Ensuring Cost Efficient and Secure Software through Student Case Studies in Risk and Requirements Prioritization

This paper presents a discussion of educational case studies used in security requirements assessment and requirements prioritization. Related to this, it introduces risk understanding as an added dimension to the requirements prioritization process. It should be self-evident that the final product should incorporate the requirements with the greatest value. Nevertheless, in a time when security is a preeminent concern it should also be clear that risk elements should also be considered. As such, activities to reconcile risk with value are always essential. However, since risk and value considerations are different, and sometimes opposed to each other, this paper presents a new process that will help decision makers reconcile these two factors within a single approach. This new process may also be incorporated into security requirements education and prioritization.

[1]  Nancy R. Mead,et al.  Software Security Engineering: A Guide for Project Managers , 2004 .

[2]  Søren Lauesen,et al.  Preventing Requirement Defects: An Experiment in Process Improvement , 2001, Requirements Engineering.

[3]  Vasudeva Varma,et al.  Security: Bridging the Academia-Industry Gap Using a Case Study , 2006, 2006 13th Asia Pacific Software Engineering Conference (APSEC'06).

[4]  Edward Colbert,et al.  Costing Secure Systems Workshop Report , 2005 .

[5]  Haralambos Mouratidis,et al.  Modelling security and trust with Secure Tropos , 2006 .

[6]  Barry W. Boehm,et al.  Software Risk Management , 1989, ESEC.

[7]  William Yurcik,et al.  Threat Modeling as a Basis for Security Requirements , 2005 .

[8]  Bhavani Palyagar A Framework for Validating Process Improvement in Requirements Engineering , 2004 .

[9]  Shawn A. Butler Security attribute evaluation method: a cost-benefit approach , 2002, ICSE '02.

[10]  Y. Haimes Risk Modeling, Assessment, and Management: Haimes/Risk Modeling, Assessment 2e , 2005 .

[11]  J. J. Carr Requirements engineering and management: the key to designing quality complex systems , 2000 .

[12]  HaleyCharles,et al.  Security Requirements Engineering , 2008 .

[13]  Joachim Karlsson,et al.  A Cost-Value Approach for Prioritizing Requirements , 1997, IEEE Softw..

[14]  Nancy R. Mead,et al.  Requirements Engineering for Survivable Systems , 2003 .

[15]  Yasuyuki Tahara,et al.  Top SE: Educating Superarchitects Who Can Apply Software Engineering Tools to Practical Development in Japan , 2007, 29th International Conference on Software Engineering (ICSE'07).

[16]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[17]  George W. Bush,et al.  National Strategy to Secure Cyberspace , 2003 .

[18]  Barry Boehm,et al.  Top 10 list [software development] , 2001 .

[19]  Axel van Lamsweerde,et al.  Reasoning about confidentiality at requirements engineering time , 2005, ESEC/FSE-13.

[20]  Nancy R. Mead,et al.  Security Requirements Engineering for Software Systems: Case Studies in Support of Software Engineering Education , 2006, 19th Conference on Software Engineering Education & Training (CSEET'06).

[21]  Nancy R. Mead,et al.  Security quality requirements engineering (SQUARE) methodology , 2005, SESS@ICSE.

[22]  T. Saaty,et al.  The Analytic Hierarchy Process , 1985 .

[23]  Joachim Karlsson,et al.  Software requirements prioritizing , 1996, Proceedings of the Second International Conference on Requirements Engineering.

[24]  Ian F. Alexander,et al.  Misuse Cases: Use Cases with Hostile Intent , 2003, IEEE Softw..

[25]  Bhavani Palyagar,et al.  Validating Requirements Engineering Process Improvements - A Case Study , 2006, 2006 First International Workshop on Requirements Engineering Visualization (REV'06 - RE'06 Workshop).

[26]  G. Stoneburner,et al.  Risk Management Guide for Information Technology Systems: Recommendations of the National Institute of Standards and Technology , 2002 .

[27]  S.L. Cornford,et al.  DDP: a tool for life-cycle risk management , 2006, IEEE Aerospace and Electronic Systems Magazine.

[28]  Herbert Hecht Myron HOW RELIABLE ARE REQUIREMENTS FOR RELIABLE SOFTWARE , 2000 .

[29]  M. Hecht,et al.  Reliability-Related Requirements in Software-Intensive Systems , 2007, 2007 Annual Reliability and Maintainability Symposium.

[30]  Frank Swiderski,et al.  Threat Modeling , 2018, Hacking Connected Cars.