A systematic review of security requirements engineering
References
Walton, 2002, Developing an enterprise information security policy
Choo, K.-K.R., R.G. Smith, and R. McCusker, Future directions in technology-enabled crime: 2007–09, in Research and Public Policy Series, Australian Government, Editor. 2007, Australian Institute of Criminology
Zulkernine, 2006, Software security engineering: toward unifying software engineering and security engineering, 10.4018/978-1-59140-911-3.ch014
Konrad, S., B.H.C. Cheng, L.A. Campbell, and R. Wassermann, Using Security Patterns to Model and Analyze Security Requirements, in High Assurance Systems Workshop (RHAS 03) as part of the IEEE Joint International Conference on Requirements Engineering (RE 03): Monterey Bay, CA (USA).
Viega, 2005, Building security requirements with CLASP, 1
Firesmith, 2004, Specifying reusable security requirements, 61
Kim, 2005, Goal and scenario based domain requirements analysis environment, 926
Kotonya, 1998, Requirements engineering process and techniques, 294
McDermott, 1999, Using abuse case models for security requirements analysis, 10.1109/CSAC.1999.816013
Henning, 2006, Security engineering: it is all about control and assurance objectives
Villarroel, 2005, Secure information systems development — a survey and comparison, 308
Mellado, 2006, A comparative study of proposals for establishing security requirements for the development of secure information systems, 3, 1044
Moffett, 2003, A framework for security requirements engineering, 368
Kitchenham, 2004, Procedures for Performing Systematic Review
Brereton, 2007, Lessons from applying the systematic literature review process within the software engineering domain, J. Syst. Software, 80, 571, 10.1016/j.jss.2006.07.009
Kitchenham, B., Guideline for performing Systematic Literature Reviews in Software Engineering. Version 2.3. 2007, University of Keele (Software Engineering Group, School of Computer Science and Mathematics) and Durham (Department of Computer Science).
Biolchini, 2005, Systematic review in software engineering
Firesmith, 2003, Engineering security requirements, Journal of Object Technology, 2, 53, 10.5381/jot.2003.2.1.c6
Basin, 2003, Model-driven security for process-oriented systems. SACMAT'03, 100
Basin, 2006, Model driven security: from UML models to access control infrastructures, ACM Trans. Softw. Eng. Methodol., 15, 39, 10.1145/1125808.1125810
Bresciani, 2004, Tropos: agent-oriented software development methodology, 203
Giorgini, 2004, Requirements engineering meets trust management: model, methodology, and reasoning. iTrust 2004, 176
Giorgini, 2006
Ali, 2008, Location-based software modeling and analysis: Tropos-based approach, in 27th International Conference on Conceptual Modeling (ER 08)
Ali, 2009, A goal modeling framework for self-contextualizable software, in 14th international conference on exploring modeling methods in systems analysis and design (EMMSAD09)
Dalpiaz, 2009, 246
Massacci, 2005, Using a security requirements engineering methodology in practice: the compliance with the Italian data protection legislation, in Computers Standards and Interfaces, 445
Compagna, 2009, How to integrate legal requirements into a requirements engineering methodology for the development of security and privacy patterns, Artif. Intell. Law, 17, 1, 10.1007/s10506-008-9067-3
Firesmith, 2005, Engineering safety-related requirements for software-intensive systems, in Proceedings of the 27th international conference on Software engineering
Firesmith, 2007, Engineering safety and security related requirements for software intensive systems, in international conference on software engineering, 169
Hussein, 2007, Intrusion detection aware component-based systems: a specification-based framework, J. Syst. Softw., 80, 700, 10.1016/j.jss.2006.08.017
Jennex, 2005, Modeling security requirements for information systems development
Lee, 2003, A CC-based Security Engineering Process Evaluation Model. 27th Annual International Computer Software and Applications Conference (COMPSAC'03), 130
Lee, 2006, Building problem domain ontology from security requirements in regulatory documents, in Proceedings of the 2006 international workshop on Software engineering for secure systems
Mead, 2005, Security Quality Requirements Engineering (SQUARE) Methodology. in Software Engineering for Secure Systems (SESS05), ICSE 2005 International Workshop on Requirements for High Assurance Systems
