th IEEE international requirements engineering conference (RE ’08), pp 71–80

  16. Information technology—security techniques—code of practice for information security management (ISO/IEC FDIS 17799:2005) (2005) International Organization for Standardization

  17. Information technology—security techniques—management of information and communications technology security—part 1: Concepts and models for information and communications technology security management (ISO/IEC 13335-1:2004)(2004) International Organization for Standardization

  18. NIST SP 800-26: Security Self-Assessment Guide for Information Technology Systems (2001) National institute of standards and technology

  19. Berry DM, Lawrence B (1998) Guest editors’ introduction: requirements engineering. IEEE Softw 15(2):26–29

  20. Robinson WN, Pawlowski SD, Volkov V (2003) Requirements interaction management. ACM Comput Surv 35(2):132–190

  21. Finkelstein A, Gabbay D, Hunter A, Kramer J, Nuseibeh B (1994) Inconsistency handling in multi-perspective specifications. IEEE Trans Softw Eng 20:569–578

  22. Easterbrook S, Nuseibeh B (1996) Using viewpoints for inconsistency management. Softw Eng J 31–43

  23. Kotonya G, Sommerville I (1996) Requirements engineering with viewpoints. BCS/IEE Softw Eng J 11(1):5–18

  24. Giorgini P, Massacci F, Mylopoulos J, Zannone N (2006) Detecting conflicts of interest. In: Proceedings 14th IEEE international requirements engineering conference (RE ’06). IEEE Computer Society, pp 308–311

  25. van Lamsweerde A, Darimont R, Massonet P (1998) Managing conflicts in goal-driven requirements engineering. IEEE Trans Softw Eng 24

  26. Jackson M, Zave P (1995) Deriving specifications from requirements: an example. In: Proceedings 17th international conference on software engineering. ACM Press, Seattle, pp 15–24

  27. Haley CB, Laney R, Moffett JD, Nuseibeh B (2006) Using trust assumptions with security requirements. Requir Eng 11(2):138–151

  28. Haley CB, Laney R, Moffett J, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153

  29. Santen T (2006) Stepwise development of secure systems. In: Górski J (ed) International conference on computer safety, reliability and security (SAFECOMP), ser. LNCS 4166. Springer, pp 142–155

  30. Moffett JD, Haley CB, Nuseibeh B (2004) Core security requirements artifacts. The Open University, UK (technical report)

  31. Breaux TD, Antón AI (2005) Analyzing goal semantics for rights, permissions, and obligations. In: Requirements engineering, pp 177–188

  32. Mayer N (2009) Model-based management of information system security risk. Ph.D. dissertation, University of Namur [Online]. Available: http://www.nmayer.eu/publis/Thesis_Mayer_2.0.pdf

  33. Mayer N, Heymans P, Matulevičius R (2007) Design of a modelling language for information system security risk management. In: 1st International conference on research challenges in information science (RCIS 2007)

  34. Mellado D, Fernandez-Medina E, Piattini M (2006) A comparison of the Common Criteria with proposals of information systems security requirements. In: ARES ’06: proceedings of the first international conference on availability, reliability and security (ARES’06). IEEE Computer Society, Washington, DC, pp 654–661

  35. Kalloniatis C, Kavakli E, Gritzalis S (2004) Security requirements engineering for e-government applications: analysis of current frameworks. Springer, Berlin

  36. Tøndel I, Jaatun M, Meland P (2008) Security requirements for the rest of us: a survey. IEEE Softw 25(1):20–27

  37. van Lamsweerde A (2007) Engineering requirements for system reliability and security. In: Broy JGM, Hoare C (eds) Software system reliability and security, ser. NATO security through science series-D: information and communication security, vol 9. IOS Press, pp 196–238

  38. Gürses S, Santen T (2006) Contextualizing security goals—a method for multilateral security requirements elicitation. In: Dittmann J (ed) Proceedings of Sicherheit 2006—Schutz und Zuverlässigkeit, ser. Lecture notes in Informatics. Gesellschaft für Informatik, pp 42–53

