Risk and Business Goal Based Security Requirement and Countermeasure Prioritization

Companies are under pressure to be in control of their assets but at the same time they must operate as efficiently as possible. This means that they aim to implement “good-enough security” but need to be able to justify their security investment plans. Currently companies achieve this by means of checklist-based security assessments, but these methods are a way to achieve consensus without being able to provide justifications of countermeasures in terms of business goals. But such justifications are needed to operate securely and effectively in networked businesses. In this paper, we first compare a Risk-Based Requirements Prioritization method (RiskREP) with some requirements engineering and risk assessment methods based on their requirements elicitation and prioritization properties. RiskREP extends misuse case-based requirements engineering methods with IT architecture-based risk assessment and countermeasure definition and prioritization. Then, we present how RiskREP prioritizes countermeasures by linking business goals to countermeasure specification. Prioritizing countermeasures based on business goals is especially important to provide the stakeholders with structured arguments for choosing a set of countermeasures to implement. We illustrate RiskREP and how it prioritizes the countermeasures it elicits by an application to an action case

SecREP : A Framework for Automating the Extraction and Prioritization of Security Requirements Using Machine Learning and NLP Techniques

Gathering and extracting security requirements adequately requires extensive effort, experience, and time, as large amounts of data need to be analyzed. While many manual and academic approaches have been developed to tackle the discipline of Security Requirements Engineering (SRE), a need still exists for automating the SRE process. This need stems mainly from the difficult, error-prone, and time-consuming nature of traditional and manual frameworks. Machine learning techniques have been widely used to facilitate and automate the extraction of useful information from software requirements documents and artifacts. Such approaches can be utilized to yield beneficial results in automating the process of extracting and eliciting security requirements. However, the extraction of security requirements alone leaves software engineers with yet another tedious task of prioritizing the most critical security requirements. The competitive and fast-paced nature of software development, in addition to resource constraints make the process of security requirements prioritization crucial for software engineers to make educated decisions in risk-analysis and trade-off analysis. To that end, this thesis presents an automated framework/pipeline for extracting and prioritizing security requirements. The proposed framework, called the Security Requirements Extraction and Prioritization Framework (SecREP) consists of two parts: SecREP Part 1: Proposes a machine learning approach for identifying/extracting security requirements from natural language software requirements artifacts (e.g., the Software Requirement Specification document, known as the SRS documents) SecREP Part 2: Proposes a scheme for prioritizing the security requirements identified in the previous step. For the first part of the SecREP framework, three machine learning models (SVM, Naive Bayes, and Random Forest) were trained using an enhanced dataset the “SecREP Dataset” that was created as a result of this work. Each model was validated using resampling (80% of for training and 20% for validation) and 5-folds cross validation techniques. For the second part of the SecREP framework, a prioritization scheme was established with the aid of NLP techniques. The proposed prioritization scheme analyzes each security requirement using Part-of-speech (POS) and Named Entity Recognition methods to extract assets, security attributes, and threats from the security requirement. Additionally, using a text similarity method, each security requirement is compared to a super-sentence that was defined based on the STRIDE threat model. This prioritization scheme was applied to the extracted list of security requirements obtained from the case study in part one, and the priority score for each requirement was calculated and showcase

Requirements Prioritization Based on Benefit and Cost Prediction: An Agenda for Future Research

In early phases of the software cycle, requirements prioritization necessarily relies on the specified requirements and on predictions of benefit and cost of individual requirements. This paper presents results of a systematic review of literature, which investigates how existing methods approach the problem of requirements prioritization based on benefit and cost. From this review, it derives a set of under-researched issues which warrant future efforts and sketches an agenda for future research in this area

Exploiting a Goal-Decomposition Technique to Prioritize Non-functional Requirements

Business stakeholders need to have clear and realistic goals if they want to meet commitments in application development. As a consequence, at early stages they prioritize requirements. However, requirements do change. The effect of change forces the stakeholders to balance alternatives and reprioritize requirements accordingly. In this paper we discuss the problem of priorities to non-functional requirements subjected to change. We, then, propose an approach to help smooth the impact of such changes. Our approach favors the translation of nonoperational specifications into operational definitions that can be evaluated once the system is developed. It uses the goal-question-metric method as the major support to decompose non-operational specifications into operational ones. We claim that the effort invested in operationalizing NFRs helps dealing with changing requirements during system development. Based on\ud this transformation and in our experience, we provide guidelines to prioritize volatile non-functional requirements

Scope Management of Non-Functional Requirements

In order to meet commitments in software projects, a realistic assessment must be made of project scope. Such an assessment relies on the availability of knowledge on the user-defined project requirements and their effort estimates and priorities, as well as their risk. This knowledge enables analysts, managers and software engineers to identify the most significant requirements from the list of requirements initially defined by the user. In practice, this scope assessment is applied to the Functional Requirements (FRs) provided by users who are unaware of, or ignore, the Non-Functional Requirements (NFRs). This paper presents ongoing research which aims at managing NFRs during the software development process. Establishing the relative priority of each NFR, and obtaining a rough estimate of the effort and risk associated with it, is integral to the software development process and to resource management. Our work extends the taxonomy of the NFR framework by integrating the concept of the "hardgoal". A functional size measure of NFRs is applied to facilitate the effort estimation process. The functional size measurement method we have chosen is COSMICFFP, which is theoretically sound and the de facto standard in the software industry

Requirement prioritization based on non-functional requirement classification using hierarchy analytic hierarchy process

This Requirement prioritization is the process in requirement engineering which in one stage in SDLC. Requirements engineering process aid to increase the excellence of software systems. Software system requirements are often classified as functional requirements (FR) or non-functional requirement (NFR). To produce a high-quality software system, both functional and non-functional requirement must be considered during requirement prioritization process. Most of the existing requirement prioritization method is only considering functional requirements since but neglecting the effect of NFR on specified FR. The aim of this paper to propose requirement prioritization technique that embed the non-functional requirements using existing RALIC dataset. Implementation of this paper, RALIC dataset hierarchy (a) use pairwise comparison and consistency ratio check for accuracy. Classified the percentage of NFR for hierarchy (a). Hierarchy (a) pairwise comparison result of weights (a.1) was (0.60) which is highest prioritized. Classified the NFR for hierarchy (a) requirements was efficiency (60%), security was (31%) and usability was (11%). Efficiency was the highest in hierarchy (a). Oppositely, highest percentage of NFR for hierarchy (a to j) was Portability requirement (92%) from hierarchy (e). The finding, when make the pairwise comparison for hierarchy (a to j) requirements input was (15, 051), in contrast, hierarchically pairwise comparison for (a to j) requirements input was (403). Therefore, hierarchically comparison can be reduced the number of requirements (97.33 %)

Workforce Innovation and Opportunity Act (WIOA) of 2014: A Preliminary Analysis

A preliminary analysis of provisions contained in the Workforce Innovation and Opportunity Act (WIOA) of 2014 related to employment, training, education, supports, and prioritization of workforce services for adults and youth with barriers to employment