A Methodological Approach to Evaluate Security Requirements Engineering Methodologies: Application to the IREHDO2 Project Context

An effective network security requirement engineering is needed to help organizations in capturing cost-effective security solutions that protect networks against malicious attacks while meeting the business requirements. The diversity of currently available security requirement engineering methodologies leads security requirements engineers to an open question: How to choose one? We present a global evaluation methodology that we applied during the IREHDO2 project to find a requirement engineering method that could improve network security. Our evaluation methodology includes a process to determine pertinent evaluation criteria and a process to evaluate the requirement engineering methodologies. Our main contribution is to involve stakeholders (i.e., security requirements engineers) in the evaluation process by following a requirement engineering approach. We describe our experiments conducted during the project with security experts and the feedback we obtained. Although we applied it to evaluate three requirements engineering methods (KAOS, STS and SEPP) in the context of network security, our evaluation methodology can be instantiated in other contexts and other methods.

Software Security Requirement Engineering for Risk and Compliance Management

The objective of the research work is to propose a software based security requirement engineering model using categorical and morphisms theory. The earlier security requirement engineering models focus different viewpoints on parallel processing and develop rewrite based knowledge centred models but does not include different functional mappings between the security objects to select the best strategy. The security models have not considered the needed security functions that are to be implemented in different environments with different levels of executions. The proposed requirement engineering model is based on the formal theory of category of objects and the morphisms between them in addition to n categories and multiple morphisms that were used to organize the security requirement functional objects of different categories. The on demand security requirement objects, morphisms and the uncertain events in any one of the subsystems are considered to manage this security requirement category as an algebraic data types. The collection of security requirement objects using classification and clustering techniques are implicitly applied by the formation of category and morphism. The risk and compliances both in the form of direct and indirect categories are mapped so as to provide a security assurance functors with minimum risk on the requirements to the next design state. An ‘n’ category and ‘n’ morphic model for software security requirement model is proposed towards for minimum security risks through efficient compliance management techniques.