A Model for Structuring and Reusing Security Requirements Sources and Security Requirements

Various security requirements sources need to be incorporated when developing security requirements. A challenge for teams developing security requirements is to identify and structure relevant sources, to satisfy compliancerelated obligations, and to identify and properly address relevant threats, weaknesses and vulnerabilities. In this paper, we present a generic model which can be used for structuring and reusing security requirements sources and security requirements, to improve the efficiency of security requirements engineering and to achieve a desired ‘baseline’ security level and completeness of security requirements. The model supports security requirements engineering in general but can also be applied for continuous security requirements engineering in order to analyze and evaluate the influence of changes in software or the environment on security requirements and the overall software and system security. Elements of the model and their interdependencies are described, and observations on important aspects when applying this model in an organization are provided.