  39. Gürses S, Berendt B, Santen T (2006) Multilateral security requirements analysis for preserving privacy in ubiquitous environments. In: Berendt B, Menasalvas E (eds) Proceedings of workshop on ubiquitous knowledge discovery for users (UKDU’06) [Online]. Available: http://www.vasarely.wiwi.hu-berlin.de/UKDU06/Proceedings/UKDU06-proceedings.pdf

  40. Gürses S, Jahnke JH, Obry C, Onabajo A, Santen T, Price M (2005) Eliciting confidentiality requirements in practice. In: CASCON ’05: Proceedings of the 2005 conference of the centre for advanced studies on collaborative research. IBM Press, pp 101–116

  41. Onabajo A, Weber-Jahnke J (2008) Stratified modeling and analysis of confidentiality requirements. In: 41st Annual Hawaii international conference on system sciences

  42. Mead N, Hough E, Stehney T (2005) Security quality requirements engineering (SQUARE) methodology. Carnegie Mellon Software Engineering Institute, Technical report CMU/SEI-2005-TR-009

  43. Mead N, Viswanathan V, Padmanabhan D, Raveendran A (2008) Incorporating security quality requirements engineering (SQUARE) into standard life-cycle models. Carnegie Mellon Software Engineering Institute. Technical report CMU/SEI-2008-TN-006

  44. UML Revision Task Force (2006) OMG unified modeling language: superstructure. http://www.omg.org/docs/ptc/06-04-02.pdf

  45. Sindre G, Opdahl AL (2001) Capturing security requirements by misuse cases. In: Proceedings of the 14th Norwegian informatics conference (NIK’2001)

  46. Sindre G (2007) Mal-activity diagrams for capturing attacks on business processes. In: Sawyer P, Paech B, Heymans P (eds) Proceedings of REFSQ 2007, ser. LNCS 4542. Springer, pp 355–366

  47. Lodderstedt T, Basin DA, Doser J (2002) SecureUML: a UML-based modeling language for model-driven security. In: Proceedings of the 5th international conference on the unified modeling language (UML’02). Springer, London, pp 426–441

  48. UML Revision Task Force (2006) OMG object constraint language: reference. http://www.omg.org/docs/formal/06-05-01.pdf

  49. Jürjens J (2003) Secure systems development with UML. Springer, New York

  50. Bertrand P, Darimont R, Delor E, Massonet P, van Lamsweerde A (1998) GRAIL/KAOS: an environment for goal driven requirements engineering. In: ICSE’98—20th international conference on software engineering

  51. Dardenne A, van Lamsweerde A, Fickas S (1993) Goal-directed requirements acquisition. Sci Comput Program 20(1–2):3–50

  52. van Lamsweerde A (2004) Elaborating security requirements by construction of intentional anti-models. In: ICSE, pp 148–157

  53. Bresciani P, Perini A, Giorgini P, Giunchiglia F, Mylopoulos J (2004) Tropos: an agent-oriented software development methodology. Auton Agent Multi Agent Syst 8(3):203–236

  54. Giorgini P, Susi A, Perini A, Mylopoulos J (2005) The tropos metamodel and its use. Inf J 29:401–408

  55. Fuxman A, Liu L, Mylopoulos J, Pistore M, Roveri M, Traverso P (2004) Specifying and analyzing early requirements in tropos. Requir Eng J 9(2):132–150

  56. Yu ES-K (1996) Modelling strategic relationships for process reengineering. Ph.D. dissertation, University of Toronto, Toronto

  57. Yu ESK (1997) Towards modeling and reasoning support for early-phase requirements engineering. In: RE ’97: proceedings of the 3rd IEEE international symposium on requirements engineering. IEEE Computer Society, Washington, DC, p 226

