
COMPUTER STANDARDS & INTERFACES 32 (2010) 153–165


A systematic review of security requirements engineering

ARTICLE INFO

Article history:
Received 7 January 2009
Received in revised form 25 January 2010
Accepted 27 January 2010
Available online 2 February 2010

Keywords:
Security requirements
Security requirements engineering
Requirements engineering

ABSTRACT

This paper addresses the issue that Security Requirements Engineering is an important aspect of secure systems and should be carried out with caution in the software development process. The article is in fact a systematic review of the existing literature concerning security requirements engineering. The paper highlights the fact that no systematic review has been performed regarding secure systems and claims to provide a framework where new research can be carried out.

© 2010 Elsevier B.V. All rights reserved.

1. Introduction

This paper, Mellado, D., Blanco, C., Sánchez, L. E., & Fernández-Medina, E. (2010). A systematic review of security requirements engineering. Computer Standards & Interfaces, 32(4), 153-165, addresses the issue that Security Requirements Engineering is an important aspect of secure systems and should be carried out with caution in the software development process.

The fact that our lives are becoming dependent on information systems (IS) and that we live in a highly inter-connected world implies that we have to deal with the security breaches that result from being so connected.

This structured review has been conducted due to the lack of such reviews in Software Engineering in particular. Security requirements are not paid sufficient attention and are considered at the end of development, based on the functional requirements alone. These requirements should be considered at the start of the development process, and this is the main issue of this paper.

The authors have stated the research objective in so much detail that the paper is easy to comprehend. All the core research issues have been highlighted. The main terms (keywords) have also been defined in sufficient detail.

There is a review of twenty-two existing studies that contributed usefully to the topic. It has been mentioned multiple times that the main focus of the research is to bring to light the studies which consider security requirements at the initial step of the software development process. Nothing new is presented, but given that such structured reviews are lacking in Software Engineering, the review is in itself an effective step.

* Corresponding author. E-mail address: tehreem.qureshi945@gmail.com

2. Sections Evaluation

Each section of the paper is evaluated as follows:

2.1. Introduction

The introduction section is very well written, not only in terms of covering the need to write such a systematic review but also in a manner that is conducive to reading. It is easy to understand what the paper will focus on after a single reading. No technical terms are used, and no abbreviations are used without an explanation of their expanded forms.

2.2. Question formalization

The research questions are explicitly stated, unlike other reviews where it is hard to understand the actual question underlying the research. So that the reader can remember the objectives of the paper, the keywords formulating the research question are already defined in this section.

2.3. Review method

In this section, the authors have included subsections for sources selection, studies selection and selection execution.

In the section for sources selection, there is a list of all the sources that were used to gather articles. The studies were selected from the mentioned sources on the basis of the extent to which they address security requirements as a core area of research. The execution section lists the bibliography style from EndNote.

The review is very well structured and organized as a structured review. It lists all the activities carried out in the effort of presenting such a review.

2.4. Information extraction

This section lists information from all the selected studies of this review: the techniques followed in them, the methods used, the processes executed, or whether a new initiative contributes to catering for security requirements from the start of the software development process.

The section is well structured, but one point to raise is that the studies are mentioned without their year of publication. It may be hard for a reader to find out the most recent technique or initiative out of the twenty-two mentioned studies.

2.5. Results and discussion

The section illustrates, with the help of tables, the findings of this review. Through the tables, it can be seen that the authors did identify the initiatives for addressing security requirements, find out how many studies have provided these initiatives, and compare these initiatives on the basis of certain features that contribute to efficiently gathering security requirements.

The problems identified in this section are so detailed that they overshadow the research conducted. While reading this section, it seems for a while that the problem of incorporating security requirements may never be solved. As part of this detailed review, a model should have been introduced to overcome the bigger problems; if not a model, then a separate section dealing with the problems, so as to keep all the positive aspects intact.

2.6. Conclusion

The paper concludes by mentioning its main objective of presenting the literature related to security requirements. This section also points out what could be biased about the review. Some of the related future work, and the existing problems overpowering the identified initiatives, have been incorporated as part of the 'Results and discussion' section, whereas they should have been included in this section.

3. Conclusion

The paper has discussed in sufficient detail the issues regarding security in Information Systems. It introduces a neglected area and focuses on considering security as a part of the software development process throughout that process. The review of existing literature shows that it is possible to cater for security at the start of development.

However, there are some issues, such as organizational cultures and the inability to generalize the selection on the basis of some parameters. The positive results get mixed up with the problems, and the problems seem to overshadow the positive results. Moreover, the future work has also been included in the results section. This could have been separated and made a part of the conclusion section instead.

The overall paper is structured very well, and it is the first time I have read such a well-written review. No technical terms are used, and the paper keeps focusing on the research objective throughout. What I found to be a major negative point was the missing years in the existing literature, which can confuse the reader in finding out the oldest or the most recent research, and the mixture of problems and results in the Results section.