Enhancing security requirements engineering by organizational learning

More and more software projects today are security-related in one way or the other. Requirements engineers without expertise in security are at risk of overlooking security requirements, which often leads to security vulnerabilities that can later be exploited in practice. Identifying security-relevant requirements is labor-intensive and error-prone. In order to facilitate the security requirements elicitation process, we present an approach supporting organizational learning on security requirements by establishing company-wide experience resources and a socio-technical network to benefit from them. The approach is based on modeling the flow of requirements and related experiences. Based on those models, we enable people to exchange experiences about security-relevant requirements while they write and discuss project requirements. At the same time, the approach enables participating stakeholders to learn while they write requirements. This can increase security awareness and facilitate learning on both individual and organizational levels. As a basis for our approach, we introduce heuristic assistant tools. They support reuse of existing experiences that are relevant for security. In particular, they include Bayesian classifiers that issue a warning automatically when new requirements seem to be security-relevant. Our results indicate that this is feasible, in particular if the classifier is trained with domain-specific data and documents from previous projects. We show how the ability to identify security-relevant requirements can be improved using this approach. We illustrate our approach by providing a step-by-step example of how we improved the security requirements engineering process at the European Telecommunications Standards Institute (ETSI) and report on experiences made in this application.     

Experiential learning approach for requirements engineering education

The use of requirements engineering (RE) in industry is hampered by a poor understanding of its practices and their benefits. Teaching RE at the university level is therefore an important endeavor. Shortly before students become engineers and enter the workforce, this education could ideally be provided as an integrated part of developing the requisite business skills for understanding RE. Because much social wisdom is packed into RE methods, it is unrealistic to expect students with little organizational experience to understand and appreciate this body of knowledge; hence, the necessity of an experiential approach. The course described in this paper uses an active, affective, experiential pedagogy giving students the opportunity to experience a simulated work environment that demonstrates the social/design–problem complexities and richness of a development organization in the throes of creating a new product. Emotional and technical debriefing is conducted after each meaningful experience so that students and faculty, alike can better understand the professional relevancies of what they have just experienced. This includes an examination of the many forces encountered in industrial settings but not normally discussed in academic settings. The course uses a low-tech social simulation, rather than software simulation, so that students learn through interaction with real people, and are therefore confronted with the complexity of true social relationships.     

Viewpoints: principles, problems and a practical approach to requirements engineering

The paper includes a survey and discussion of viewpoint‐oriented approaches to requirements engineering and a presentation of new work in this area which has been designed with practical application in mind. We describe the benefits of viewpoint‐oriented requirements engineering and describe the strengths and weaknesses of a number of viewpoint‐oriented methods. We discuss the practical problems of introducing viewpoint‐oriented requirements engineering into industrial software engineering practice and why these have prevented the widespread use of existing approaches. We then introduce a new model of viewpoints called Preview. Preview viewpoints are flexible, generic entities which can be used in different ways and in different application domains. We describe the novel characteristics of the Preview viewpoints model and the associated processes of requirements discovery, analysis and negotiation. Finally, we discuss how well this approach addresses some outstanding problems in requirements engineering (RE) and the practical industrial problems of introducing new requirements engineering methods.     

A soft computing approach for privacy requirements engineering: The PriS framework

Soft computing continuously gains interest in many fields of academic and industrial domain; among the most notable characteristics for using soft computing methodological tools is the ability to handle with vague and imprecise data in decision making processes. Similar conditions are often encountered in requirements engineering. In this paper, we introduce the PriS approach, a security and privacy requirements engineering framework which aims at incorporating privacy requirements early in the system development process. Specifically, PriS provides a set of concepts for modelling privacy requirements in the organisation domain and a systematic way-of-working for translating these requirements into system models. The conceptual model of PriS uses a goal hierarchy structure. Every privacy requirement is either applied or not on every goal. To this end every privacy requirement is a variable that can take two values [0,1] on every goal meaning that the requirements constraints the goal (value 1) or not (value 0). Following this way of working PriS ends up suggesting a number of implementation techniques based on the privacy requirements constraining the respective goals. Taking into account that the mapping of privacy variables to a crisp set consisting of two values [0,1] is constraining, we extend also the PriS framework so as to be able to address the degree of participation of every privacy requirement towards achieving the generic goal of privacy. Therefore, we propose a fuzzification of privacy variables that maps the expression of the degree of participation of each privacy variable to the [0,1] interval. We also present a mathematical framework that allows the concurrent management of combined independent preferences towards the necessity of a privacy measure; among the advantages of the presented extended framework is the scalability of the approach in such a way that the results are not limited by the number of independent opinions or by the number of factors considered while reasoning for a specific selection of privacy measures.     