  58. Yu ESK, Liu L (2001) Modelling trust for system design using the i* strategic actors framework. In: Proceedings of the workshop on deception, fraud, and trust in agent societies held during the autonomous agents conference. Springer, London, pp 175–194

  59. Giorgini P, Mouratidis H, Zannone N (2007) Modelling security and trust with secure tropos. In: Integrating security and software engineering: advances and future vision. IDEA

  60. Mouratidis H, Giorgini P (2007) Secure tropos: a security-oriented extension of the tropos methodology. Int J Softw Eng Knowl Eng 17(2):285–309

  61. Mouratidis H, Giorgini P (2004) Enhancing secure tropos to effectively deal with security requirements in the development of multiagent systems. In: Proceedings of the 1st international workshop on safety and security in multiagent systems, SASEMAS

  62. Mouratidis H, Giorgini P (2005) Secure tropos: dealing effectively with security requirements in the development of multiagent systems. In: Proceedings of the 2nd international workshop on safety and security in multi-agent systems, SASEMAS, ser. Computers & Security, vol 24, no 8. Elsevier, pp 614–617

  63. Massacci F, Mylopoulos J, Zannone N (2007) Ontologies for business interaction. Information science reference, ch. An ontology for secure socio-technical systems pp 188–207

  64. Elahi G, Yu E (2007) A goal oriented approach for modeling and analyzing security trade-offs. University of Toronto, Department of Computer Science. Technical report

  65. Matulevičius R, Mayer N, Mouratidis H, Dubois E, Heymans P, Genon N (2008) Adapting secure tropos for security risk management in the early phases of information systems development. In: CAiSE ’08: proceedings of the 20th international conference on advanced information systems engineering. Springer, Berlin, pp 541–555

  66. Mayer N, Rifaut A, Dubois E (2005) Towards a risk-based security requirements engineering framework. In: Proceedings of the 11th international workshop on requirements engineering: foundation for software quality (REFSQ’05), in conjunction with the 17th conference on advanced information systems engineering (CAiSE’05)

  67. Bauer B, Müller JP, Odell J (2001) Agent UML: a formalism for specifying multiagent software systems. Int J Softw Eng Knowl Eng 11(3):207–230

  68. Giorgini P, Manson G, Mouratidis H (2004) Using security attack scenarios to analyse security during information systems design. In: The 6th international conference on enterprise information systems. Porto

  69. Liu L, Yu E, Mylopoulos J (2003) Security and privacy requirements analysis within a social setting. In: Proceedings of 11th IEEE requirements engineering conference. IEEE Press, pp 151–161

  70. Abiteboul S, Hull R, Vianu V (1995) Foundations of databases. Addison-Wesley, New York

  71. Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) St-tool: a case tool for security requirements engineering. In: RE-05. IEEEP, pp 451–452

  72. Massacci F, Zannone N (2006) Detecting conflicts between functional and security requirements with secure tropos: John Rusnak and the Allied Irish Bank

  73. Leone N, Pfeifer G, Faber W, Eiter T, Gottlob G, Perri S, Scarcello F (2006) The DLV system for knowledge representation and reasoning. ACM Trans Comput Logic 7(3):499–562

  74. He Q, Antón AI (2003) A framework for modeling privacy requirements in role engineering. In: International workshop on requirements engineering for software quality (REFSQ 2003)

  75. CERIAS Technical Report (1999) Policy framework for interpreting risk in ecommerce security

  76. Hauser J, Clausing D (1988) The house of quality. Harv Bus Rev 32(5)

  77. Jackson M (2001) Problem frames. Analyzing and structuring software development problems. Addison-Wesley, New York

  78. Lin L, Nuseibeh B, Ince D, Jackson M (2004) Using abuse frames to bound the scope of security problems. In: Proceedings of 11th IEEE international requirements engineering conference (RE’04). pp 354–355

