Publikationen

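@comment{Schneider2012: journal article. Names are stored in "Last, First" form
  so every style splits them correctly; the accented surname is TeX-escaped so
  the entry also works with classic 8-bit BibTeX. The "special issue" text is
  kept in note rather than journal, because journal must hold only the venue
  name. Volume, number and pages are not recorded here; resolve them via the DOI
  before relying on this entry for a formatted bibliography.}

@article{Schneider2012,
  author   = {Schneider, Kurt and Knauss, Eric and Houmb, Siv and Islam, Shareeful
              and J{\"u}rjens, Jan},
  title    = {Enhancing Security Requirements Engineering by Organizational Learning},
  journal  = {Requirements Engineering Journal ({REJ})},
  year     = {2012},
  note     = {Special issue on {REFSQ}'12},
  abstract = {More and more software projects today are security-related in one
              way or the other. Requirements engineers without expertise in security
              are at risk of overlooking security requirements, which often leads
              to security vulnerabilities that can later be exploited in practice.
              Identifying security-relevant requirements is labor-intensive and
              error-prone. In order to facilitate the security requirements elicitation
              process, we present an approach supporting organizational learning
              on security requirements by establishing company-wide experience
              resources and a socio-technical network to benefit from them. The
              approach is based on modeling the flow of requirements and related
              experiences. Based on those models, we enable people to exchange
              experiences about security-relevant requirements while they write
              and discuss project requirements. At the same time, the approach
              enables participating stakeholders to learn while they write requirements.
              This can increase security awareness and facilitate learning on both
              individual and organizational levels. As a basis for our approach,
              we introduce heuristic assistant tools. They support reuse of existing
              experiences that are relevant for security. In particular, they include
              Bayesian classifiers that issue a warning automatically when new
              requirements seem to be security-relevant. Our results indicate that
              this is feasible, in particular if the classifier is trained with
              domain-specific data and documents from previous projects. We show
              how the ability to identify security-relevant requirements can be
              improved using this approach. We illustrate our approach by providing
              a step-by-step example of how we improved the security requirements
              engineering process at the European Telecommunications Standards
              Institute (ETSI) and report on experiences made in this application.},
  doi      = {10.1007/s00766-011-0141-0},
  url      = {http://www.springerlink.com/content/8h4808155m841v46/},
}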