Enhancing security requirements engineering by organizational learning

Requirements Engineering

Volumn 17, Issue 1, 2012, Pages 35-56

  Schneider, Kurt ^a   Knauss, Eric ^a   Houmb, Siv ^b   Islam, Shareeful ^c   Jürjens, Jan ^d  

^a LEIBNIZ UNIVERSITY HANNOVER   (Germany)

^b Secure NOK AS   (Norway)

^c UNIVERSITY OF EAST LONDON   (United Kingdom)

^d TU DORTMUND UNIVERSITY   (Germany)

Author keywords

Organizational learning; Requirements analysis; Requirements workflow modeling; Secure software engineering

Indexed keywords

BAYESIAN CLASSIFIER; DOMAIN SPECIFIC; ERROR PRONES; EUROPEAN TELECOMMUNICATIONS STANDARDS INSTITUTES; ORGANIZATIONAL LEARNING; ORGANIZATIONAL LEVELS; PROJECT REQUIREMENT; REQUIREMENTS ANALYSIS; REQUIREMENTS ENGINEERS; SECURE SOFTWARE ENGINEERING; SECURITY AWARENESS; SECURITY REQUIREMENTS; SECURITY REQUIREMENTS ENGINEERING; SECURITY VULNERABILITIES; SOCIOTECHNICAL; SOFTWARE PROJECT; STEP-BY-STEP; WORKFLOW MODELING;

KNOWLEDGE MANAGEMENT; SOFTWARE ENGINEERING;

REQUIREMENTS ENGINEERING;

EID: 84857362096     PISSN: 09473602     EISSN: 1432010X     Source Type: Journal    
DOI: 10.1007/s00766-011-0141-0     Document Type: Article

References (57)

