An Empirical Comparison of Approaches for Security Requirements Elicitation

Karl Kolk
The importance of security engineering in the development cycle is widely accepted. In spite of the large variety of security requirements elicitation techniques, organizations struggle to select the most suitable security requirements elicitation method that would enable the elicitation of security requirements with the most complete coverage. Two potential solutions exist to this problem; Security Quality Requirements Engineering (SQUARE) and Security Requirements Elicitation from Business Processes (SREBP). SQUARE is an already established and widely used security requirements elicitation method that addresses security early in the software development cycle. On the other hand, SREBP is a new approach that helps derive security requirements from operational business processes. To address the above mentioned issue, this thesis compares the two methods based on an empirical case study of the Estonian Football Association. The elicited security requirements are categorized and the completeness of their coverage is compared. As a result, it was determined that SREBP provides more coverage of the security requirements. Such a result contributes to the existing literature by further strengthening the validity of SREBP.
Graduation Thesis language
Graduation Thesis type
Master - Cyber Security
Dr. Raimundas Matulevicius
Defence year