Security Requirements Elicitation from Engineering Governance, Risk Management and Compliance

[Context and motivation:] There is a variety of sources from which security requirements may be derived, typically pertaining to fields such as software engineering, information systems risk assessment, security auditing, compliance management and IT governance. Several approaches, especially in the software engineering domain, have already investigated security requirements within a broader scope, including results from risk management. [Question/problem:] Identifying security requirements according to just one of these fields might not suffice; opportunities for integration and enrichment must be investigated. [Principal ideas/results:] Our proposal advocates a convergence of different security requirements sources towards their richer specification, based on semantic technology. [Contribution:] Through this vision paper, we sketch the outline of a new perspective on eliciting security requirements, based on knowledge-driven integration of approaches from software engineering, risk assessment, governance and compliance.
