A Systematic Review and Analytical Evaluation of Security Requirements Engineering Approaches

Security is an inevitable concern in today’s scenario of software-based application’s pervasiveness and development practices. Researchers and practitioners frequently advocate that security-related aspects should be integrated and incorporated right from the beginning of SDLC. Security requirements engineering (SRE) plays an important role during the inceptive phases of software development. Thereby, we conducted a systematic review of the current state of the literature related to SRE. In total, we selected and analyzed 108 relevant studies. After analyzing the selected studies, we identified 20 different SRE approaches and compared them on different technical parameters like ‘performance in the requirements subphase,’ ‘usability with respect to size and complexity of the project,’ ‘notation used,’ ‘industry recognition/adoption,’ ‘tool support,’ ‘standards integration’ and ‘elicitation technique used.’ The results of this study are based on the comparative analysis of the SRE approaches, their analytical evaluation by the authors and trends observed during the course of the review. The major findings of this study indicate that SRE approaches like ‘Misuse case, Secure Tropos, SEPP and SQUARE’ are most popular among researchers while UML-based approaches like ‘Misuse Case, SecureUML and UMLsec’ are easily adaptable approaches. Threat modeling as an activity is adapted by most of the SRE approaches while few approaches support risk analysis. In addition, among several other findings, our study indicates that most of the SRE approaches fail to integrate security standards and formal methods. The contribution of this work is consequently that of supplying researchers with a summarized comparison of existing SRE approaches, along with the best practices adopted in the field of security requirements engineering. The insights provided here on selection appropriateness may prove to be instrumental for research in the area and may significantly facilitate both researchers and practitioners.