On Software Security Requirements Elicitation and Analysis Methods

Javed Ahmad, Chaudhary Wali Mohammad and Mohd. Sadiq


Security requirements play an important role in protecting valuable data and information from unauthorized users. Eliciting security requirements in the early phase of the software development process can help software engineers to successfully develop a secure information system. Different methods have been developed for the elicitation of security requirements, such as multilateral security requirements analysis, software quality requirements engineering, knowledge acquisition for automated specifications, etc. The objective of this paper is to evaluate the different software Security Requirements Elicitation and Analysis (SecREA) methods based on the following parameters: (a) stakeholders’ participation, (b) identification of the functional requirements that need more security, (c) selection and prioritization of the security requirements under crisp and fuzzy environments, and (d) common activities in SecREA methods. After evaluating the SecREA methods, we discuss the scope for future work.


Security engineering methods, Security requirements, Security requirements elicitation.



This work is licensed under a Creative Commons Attribution 3.0 License.


IT in Industry @ http://www.it-in-industry.com . ISSN (Online): 2203-1731; ISSN (Print): 2204-0595