1. Alberts C, Dorofee A (2002) Managing information security risks: the OCTAVE (TM) approach. Addison-Wesley, New York.
2. Allmann C, Winkler L, Kölzow T (2006) The requirements engineering gap in the OEM-supplier relationship. J Univers Knowl Manag 1(2): 103-111.
3. Baeza-Yates R, Ribeiro-Neto B (1999) Modern information retrieval. ACM Press, Addison Wesley.
4. Barber B, Davey J (1992) The use of the CCTA risk-analysis and management methodology [CRAMM] in health information systems. In: Degoulet P, Lun KC, Piemme TE, Rienhoff O (eds) MEDINFO '92, Elsevier, North-Holland, pp 1589-1593.
5. Berry DM, Kamsties E (2004) Perspectives on requirements engineering, chapter 2. Ambiguity in requirements specification. Kluwer, pp 7-44.
6. CEPSCO. Common electronic purse specification (ePurse). http://web. archive. org/web/*/http://www. cepsco. com. Accessed Apr 2007.
7. Chantree F, Nuseibeh B, de Roeck A, Willis A (2006) Identifying Nocuous ambiguities in natural language requirements. In: Proceedings of the 14th IEEE international requirements engineering conference, pp 56-65, Minneapolis, USA, 2006. IEEE Computer Society.
8. Chung L (1993) Dealing with security requirements during the development of information systems. In: Rolland C, Bodart F, Cauvet C (eds) CAiSE, vol 685 of lecture notes in computer science, pp 234-251. Springer.
9. Damian D, Marczak S, Kwan I (2007) Collaboration patterns and the impact of distance on awareness in requirements-centred social networks. In: Proceedings of 15th IEEE international requirements engineering conference (RE 2007), New Delhi, India.
10. De Marco T (1979) Structured analysis and system specification. Prentice-Hall, Englewood Cliffs.
11. den Braber F, Hogganvik I, Lund MS, Stølen K, Vraalsen F (2007) Model-based security analysis in seven steps-a guided tour to the CORAS method. BT Technol J 25(1): 101-117.
12. Fischer G (1994) Domain-oriented design environments. Autom Softw Eng 1: 177-203.
13. Giorgini P, Massacci F, Mylopoulos J (2003) Requirement engineering meets security: a case study on modelling secure electronic transactions by VISA and mastercard. In: Song I-Y, Liddle SW, Ling TW, Scheuermann P (eds) ER, vol 2813 of lecture notes in computer science. Springer, pp 263-276.
14. Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) ST-Tool: a CASE tool for security requirements engineering. In: RE '05: proceedings of the 13th IEEE international conference on requirements engineering, pp 451-452, Washington, DC, USA. IEEE Computer Society.
15. GlobalPlatform. Global platform specification (GPS). http://www. globalplatform. org. Accessed Aug 2010.
16. Höhn S, Jürjens J (2008) Rubacon: automated support for model-based compliance engineering. In: Robby (ed) ICSE, pp 875-878. ACM.
17. Houmb SH, Islam S, Knauss E, Jürjens J, Schneider K (2010) Eliciting security requirements and tracing them to design: an integration of common criteria, heuristics, and UMLsec. Requir Eng J 15(1): 63-93.
18. International Standardization Organization (2007) ISO 15408: 2007 common criteria for information technology security evaluation, version 3. 1, revision 2, CCMB-2007-09-001, CCMB-2007-09-002 and CCMB-2007-09-003, Sept 2007.
19. Ireson N, Ciravegna F, Califf ME, Freitag D, Kushmerick N, Lavelli A (2005) Evaluating machine learning for information extraction. In: ICML '05: proceedings of the 22nd international conference on machine learning, pp 345-352, Bonn, Germany. ACM.
20. Islam S, Pavlidis M (2011) SecTro: a CASE tool for modelling security in requirements engineering using secure tropos. In: CAiSE '11: Proceedings of the CAiSE forum 2011, pp 89-96, London. CEUR-WS, vol-734.
21. Jürjens J (2005) Secure systems development with UML. Springer, New York.
22. Jürjens J, Shabalin P (2007) Tools for secure systems development with UML. Int J Softw Tools Technol Transf 9(5): 527-544.
23. Jürjens J, Wimmel G (2001) Formally testing fail-safety of electronic purse protocols. In: 16th international conference on automated software engineering (ASE 2001), pp 408-411. IEEE Computer Society.
24. Jürjens J, Schreck J, Bartmann P (2008) Model-based security analysis for mobile communications. In: 30th intern. conference on software engineering (ICSE 2008). ACM.
25. Kelloway KE, Barling J (2000) Knowledge work as organizational behavior. Int J Manag Rev 2: 287-304.
26. Kiyavitskaya N, Zeni N, Breaux TD, Antón AI, Cordy JR, Mich L, Mylopoulos J (2008) Automating the extraction of rights and obligations for regulatory compliance. In: Li Q, Spaccapietra S, Yu E, Olivé A (eds) Proceedings of 27th international conference on conceptual modeling, lecture notes in computer science, pp 154-168, Barcelona, Spain. Springer.
27. Kiyavitskaya N, Zeni N, Mich L, Berry DM (2008) Requirements for tools for ambiguity identification and measurement in natural language requirements specifications. Requir Eng J 13(3): 207-239.
28. Knauss EW (2010) Verbesserung der Dokumentation von Anforderungen auf Basis von Erfahrungen und Heuristiken. Cuvillier Verlag, Göttingen, Germany. Phd thesis.
29. Knauss E, Flohr T (2007) Managing requirement engineering processes by adapted quality gateways and critique-based RE-Tools. In: Proceedings of workshop on measuring requirements for project and product success, Palma de Mallorca, Spain, November. in conjunction with the IWSM-Mensura conference.
30. Knauss E, Lübke D (2008) Using the friction between business processes and use cases in SOA requirements. In: Proceedings of the 32nd annual IEEE international computer software and applications conference (COMPSAC), workshop on requirements engineering for services, pp 601-606, Turku, Finland.