Integrated requirements engineering: a tutorial

This short tutorial introduces the fundamental activities of RE (requirements engineering) and discusses how it has evolved as a part of the software engineering process. However, rather than focusing on the established RE techniques, the author discusses how the changing nature of software engineering has led to the new challenges in RE. The author then introduces a number of new techniques that helps us to meet these challenges by integrating RE more closely with other systems implementation activities.     

Integrating ontologies,model driven,and CNL in a multi-viewed approach for requirements engineering

Research in requirements engineering (RE) has been growing in the last few years. RE researchers are generally concerned with a set of open issues such as: (i) the need for a well-defined process to identify and specify the requirements scope, (ii) suitable mechanisms to support communication among different stakeholders and development teams involved in the RE process, (iii) mechanisms to deal with the inherent volatility of requirements, and (iv) the need for a traceability scheme to help managing requirements in the downstream phases of the development process. In this work, we address some of these open issues by proposing the use of an iterative and incremental model-driven RE process combined with the employment of different notations such as controlled natural language and ontology in each activity of RE process. Based on the argument that there is no single notation suitable to represent requirements from the different perspectives of all the stakeholders and development teams, we propose a RE process encompassing different views, representing each perspective. This paper describes the proposed process, its tool support, and presents a controlled experiment that illustrates the proposal and evaluates its benefits.     

Modelling and engineering the requirements engineering process: An overview of the NATURE approach

This paper presents an overview of the process theory developed in the context of the ESPRIT project NATURE.¹ This theory proposes means for modelling and engineering the requirements engineering (RE) process. The key element of this theory is a situation-and decision-based process meta-model independent of any RE methodology. The process meta-model acts as a shell for defining process models by instantiation. An enactment mechanism implemented in a tool environment has been defined. It allows execution of process models and provides effective guidance to the requirements engineer. Construction of process models is also supported based on generic method knowledge chunks. The formalization of our approach is based on a free algebra.     

A holistic approach to feature modeling for product line requirements engineering

Requirements engineering (RE) offers the means to discover, model, and manage the requirements of the products that comprise a product line, while software product line engineering (SPLE) offers the means of realizing the products’ requirements from a common base of software assets. In practice, however, RE and SPLE have proven to be less complementary than they should. While some RE techniques, particularly goal modeling, support the exploration of alternative solutions, the appropriate solution is typically conditional on context and a large product line may have many product-defining contexts. Thus, scalability and traceability through into product line features are key challenges for RE. Feature modeling, by contrast, has been widely accepted as a way of modeling commonality and variability of products of a product line that may be very complex. In this paper, we propose a goal-driven feature modeling approach that separates a feature space in terms of problem space and solution space features, and establish explicit mappings between them. This approach contributes to reducing the inherent complexity of a mixed-view feature model, deriving key engineering drivers for developing core assets of a product line, and facilitating the quality-based product configuration.     

Requirements engineering for organizational transformation

Traditional approaches to requirements elicitation stress systematic and rational analysis and representation of organizational context and system requirements. This paper argues that the introduction of any computer-based system to an organization transforms the organization and changes the work patterns of the system's users in the organization. These changes interact with the users' values and beliefs and trigger emotional responses which are sometimes directed against the computer-based system and its proponents. The paper debunks myths about how smoothly such organizational transformations take place, describes case studies showing how organizational transformation really takes place, and introduces and confirms by case studies some guidelines for eliciting requirements and the relevant emotional issues for a computer-based system that is being introduced into an organization to change its work patterns.     

A case study validation of a knowledge-based approach for the selection of requirements engineering techniques

Requirements engineering (RE) is a critical phase in the software engineering process and plays a vital role in ensuring the overall quality of a software product. Recent research has shown that industry increasingly recognizes the importance of good RE practices and the use of appropriate RE techniques. However, due to the large number of RE techniques, requirements engineers find it challenging to select suitable techniques for a particular project. Unfortunately, technique selection based on personal experience has limitations with regards to the scope, effectiveness and suitability of the RE techniques for the project at hand. In this paper, a Knowledge-based Approach for the Selection of Requirements Engineering Techniques (KASRET) is proposed that helps during RE techniques selection. This approach has three major features. First, a library of requirements techniques was developed which includes detailed knowledge about RE techniques. Second, KASRET integrates advantages of different knowledge representation schemata and reasoning mechanisms. Thus, KASRET provides mechanisms for the management of knowledge about requirements techniques and support for RE process development. Third, as a major decision support mechanism, an objective function evaluates the overall ability and cost of RE techniques, which is helpful for the selection of RE techniques. This paper makes not only a contribution to RE but also to research and application of knowledge management and decision support in process development. A case study using an industrial project shows the support of KASRET for RE techniques selection.

