author = {Stefan Gärtner and Thomas Ruhroth and Jens Bürger and Kurt Schneider
	and Jan Jürjens},
  title = {{M}aintaining {R}equirements for {L}ong-{L}iving {S}oftware {S}ystems
	by {I}ncorporating {S}ecurity {K}nowledge},
  booktitle = {22nd IEEE International Requirements Engineering Conference},
  year = {2014},
  pages = {103--112},
  organization = {IEEE},
  abstract = {Security is an increasingly important quality facet in modern information
	systems and needs to be retained. Due to a constantly changing environment,
	long-living software systems ''age''? not by wearing out, but by
	failing to keep up-to-date with their environment. The problem is
	that requirements engineers usually do not have a complete overview
	of the security-related knowledge necessary to retain security of
	long-living software systems. This includes security standards, principles
	and guidelines as well as reported security incidents. In this paper,
	we focus on the identification of known vulnerabilities (and their
	variations) in natural-language requirements by leveraging security
	knowledge. For this purpose, we present an integrative security knowledge
	model and a heuristic method to detect vulnerabilities in requirements
	based on reported security incidents. To support knowledge evolution,
	we further propose a method based on natural language analysis to
	refine and to adapt security knowledge. Our evaluation indicates
	that the proposed assessment approach detects vulnerable requirements
	more reliable than other methods (Bayes, SVM, k-NN). Thus, requirements
	engineers can react faster and more effectively to a changing environment
	that has an impact on the desired security level of the information
	system. }