Seda Gürses

A comparison of security requirements engineering methods

This paper presents a conceptual framework for security engineering, with a strong focus on security requirements elicitation and analysis. This conceptual framework establishes a clear-cut vocabulary and makes explicit the interrelations between the different concepts and notions used in security engineering. Further, we apply our conceptual framework to compare and evaluate current security requirements engineering approaches, such as the Common Criteria, Secure Tropos, SREP, MSRA, as well as methods based on UML and problem frames. We review these methods and assess them according to different criteria, such as the general approach and scope of the method, its validation, and quality assurance capabilities. Finally, we discuss how these methods are related to the conceptual framework and to one another.

Two Tales of Privacy in Online Social Networks

Privacy is one of the friction points that emerge when communications are mediated in online social networks (OSNs). Different communities of computer science researchers have framed the OSN privacy problem as one of surveillance, institutional privacy, or social privacy. In tackling these problems, researchers have also treated them as if they were independent. In this article, the authors argue that the different privacy problems are entangled and that OSN privacy research would benefit from a more holistic approach.

PETs in the Surveillance Society: A Critical Review of the Potentials and Limitations of the Privacy as Confidentiality Paradigm

“Privacy as confidentiality” has been the dominant paradigm in computer science privacy research. Privacy Enhancing Technologies (PETs) that guarantee confidentiality of personal data or anonymous communication have resulted from such research. The objective of this chapter is to show that such PETs are indispensable but are short of being the privacy solutions they sometimes claim to be given current day circumstances. We will argue using perspectives from surveillance studies that the computer scientists’ conception of privacy through data or communication confidentiality is techno-centric and displaces end-user perspectives and needs in a surveillance society. We will further show that the perspectives from surveillance studies demand a critical review for their human-centric conception of information systems. Last, we re-position PETs in a surveillance society and argue for the necessity for multiple paradigms for privacy and related design.

Requirements engineering within a large-scale security-oriented research project: lessons learned

Requirements engineering has been recognized as a fundamental phase of the software engineering process. Nevertheless, the elicitation and analysis of requirements are often left aside in favor of architecture-driven software development. This tendency, however, can lead to issues that may affect the success of a project. This paper presents our experience gained in the elicitation and analysis of requirements in a large-scale security-oriented European research project, which was originally conceived as an architecture-driven project. In particular, we illustrate the challenges that can be faced in large-scale research projects and consider the applicability of existing best practices and off-the-shelf methodologies with respect to the needs of such projects. We then discuss how those practices and methods can be integrated into the requirements engineering process and possibly improved to address the identified challenges. Finally, we summarize the lessons learned from our experience and the benefits that a proper requirements analysis can bring to a project.