Implications of the Operational Environmental on Software Security Requirements Engineering

Christian Schmitt, Peter Liggesmeyer

Abstract

After presenting an overview of the most commonly cited reasons and issues for bad practice in software security requirements engineering, this paper introduces a security interdependency model that illustrates the implications between software and its physical, technical and organizational environment. The model is described in detail, and the mutual implications and interdependencies between software security (requirements) and the operational environment are explained with illustrative examples. Conclusions and further research perspectives with respect to security requirements engineering, and security in general, are drawn.



Paper Citation


in Harvard Style

Schmitt C. and Liggesmeyer P. (2014). Implications of the Operational Environmental on Software Security Requirements Engineering. In Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014) ISBN 978-989-758-031-4, pages 63-74. DOI: 10.5220/0004966400630074


in Bibtex Style

@conference{wosis14,
author={Christian Schmitt and Peter Liggesmeyer},
title={Implications of the Operational Environmental on Software Security Requirements Engineering},
booktitle={Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014)},
year={2014},
pages={63-74},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004966400630074},
isbn={978-989-758-031-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 11th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2014)
TI - Implications of the Operational Environmental on Software Security Requirements Engineering
SN - 978-989-758-031-4
AU - Schmitt C.
AU - Liggesmeyer P.
PY - 2014
SP - 63
EP - 74
DO - 10.5220/0004966400630074