Professional Documents
Culture Documents
Security Quality Requirements Engineering Revised
Security Quality Requirements Engineering Revised
cost/benefit
analysis, etc.
6 Elicit security Artifacts, risk Joint Application Stakeholders Initial cut at
requirements assessment Development facilitated by security
results, selected (JAD), interviews, requirements requirements
techniques surveys, model- engineer
based analysis,
checklists, lists of
reusable
requirements
types, document
reviews
7 Categorize Initial Work session Requirements Categorized
requirements as requirements, using a standard engineer, other requirements
to level (system, architecture set of categories specialists as
software, etc.) needed
and whether
they are
requirements or
other kinds of
constraints
8 Prioritize Categorized Prioritization Stakeholders Prioritized
requirements requirements and methods such as facilitated by requirements
risk assessment Analytical requirements
results Hierarchy Process engineer
(AHP), Triage,
Win-Win
9 Inspect Prioritized Inspection method Inspection Initial selected
requirements requirements, such as Fagan, team requirements,
candidate formal peer reviews documentation of
inspection decision-making
technique process and
rationale
Sources such as the Institute for Electrical and Electronics Engineers and the Software
Engineering Body of Knowledge provide a range of definitions to select from or tailor. A focus
group meeting with the interested parties most likely enables the selection of a consistent set
of definitions for the security requirements activity.
Step 2, Identify Assets and Security Goals, should be done at the organizational it involves
identifying assets that need protection in the system and their corresponding security and
quality goals is the next objective. Initially, different stakeholders will have different security
and quality goals. Development teams need to formally agree on a set of prioritized security
goals for the project. Without overall security goals for the project, it is impossible to identify
the priority and relevance of any security and quality requirements that are generated. The
quality goals of the project must be in clear support of the project's overall business goal, which
also must be identified and enumerated in this step.
Once the goals of the various stakeholders are identified, they must be reviewed, prioritized,
and documented. In the absence of consensus, an executive decision may be needed to
prioritize the goals.
The exit criteria for this step is to document a single business goal for the project and several
prioritized security and quality goals for the overall software system.
Step 6, Elicit Security Requirements, is the actual elicitation process using the selected
technique. Most elicitation techniques provide detailed guidance on how to perform elicitation.
This builds on the artifacts that were developed in earlier steps, such as misuse and abuse
cases, attack trees, threats, and scenarios. Prior to this step, the requirements engineering
team must select an elicitation technique that is suitable for the client organization and project.
Multiple techniques may work for the same project. The difficulty with selecting a technique is
choosing one that can adapt to the number and expertise of the stakeholders, the size and
scope of the client project, and the expertise of the requirements engineering team.
CMU has done an extensive evaluation and analysis of the different types of elicitation methods
and has shown that the Accelerated Requirements Method (ARM) has been successful for
eliciting security requirements. The evaluation criteria include:
Though results will vary from one organization to another, CMU's approach is worth
considering as a choice for your organization.
AKINOLA DANIEL ERI-IFE 19/0189 SENG 204(GROUP A)
The Security Elicitation step is the heart of the SQUARE process. This step describes the
execution of the elicitation technique that was previously selected.