
Reusable Knowledge in Security Requirements Engineering

Research Papers
Available/Collected Data
SECURITY
- Exposure to hacking/manipulation
- Someone else taking it away
- With the passage of time

?
What's the solution now?
Early Development Stages
Considering security concerns from the early development stages
EFFORTS PUT IN

AIM

Existing surveys/proposals/techniques/tools/modelling frameworks and considerable methods available for Security Requirements Engineering from the last 2 DECADES, in a systematic way.
No reference for researchers.
GOAL
Conducting a literature review to:
- Identify
- Analyse
- Categorise
by covering more than 30 approaches.
4.1.3 Quality Criteria: Screening of Papers

• Inclusion of electronically available papers only
• English publications
• Exclusion of papers with unsupported claims / existing work
• Inclusion of papers on (re)use/automation of SRE methods
• Same author, similar content: grouped into the same category
• Exclusion of irrelevant propositions


4.1.4 Data Classification of Paper Inclusions

References taken up which passed the quality criteria, to present the systematic SRE method for security in today's environment.
Additional Filter for Screening
To increase the CONFIDENCE regarding relevance:

Publications with a focus on security requirements
+
Publications with security requirements as part of a broader approach

(Chart: publications with a focus on security requirements)
Statistical Result of Selected Papers with Categories

Relative Share of Various Paper Types

Now we are interested in the type of research of the selected papers:
• Solution Papers: new/revised techniques
• Philosophical Papers: new conceptual framework
• Evaluation Research: learning lessons from implementation in practice
• Validation Research: properties of a solution not yet deployed in practice
• Opinion Papers: opinion about research/practice
• Experience Papers: how something was done in practice


Labelling of Papers: Based on Categorisation
Some papers cover two categories; papers without a category represent only tools.

Solution Proposal | Validation Research | Tool | Solution Proposal + Validation
Papers Classification

Summarizing the Results of Classification


4.2 Framework for Analysing & Comparing Knowledge Reuse in SRE

In-depth surveying of different approaches for SRE in the context of knowledge reuse helped in defining the different categories and the CONSTRUCT of the FRAMEWORK.

This framework makes it possible to organize the
• different methods,
• techniques and
• tools
for knowledge reuse in SRE around different axes that were identified through the SMAP and appeared to be relevant.
4.2.1 Knowledge

Identifies the different knowledge (re)used in SRE, organised under three sub-dimensions:

• Organisation & Assets
• Risk: different threats & vulnerabilities (attackers & methods)
• Risk Treatment: risk mitigation (countermeasures/policies)


4.2.2 Form of Representation

Different types of knowledge forms, along with their organization.
4.2.3 Technique

The technique facet defines whether the knowledge (re)use techniques can be:

• Automated (e.g., queries)
• Semi-automated (e.g., process)
• Totally manual (e.g., guidelines)


4.2.4 Automated Support

Checks for the existence of automated support for:

• Knowledge (re)use in SRE
• Technology features
4.3 Systematic Mapping Details

Systematic Mapping Details for Security Reuse in SRE

Columns: concepts characterizing the conceptual space of the security approach
Lines: different reuse forms by SRE methods
Coloured cells: existing publications proposing reuse
Dark cells: larger number of publications
White cells: no publication
Moving on to Different Methods

4.3.6 Methods that do not (re)use security knowledge

The SMAP found that there is a wide variety of SRE methods that do not consider knowledge reuse during the SRE process.

Secure i*