  79. Hatebur D, Heisel M, Schmidt H (2006) Security engineering using problem frames. In: Müller G (ed) Proceedings of the international conference on emerging trends in information and communication security (ETRICS’06), ser. LNCS 3995. Springer, pp 238–253

  80. Hatebur D, Heisel M, Schmidt H (2007) A pattern system for security requirements engineering. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 356–365

  81. Hatebur D, Heisel M, Schmidt H (2007) A security engineering process based on patterns. In: Proceedings of the international workshop on secure systems methodologies using patterns (SPatterns). IEEE Computer Society, pp 734–738

  82. Hatebur D, Heisel M, Schmidt H (2008) Analysis and component-based realization of security requirements. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 195–203

  83. Schmidt H (2009) Pattern-based confidentiality-preserving refinement. In: Engineering secure software and systems—first international symposium (ESSoS), ser. LNCS, vol 5429. Springer, Berlin, pp 43–59

  84. Schmidt H, Wentzlaff I (2006) Preserving software quality characteristics from requirements analysis to architectural design. In: Proceedings of the European workshop on software architectures (EWSA), vol 4344/2006. Springer, Berlin, pp 189–203

  85. Haley CB, Moffett JD, Laney R, Nuseibeh B (2006) A framework for security requirements engineering. In: SESS ’06: proceedings of the 2006 international workshop on Software engineering for secure systems. ACM Press, New York, pp 35–42

  86. Haley C, Laney R, Moffett J, Nuseibeh B (2004) Picking battles: the impact of trust assumptions on the elaboration of security requirements. In: Jensen CD, Poslad S, Dimitrakos T (eds) iTrust’04, pp 347–354

  87. Haley CB, Moffett JD, Laney R, Nuseibeh B (2005) Arguing security: validating security requirements using structured argumentation. In: Proceedings of the 3rd symposium on requirements engineering for information security (SREIS’05). Paris

  88. Braber F, Hogganvik I, Lund MS, Stølen K, Vraalsen F (2007) Model-based security analysis in seven steps—a guided tour to the CORAS method. BT Technol J 25(1):101–117

  89. Dahl HEI, Hogganvik I, Stølen K (2007) Structured semantics for the CORAS security risk modelling language. SINTEF information and communication technology Technical report STF07 A970

  90. Asnar Y, Giorgini P, Massacci F, Zannone N (2007) From trust to dependability through risk analysis. In: Proceedings of the international conference on availability, reliability and security (AReS). IEEE Computer Society, pp 19–26

  91. Asnar Y, Giorgini P, Mylopoulos J (2006) Risk modelling and reasoning in goal models. University of Trento. Technical report DIT-06-008

  92. Keblawi F, Sullivan D (2006) Applying the common criteria in systems engineering. IEEE Secur Priv 4(2):50–55

  93. Mellado D, Fernandez-Medina E, Piattini M (2006) Applying a security requirements engineering process. In: ESORICS’06

  94. Mellado D, Fernandez-Medina E, Piattini M (2006) A comparison of the common criteria with proposals of information systems security requirements. In: First international conference on availability, reliability, and security (ARES’06). pp 654–661

  95. Booch G, Rumbaugh J, Jacobson I (1999) The Unified Software Development Process. Addison-Wesley, New York

  96. Sindre G, Firesmith DG, Opdahl AL (2003) A reuse-based approach to determining security requirements. In: Ninth international workshop on requirements engineering (REFSQ’03). http://www.citeseer.ist.psu.edu/580371.html

  97. MAP (2005) Metodología de análisis y gestión de riesgos de los sistemas de información (MAGERIT v2)

Acknowledgments

We thank the anonymous reviewers for their helpful comments and suggestions.

Author information

Correspondence to Holger Schmidt.

Cite this article

Fabian, B., Gürses, S., Heisel, M. et al. A comparison of security requirements engineering methods. Requirements Eng 15, 7–40 (2010). https://doi.org/10.1007/s00766-009-0092-x
