Problem-based Elicitation of Security Requirements - The ProCOR Method

Roman Wirtz, Maritta Heisel, Rene Meis, Aida Omerovic, Ketil Stølen
2018 Proceedings of the 13th International Conference on Evaluation of Novel Approaches to Software Engineering  
Security is of great importance for many software systems. The security of a software system can be compromised by threats, which may harm assets with a certain likelihood, thus constituting a risk. All such risks should be identified, and unacceptable risks should be reduced, which gives rise to security requirements. The relevant security requirements should be known right from the beginning of the software development process. Eliciting security requirements should be done in a systematic
more » ... . We propse a method to elicit security requirements that address unacceptable risks. They require a reduction of the risk to an acceptable level. Our method combines the CORAS risk management method with Jackson's problem-based requirements analysis approach. Based on the functional requirements for a software system, security risks are identified and evaluated. Unacceptable risks give rise to high-level security requirements. To reduce the risk, treatments are selected. Based on the selected treatments, concretized security requirements are set up and represented in a similar way as functional requirements. Thus, both functional and security requirements can then drive the software development process.
doi:10.5220/0006669400260038 dblp:conf/enase/WirtzHMOS18 fatcat:6zxtfdldqjephpdrdsd4taq4gq