Security and Privacy Requirements Engineering

Security requirements engineering identifies security risks in software in the early stages of the development cycle. In this chapter, the authors present the SQUARE security requirements method. They integrate privacy requirements into SQUARE to identify privacy risks in addition to security risks. They then present a privacy elicitation technique and subsequently combine security risk assessment techniques with privacy risk assessment techniques. The authors discuss prototype tools that have been developed to support SQUARE for security and privacy as well as recent workshops that have focused on additional results in the security and privacy requirements area. Finally, the authors suggest future research and case studies needed to further contribute to early lifecycle activities that will address security and privacy-related issues.

[1]  Anne Adams,et al.  Privacy in Multimedia Communications: Protecting Users, Not Just Data , 2001, BCS HCI/IHM.

[2]  Pamela Zave Classification of research efforts in requirements engineering , 1997, ACM Comput. Surv..

[3]  Gary Stoneburner,et al.  SP 800-30. Risk Management Guide for Information Technology Systems , 2002 .

[4]  Kimberly M. Green Perceptions and Framing of Risk, Uncertainty, Loss, and Failure in Entrepreneurship , 2014 .

[5]  Annie I. Antón,et al.  Prioritizing Legal Requirements , 2009, 2009 Second International Workshop on Requirements Engineering and Law.

[6]  Seiya Miyazaki,et al.  Computer-Aided Privacy Requirements Elicitation Technique , 2008, 2008 IEEE Asia-Pacific Services Computing Conference.

[7]  Marco R. Spruit,et al.  CITS: The Cost of IT Security Framework , 2012, Int. J. Inf. Secur. Priv..

[8]  Jeffrey A. Ingalsbe,et al.  Threat Modeling: Diving into the Deep End , 2008, IEEE Software.

[9]  Shari Lawrence Pfleeger,et al.  Harmonizing privacy with security principles and practices , 2009, IBM J. Res. Dev..

[10]  Lawrence Oliva Information Technology Security: Advice from Experts , 2004 .

[11]  Nancy R. Mead,et al.  Privacy Risk Assessment in Privacy Requirements Engineering , 2009, 2009 Second International Workshop on Requirements Engineering and Law.

[12]  Fabio Casati,et al.  Engineering Privacy Requirements in Business Intelligence Applications , 2008, Secure Data Management.

[13]  Hamid R. Nemati International Journal of Information Security and Privacy , 2007 .

[14]  Adam A. Porter,et al.  Comparing Detection Methods for Software Requirements Inspections: A Replicated Experiment , 1995, IEEE Trans. Software Eng..

[15]  Jose Andre Morales,et al.  Using malware analysis to improve security requirements on future systems , 2014, 2014 IEEE 1st International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE).

[16]  Y. Haimes Risk Modeling, Assessment, and Management: Haimes/Risk Modeling, Assessment 2e , 2005 .

[17]  Joachim Karlsson,et al.  Software requirements prioritizing , 1996, Proceedings of the Second International Conference on Requirements Engineering.