Copyright © by the paper's authors.

Security requirements engineering is an important part of many software projects. Practitioners consider security requirements from the early stages of software development processes, but most of them do not use any formal method for security requirements engineering. According to a recent survey, only about 9% of security practitioners implement a formal process of elicitation and analysis of security requirements and risks. However, a number of methods have recently been proposed in academia to support practitioners in collecting and analysing security requirements. Unfortunately, these methods are not widely adopted in practice because there is a lack of empirical evidence that they work. Only a few papers in requirements engineering have solid empirical evidence of the efficiency of the proposed solutions. So how can we know that security methods work in practice? In this paper we propose to conduct a series of empirical studies to build a basis that a) will provide security practitioners with guidelines for the selection of security requirements methods, and b) will help method designers understand how to improve their methods.
CEUR Workshop Proceedings
International Symposium on Engineering Secure Software and Systems, ESSoS-DS 2013
27/02/13 → 1/03/13