More and more software projects today are security-related in one way or the other.
Requirements engineers often fail to recognise indicators for security problems, which is a major source
of security problems in practice. Identifying security-relevant requirements is labour-intensive and error-prone.
In order to facilitate the security requirements elicitation process, we present an approach
supporting organisational learning on security requirements by establishing company-wide experience
resources, and a socio-technical network to benefit from them. The approach is based on modelling the
flow of requirements and related experiences. Based on those models, we enable people to exchange
experiences about security requirements while they write and discuss project requirements. At the same
time, the approach enables participating stakeholders to learn while they write requirements. This can
increase security awareness and facilitate learning on both individual and organisational levels. As a basis
for our approach, we introduce heuristic assistant tools which support reuse of existing security-related
experiences. In particular, they include Bayesian classifiers which issue a warning automatically when
new requirements seem to be security-relevant. Our results indicate that this is feasible, in particular if
the classifier is trained with domain specific data and documents from previous projects. We show how
the ability to identify security-relevant requirements can be improved using this approach. We illustrate
our approach by providing a step-by-step example of how we improved the security requirements
engineering process at the European Telecommunications Standards Institute (ETSI) and report on
experiences made in this application.
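As an added illustration, not the paper's own tool or data, the following constructed multinomial naive Bayes classifier shows how such a heuristic assistant can be trained on requirements labelled in earlier projects and then warn when a newly written requirement looks security-relevant. The training sentences, the tokeniser and the 0.5 warning threshold are assumptions made for this example.

```python
import math
import re
from collections import Counter

# Constructed sample training data: requirement sentences labelled as
# security-relevant (True) or not (False). Not taken from the paper.
TRAINING = [
    ("The system shall encrypt all stored customer passwords.", True),
    ("Users must authenticate with a password before accessing account data.", True),
    ("Access to configuration files shall be restricted to administrators.", True),
    ("All login attempts shall be logged for audit purposes.", True),
    ("The report page shall display monthly sales totals.", False),
    ("The application shall support English and French user interfaces.", False),
    ("Search results shall be returned within two seconds.", False),
    ("The export function shall produce a CSV file.", False),
]

def tokenize(text):
    # Lower-case alphabetic tokens only; adequate for short requirement sentences.
    return re.findall(r"[a-z]+", text.lower())

class RequirementClassifier:
    """Multinomial naive Bayes with Laplace (add-one) smoothing."""
    def __init__(self):
        self.class_counts = Counter()
        self.word_counts = {True: Counter(), False: Counter()}
        self.vocab = set()

    def train(self, examples):
        for text, label in examples:
            self.class_counts[label] += 1
            for word in tokenize(text):
                self.word_counts[label][word] += 1
                self.vocab.add(word)

    def security_probability(self, text):
        # Log-space scores avoid underflow; smoothing keeps unseen words non-zero.
        total = sum(self.class_counts.values())
        log_scores = {}
        for label in (True, False):
            denom = sum(self.word_counts[label].values()) + len(self.vocab)
            score = math.log(self.class_counts[label] / total)
            for word in tokenize(text):
                score += math.log((self.word_counts[label][word] + 1) / denom)
            log_scores[label] = score
        shift = max(log_scores.values())
        weights = {k: math.exp(v - shift) for k, v in log_scores.items()}
        return weights[True] / sum(weights.values())

    def warn(self, text, threshold=0.5):
        # Returns (flagged, probability); the assistant issues a warning when flagged.
        prob = self.security_probability(text)
        return prob >= threshold, prob
```

The classifier learns which words co-occur with security-relevant requirements in the training set, so, as the abstract notes, training on domain-specific documents from previous projects matters more than the algorithm itself.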