Functional Requirements Under Security PresSuRE

Recently, there has been an increase of reported security incidents hitting large software systems. Such incidents can originate from different attackers exploiting vulnerabilities of different parts of a system. Hence, there is a need for enhancing security considerations in software development. It is crucial for requirements engineers to identify security threats early on, and to refine the threats into security requirements. In this paper, we introduce a methodology for Problem-based Security Requirements Elicitation (PresSuRE). PresSuRE is a method for identifying security needs during the requirements analysis of software systems using a problem frame model. Our method does not rely entirely on the requirements engineer to detect security needs, but provides a computer-aided security threat identification, and subsequently the elicitation of security requirements. The identification is based on the functional requirements for a system-to-be. We illustrate and validate our approach using a smart grid scenario provided by the industrial partners of the EU project NESSoS.