Using templates to elicit implied security requirements from functional requirements - a controlled experiment

Context: Security requirements for software systems can be challenging to identify and are often overlooked during the requirements engineering process. Existing functional requirements of a system can imply the need for security requirements. Systems with similar security objectives (e.g., confidentiality) often also share security requirements, which can be captured as reusable templates and instantiated in the context of a particular system to specify its security requirements. Goal: We seek to improve the security requirements elicitation process by automatically suggesting the security requirement templates implied by existing functional requirements. Method: We conducted a controlled experiment involving 50 graduate students enrolled in a software security course to evaluate the use of automatically-suggested templates in eliciting implied security requirements. Participants were divided into a treatment group (automatically-suggested templates) and a control group (no templates provided). Results: Participants using our templates identified 42% of all the implied security requirements in the oracle, whereas the control group identified only 16%. Template usage also increased efficiency, measured as security requirements identified per unit of time. Conclusion: Automatically-suggested templates helped participants (security non-experts) think about the security implications of the software system and consider more security requirements than they would have otherwise. We found that participants need more incentive than a participatory grade alone to complete the task. Further, to ensure task completeness, we recommend that participants be given either a step-driven (i.e., wizard) approach or progress indicators that show the remaining work.
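The abstract describes the mechanism only at a high level: functional requirements imply security requirements, shared requirements are captured as reusable templates, and a tool suggests which templates apply. The following is an added example, not the paper's tool or data, that shows the shape of such a suggester. It assumes a keyword-trigger heuristic for matching functional requirements to templates and a single `{subject}` placeholder per template; both are our own simplifications, and the sample banking requirements and the oracle are constructed for the example. It also computes the "fraction of oracle requirements elicited" measure that the Results section reports (42% vs. 16%).

```python
"""Added example (not the paper's code): a toy suggester that maps functional
requirements to reusable security requirement templates, instantiates them for
a concrete system, and scores the result against an oracle.

Assumptions (hypothetical, not from the paper): matching is done by keyword
triggers, and each template carries one {subject} placeholder that the analyst
fills with the system-specific phrase the template should refer to.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityTemplate:
    name: str        # short identifier for the template
    objective: str   # security objective the template serves
    triggers: tuple  # keywords in a functional requirement that imply it
    text: str        # reusable wording with a {subject} placeholder


# A small template catalogue (constructed for this example).
TEMPLATES = (
    SecurityTemplate(
        "authn", "authentication", ("log in", "login", "sign in", "account"),
        "The system shall authenticate a user before allowing access to {subject}."),
    SecurityTemplate(
        "confidentiality", "confidentiality",
        ("personal", "medical", "credit card", "password", "private"),
        "The system shall protect {subject} from unauthorized disclosure in transit and at rest."),
    SecurityTemplate(
        "integrity", "integrity", ("update", "modify", "edit", "transfer"),
        "The system shall ensure that {subject} can be changed only by authorized users "
        "and that unauthorized changes are detected."),
    SecurityTemplate(
        "audit", "accountability", ("transfer", "delete", "approve", "payment"),
        "The system shall log who performed {subject}, when, and with what result."),
)


def suggest(functional_requirement: str) -> list:
    """Return the templates whose trigger keywords appear in the requirement text."""
    text = functional_requirement.lower()
    return [t for t in TEMPLATES if any(k in text for k in t.triggers)]


def instantiate(template: SecurityTemplate, subject: str) -> str:
    """Fill the template's placeholder with the system-specific subject phrase."""
    return template.text.format(subject=subject)


def elicit(requirements: dict) -> dict:
    """Map each functional requirement id to its instantiated security requirements.

    `requirements` is {id: (functional text, subject phrase)}. Returns
    {id: [(template name, instantiated security requirement), ...]}.
    """
    out = {}
    for rid, (text, subject) in requirements.items():
        out[rid] = [(t.name, instantiate(t, subject)) for t in suggest(text)]
    return out


def coverage(elicited: dict, oracle: set) -> float:
    """Fraction of oracle (requirement id, template name) pairs that were elicited.

    This mirrors the paper's reported measure (42% for the treatment group,
    16% for the control group), computed here on constructed data.
    """
    found = {(rid, name) for rid, items in elicited.items() for name, _ in items}
    return len(found & oracle) / len(oracle)


# Constructed sample functional requirements for a hypothetical banking app.
SAMPLE = {
    "FR-1": ("The user shall log in with a username and password.", "the user's account"),
    "FR-2": ("The user shall transfer money between accounts.", "a money transfer"),
    "FR-3": ("The system shall display the current exchange rates.", "exchange rates"),
}

# Constructed oracle: the implied security requirements an expert would expect.
ORACLE = {
    ("FR-1", "authn"), ("FR-1", "confidentiality"),
    ("FR-2", "authn"), ("FR-2", "integrity"), ("FR-2", "audit"),
    ("FR-2", "confidentiality"),  # account balances; the keyword heuristic misses this one
}

if __name__ == "__main__":
    result = elicit(SAMPLE)
    for rid, items in result.items():
        print(rid, "->", [name for name, _ in items] or "no template suggested")
        for _, req in items:
            print("   ", req)
    print(f"oracle coverage: {coverage(result, ORACLE):.0%}")
```

FR-3 deliberately triggers nothing, and the oracle contains one pair the heuristic cannot find, so the coverage score stays below 100%; that gap is the part of the elicitation the paper leaves to the human analyst, which is why it measured how many oracle requirements participants found rather than how many the tool suggested.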