Zen-ReqOptimizer: a search-based approach for requirements assignment optimization

At early phases of a product development lifecycle of large scale Cyber-Physical Systems (CPSs), a large number of requirements need to be assigned to stakeholders from different organizations or departments of the same organization for review, clarification and checking their conformance to standards and regulations. These requirements have various characteristics such as extents of importance to the organization, complexity, and dependencies between each other, thereby requiring different effort (workload) to review and clarify. While working with our industrial partners in the domain of CPSs, we discovered an optimization problem, where an optimal solution is required for assigning requirements to various stakeholders by maximizing their familiarity to assigned requirements, meanwhile balancing the overall workload of each stakeholder. In this direction, we propose a fitness function that takes into account all the above-mentioned factors to guide a search algorithm to find an optimal solution. As a pilot experiment, we first investigated four commonly applied search algorithms (i.e., GA, (1 + 1) EA, AVM, RS) together with the proposed fitness function and results show that (1 + 1) EA performs significantly better than the other algorithms. Since our optimization problem is multi-objective, we further empirically evaluated the performance of the fitness function with six multi-objective search algorithms (CellDE, MOCell, NSGA-II, PAES, SMPSO, SPEA2) together with (1 + 1) EA (the best in the pilot study) and RS (as the baseline) in terms of finding an optimal solution using an real-world case study and 120 artificial problems of varying complexity. Results show that both for the real-world case study and the artificial problems (1 + 1) EA achieved the best performance for each single objective and NSGA-II achieved the best performance for the overall fitness. NSGA-II has the ability to solve a wide range of problems without having their performance degraded significantly and (1 + 1) EA is not fit for problems with less than 250 requirements Therefore we recommend that, if a project manager is interested in a particular objective then (1 + 1) EA should be used; otherwise, NSGA-II should be applied to obtain optimal solutions when putting the overall fitness as the first priority.     

An approach to engineering the requirements of data warehouses

We focus exclusively on the issue of Requirements engineering for Data Warehouses (DW). Our position is that the information content of a DW is found in the larger context of the goals of an organization. We refer to this context as the organizational perspective. Goals identify the set of decisions that are relevant which in turn help in determining the information needed to support these. The organizational perspective is converted into the technical perspective, which deals with the set of decisions to be supported and the information required. The latter defines Data warehouse contents. To elicit the technical perspective, we use the notion of an informational scenario. It is a typical interaction between a DW system and the decision maker and consists of a sequence of pairs of the form, <information request, response>. We formulate an information request as a statement in an adapted form of SQL called Specification SQL. The proposals here are implemented in the form of an Informational Scenario Engine that processes informational scenarios and determines Data Warehouse Information Contents.     

Bayesian networks for enhancement of requirements engineering: a literature review

Requirements analysis is the software engineering stage that is closest to the users’ world. It also involves tasks that are knowledge intensive. Thus, the use of Bayesian networks (BNs) to model this knowledge would be a valuable aid. These probabilistic models could manage the imprecision and ambiguities usually present in requirements engineering (RE). In this work, we conduct a literature review focusing on where and how BNs are applied on subareas of RE in order to identify which gaps remain uncovered and which methods might engineers employ to incorporate this intelligent technique into their own requirements processes. The scarcity of identified studies (there are only 20) suggests that not all RE areas have been properly investigated in the literature. The evidence available for adopting BNs into RE is sufficiently mature yet the methods applied are not easily translatable to other topics. Nonetheless, there are enough studies supporting the applicability of synergistic cooperation between RE and BNs. This work provides a background for understanding the current state of research encompassing RE and BNs. Functional, non-functional and -ilities requirements artifacts are enhanced by the use of BNs. These models were obtained by interacting with experts or by learning from databases. The most common criticism from the point of view of BN experts is that the models lack validation, whereas requirements engineers point to the lack of a clear application method for BNs and the lack of tools for incorporating them as built-in help functions.     

Status report: requirements engineering

It is argued that, in general, requirements engineering produces one large document, written in a natural language, that few people bother to read. Projects that do read and follow the document often build systems that do not satisfy needs. The reasons for the current state of the practice are listed. Research areas that have significant payoff potential, including improving natural-language specifications, rapid prototyping and requirements animation, requirements clustering, requirements-based testing, computer-aided requirements engineering, requirements reuse, research into methods, knowledge engineering, formal methods, and a unified framework, are outlined     

E-business and organizational change: a structurational approach

Abstract.  Although e-business is a familiar part of the organizational landscape, its implementation remains a problem for large traditional organizations. This paper argues that the pervasiveness of e-business calls for the adoption of an organizational change perspective to study its implementation. Using structuration theory, the paper analyzes a detailed case study of the implementation of a major e-business initiative in a traditional automotive manufacturer. It shows how a combination of structural contradictions and unexpected consequences derailed the initiative.