Mead, 2006, 149
Abu-Nimeh, 2009, Integrating privacy requirements into security requirements engineering, SEKE, 542
Mellado, 2007, A common criteria based security requirements engineering process for the development of secure information systems, 244
Mellado, 2008, Towards security requirements management for software product lines: a security domain requirements engineering process, 361
Haley, 2008, Security requirements engineering: a framework for representation and analysis, IEEE Trans. Software Eng., 34, 133, 10.1109/TSE.2007.70754
Morimoto, 2006, A security requirement management database based on ISO/IEC 15408, 3, 1
Horie, 2008, ISEDS: an information security engineering database system based on ISO Standards, 1219
Myagmar, 2005, Threat modeling as a basis for security requirements
Peeters, 2005, Agile security requirements engineering
Popp, 2003, Security-critical system development with extended use cases, 478
Jürjens, 2002, UMLsec: extending UML for secure systems development. UML, 412
Jürjens, 2008, Automated analysis of permission-based security using UMLsec, 292
Shin, 2007, Software requirements and architecture modeling for evolving non-secure applications into secure applications, Sci. Comput. Program., 66, 60, 10.1016/j.scico.2006.10.009
Sindre, 2005, Eliciting security requirements with misuse cases, Requirements Eng., 10, 34, 10.1007/s00766-004-0194-4
Sindre, 2003, A reuse-based approach to determining security requirements. in Proc. 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03)
Opdahl, A.L. and G. Sindre, Experimental comparison of attack trees and misuse cases for security threat identification. Information and Software Technology. In Press, Corrected Proof, 2008.
Stalhane, 2008, Safety hazard identification by misuse cases: experimental comparison of text and diagrams, 721
Toval, 2001, Requirements reuse for improving information systems security: a practitioner's approach, 205
Martínez, 2006, An audit method of personal data based on requirements engineering
Nicolás, 2006, A collaborative learning experience in modelling the requirements of teleoperated systems for ship hull maintenance, in workshop on learning software organizations and requirements engineering
Lasheras, 2008, An ontology-based framework for modelling security requirements, in The 6th International Workshop on Security in Information Systems — WOSIS
Tsoumas, 2006, Towards an ontology-based security management. Proceedings of the 20th International Conference on Advanced Information Networking and Applications. IEEE Computer Society
Tsoumas, 2006, Security-by-ontology: a knowledge-centric approach, 99
Yu, 1997, Towards modelling and reasoning support for early-phase requirements engineering, 226
Yu, 2006, A social ontology for integrating security and software engineering, in integrating security and software engineering: advances and future visions
Yu, 2009, Social modeling and i*, 99
Zuccato, 2004, Holistic security requirement engineering for electronic commerce, 63
Zuccato, 2007, Holistic security management framework applied in electronic commerce, Computer & Security, 26, 256, 10.1016/j.cose.2006.11.003
Zuccato, 2008, Security requirements engineering at a telecom provider, 1139
Lamsweerde, 2007, Engineering requirements for system reliability and security, in software system reliability and security, 196
Firesmith, 2003, Security use cases, Journal of Object Technology, 53, 10.5381/jot.2003.2.3.c6
Best, 2007, Model-based security engineering of distributed information systems using UMLSec, 581
Whittle, 2008, Executable misuse cases for modeling security concerns, 121
Braz, 2008, Eliciting security requirements through misuse activities, 328
CRAMM, 2005, CRAMM, United Kingdom Central Computer and Telecommunication Agency. CCTA Risk Analysis and Management Method: User Manual, ver. 5.1
COBIT, 2005, COBIT, IT Governance Institute. Control Objectives for Information and related Technology (COBIT 4.0)
Khawaja, 2002, A synthesis of evaluation criteria for software specifications and specifications techniques, International Journal of Software Engineering and Knowledge Engineering, 12, 581, 10.1142/S0218194002001062
IEEE, 1998, IEEE 830: 1998 recommended practice for software requirements specifications
Mead, 2007, How to compare the Security Quality Requirements Engineering (SQUARE) method with other methods
Hatebur, 2008, A formal metamodel for problem frames, Vol. 5301, 68