6,823 research outputs found

    FAME: supporting continuous requirements elicitation by combining user feedback and monitoring

    © 2018 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. Context: Software evolution ensures that software systems in use stay up to date and provide value for end-users. However, it is challenging for requirements engineers to continuously elicit needs for systems used by heterogeneous end-users who are out of organisational reach. Objective: We aim at supporting continuous requirements elicitation by combining user feedback and usage monitoring. Online feedback mechanisms enable end-users to remotely communicate problems, experiences, and opinions, while monitoring provides valuable information about runtime events. It is argued that bringing both information sources together can help requirements engineers to understand end-user needs better. Method/Tool: We present FAME, a framework for the combined and simultaneous collection of feedback and monitoring data in web and mobile contexts to support continuous requirements elicitation. In addition to a detailed discussion of our technical solution, we present the first evidence that FAME can be successfully introduced in real-world contexts. Therefore, we deployed FAME in a web application of a German small and medium-sized enterprise (SME) to collect user feedback and usage data. Results/Conclusion: Our results suggest that FAME not only can be successfully used in industrial environments but that bringing feedback and monitoring data together helps the SME to improve their understanding of end-user needs, ultimately supporting continuous requirements elicitation. Peer Reviewed. Postprint (author's final draft

    Design, implementation, and evaluation of an ICT-supported collaboration methodology for distributed requirements determination

    As information systems development becomes more distributed, information and communication technology (ICT) has become crucial to overcome distance and to enable collaboration between system users and analysts. This study presents the design, implementation, and experimental evaluation of a new technology-supported collaborative methodology for requirements determination. The new ICT-supported methodology enables the elicitation, analysis, specification, and validation of requirements in a distributed environment. Its design follows the theoretical principles of Te’eni’s (2001) cognitive-affective model of organizational communication for IT design and combines established methods as well as techniques for requirements identification, formulation, dependency determination, prioritization, and selection in a coherent and innovative way. The resulting prototype is professionally implemented and evaluated in an experiment. The experiment is the first to compare the performance of traditional ways of communication via interviews and document exchange with that of communication via an Internet-based collaboration platform for requirements determination. The results show that both the efficiency of the overall requirements determination process and the overall quality of the resulting requirements are higher when using the new collaborative methodology. In terms of quality, efficiency, the user and analyst perspectives need to be distinguished. While the effort for requirements elicitation increases for the analysts, this up-front investment pays off in terms of significantly lower effort for the later specification and validation of requirements. In contrast, the users benefit in particular from lower effort during requirements elicitation and analysis

    Practical requirements elicitation in modern product development: A multi-case study in discontinuous innovation

    Practical modern product development, specifically rapid, lean efforts to create new disrupting or specialized products, faces constraints that require modified requirements elicitation (RE) techniques. Requirements elicitation conventions have not been updated to address the challenges of these approaches, and industry practitioners lack the tools to select the most efficient techniques. This study examines the RE approaches performed by three resource-limited teams conducting discontinuous new product development through a multi-case study to identify gaps between the literature and practice, with suggestions to fill them. Our findings suggest modern RE practices and challenges closely reflect those found by studies on RE in agile development, highlighted by a limited variety of techniques and a focus on user feedback despite user unavailability, resulting in partially complete and validated requirements. We suggest further investigation into practical technique selection, development of technique metrics, and a technique selection literature review to practitioners prior to RE

    SecREP: A Framework for Automating the Extraction and Prioritization of Security Requirements Using Machine Learning and NLP Techniques

    Gathering and extracting security requirements adequately requires extensive effort, experience, and time, as large amounts of data need to be analyzed. While many manual and academic approaches have been developed to tackle the discipline of Security Requirements Engineering (SRE), a need still exists for automating the SRE process. This need stems mainly from the difficult, error-prone, and time-consuming nature of traditional and manual frameworks. Machine learning techniques have been widely used to facilitate and automate the extraction of useful information from software requirements documents and artifacts. Such approaches can be utilized to yield beneficial results in automating the process of extracting and eliciting security requirements. However, the extraction of security requirements alone leaves software engineers with yet another tedious task of prioritizing the most critical security requirements. The competitive and fast-paced nature of software development, in addition to resource constraints make the process of security requirements prioritization crucial for software engineers to make educated decisions in risk-analysis and trade-off analysis. To that end, this thesis presents an automated framework/pipeline for extracting and prioritizing security requirements. The proposed framework, called the Security Requirements Extraction and Prioritization Framework (SecREP) consists of two parts: SecREP Part 1: Proposes a machine learning approach for identifying/extracting security requirements from natural language software requirements artifacts (e.g., the Software Requirement Specification document, known as the SRS documents) SecREP Part 2: Proposes a scheme for prioritizing the security requirements identified in the previous step. For the first part of the SecREP framework, three machine learning models (SVM, Naive Bayes, and Random Forest) were trained using an enhanced dataset the “SecREP Dataset” that was created as a result of this work. 
Each model was validated using resampling (80% for training and 20% for validation) and 5-fold cross-validation techniques. For the second part of the SecREP framework, a prioritization scheme was established with the aid of NLP techniques. The proposed prioritization scheme analyzes each security requirement using Part-of-speech (POS) and Named Entity Recognition methods to extract assets, security attributes, and threats from the security requirement. Additionally, using a text similarity method, each security requirement is compared to a super-sentence that was defined based on the STRIDE threat model. This prioritization scheme was applied to the extracted list of security requirements obtained from the case study in part one, and the priority score for each requirement was calculated and showcase

    Security Risk Management of E-commerce Systems

    Security risk management plays an important role in the development of any system, and this also applies to e-commerce systems. Because many people use these services, they may encounter inadequate security measures, which is harmful to both businesses and customers. As a result of its research, this thesis sets out procedures for e-commerce systems that are aimed at reducing security risks, by examining and analysing the Webshop store. This method considers the assessment of security risk management strategies, has been approved by experts in the field, and not only addresses the identification of potential threats to e-commerce systems but also ensures a structured flow of security risk management. The security risk management process is presented in a form that is understandable to the relevant stakeholders of e-commerce systems. Security risk management is a vital part of any system development including e-commerce systems. As many people rely on these e-services, its inadequate security measures can be experienced, causing great losses to both businesses and customers. This thesis research work proposes a procedure that targets e-commerce system security and suggests the application of a threat-driven approach to security risk management by analysing an e-commerce system Webshop as a case study. This approach provides a useful assessment of the security risk management procedure that is validated by experts in the field. It not only identifies evolving threats to e-commerce systems but allows for a structured flow in security risk management. The risk management process is documented and reported in such a way that is easily understandable by concerned stakeholders of the e-commerce system