31. Knauss E, Lübke D, Meyer S (2009) Feedback-driven requirements engineering: the heuristic requirements assistant. In: International conference on software engineering (ICSE'09), formal research demonstrations track, pp 587-590, Vancouver, Canada.
32. Knauss E, Schneider K, Stapel K (2009) Learning to write better requirements through heuristic critiques. In: Proceedings of 17th IEEE requirementes engineering conference (RE 2009), Atlanta, USA.
33. Knauss E, Houmb S, Schneider K, Islam S, Jürjens J (2011) Supporting requirements engineers in recognising security issues. In: Berry D, Franch X (eds) Proceedings of the 17th international working conference on requirements engineering: foundation for software quality (REFSQ '11), LNCS, Essen, Germany, Springer.
34. Kof L (2005) Text analysis for requirements engineering. PhD thesis, Technische Universität München, München.
35. Lee SK, Muthurajan D, Gandhi RA, Yavagal DS, Ahn G-J (2006) Building decision support problem domain ontology from natural language requirements for software assurance. Int J Softw Eng Knowl Eng 16(6): 851-884.
36. Matulevicius R, Mayer N, Mouratidis H, Dubois E, Heymans P, Genon N (2008) Adapting secure tropos for security risk management in the early phases of information systems development. In: Bellahsene Z, Léonard M (eds) CAiSE, vol 5074 of lecture notes in computer science, pp 541-555. Springer.
37. Mellado D, Rodríguez J, Fernández-Medina E, Piattini M (2009) Automated support for security requirements engineering in software product line domain engineering. Availability, reliability and security, international conference on 0: 224-231.
38. Moody DL (2009) The "Physics" of notations: toward a scientific basis for constructing visual notations in software engineering. IEEE Trans Softw Eng 35(6): 756-779.
39. Mouratidis H, Giorgini P, Manson GA (2003) Integrating security and systems engineering: towards the modelling of secure information systems. In: Eder J, Missikoff M (eds) CAiSE, vol 2681 of lecture notes in computer science, pp 63-78. Springer.
40. Ouedraogo M, Mouratidis H, Khadraoui D, and Dubois E (2010) An agent-based system to support assurance of security requirements. In: SSIRI, pp 78-87. IEEE Computer Society.
41. Polanyi M (1966) The Tacit dimension. Doubleday, Garden City.
42. Russell N, Hofstede AHMt, Aalst WMPvd (2007) newYAWL: specifying a workflow reference language using coloured petri nets. In: Eighth workshop and tutorial on practical use of coloured petri nets and the CPN tools.
43. Schneider K (2005) Software process improvement from a FLOW perspective. In: Learning software organizations workshop, 2005.
44. Schneider K (2007) Generating fast feedback in requirements elicitation. In: Requirements engineering: foundation for software quality (REFSQ 2007).
45. Schneider K (2009) Experience and knowledge management in software engineering. Springer, Berlin.
46. Schneider K, Lübke D (2005) Systematic tailoring of quality techniques. In: World congress of software quality 2005, vol 3/3.
47. Schneider K, Stapel K, Knauss E (2008) Beyond documents: visualizing informal communication. In: Proceedings of third international workshop on requirements engineering visualization (REV 08), Barcelona, Spain.
48. Schön DA (1983) The reflective practitioner: how professionals think in action. Basic Books, New York.
49. Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Requir Eng J 10(1): 34-44.
50. Stapel K, Schneider K, Lübke D, Flohr T (2007) Improving an industrial reference process by information flow analysis: a case study. In: Proceedings of PROFES 2007, vol 4589 of LNCS, pp 147-159, Riga, Latvia, 2007. Springer, Berlin.
51. Stapel K, Knauss E, Allmann C (2008) Lightweight process documentation: just enough structure in automotive pre-development. In: O'Connor RV, Baddoo N, Smolander K, Messnarz R (eds) Proceedings of the 15th european conference, EuroSPI, communications in computer and information science, pp 142-151, Dublin, Ireland, 9 2008. Springer.
52. Stapel K, Knauss E, Schneider K (2009) Using FLOW to improve communication of requirements in globally distributed software projects. In: Workshop on collaboration and intercultural issues on requirements: communication, understanding and softskills (CIRCUS '09), Atlanta, USA, Nov 2009.
53. TISPAN, ETSI (2010) Telecommunications and internet converged services and protocols for advanced networking (TISPAN); services requirements and capabilities for customer networks connected to TISPAN NGN. Technical report, European Telecommunications Standards Institute.
54. Weiss SM, Kulikowski CA (1991) Computer systems that learn: classification and prediction methods from statistics, neural nets, machine learning, and expert systems. M. Kaufmann Publishers, San Mateo.
55. Winkler S (2007) Information flow between requirement artifacts. In: Proceedings of REFSQ 2007 international working conference on requirements engineering: foundation for software quality, vol 4542 of lecture notes in computer science, pp 232-246, Trondheim, Norway, 2007. Springer, Berlin.
56. Wise A (2006) Little-JIL 1. 5 Language Report. Technical report, Department of Computer Science, University of Massachusetts.
57. Wohlin C, Runeson P, Höst M, Ohlsson MC, Regnell B, Wesslén A (2000) Experimentation in software engineering: an introduction. Kluwer Academic Publishers, Boston.