SQUARE Methodology
The SQUARE process was designed as a method to elicit, categorize and prioritize security requirements. Its goal was to integrate security into the early stages of software development, but it has also proved useful for evaluating the security of existing systems (Mead, Hough, & Stehney II, Security Quality Requirements Engineering, 2005). SQUARE guides teams through a series of nine steps to determine a project’s security requirements in a structured manner. Tasks include agreeing on definitions, developing artifacts, assessing risks, and eliciting and validating requirements.
This process has proved useful for security requirements engineering and has recently been adapted for use in privacy requirements engineering (Bijwe & Mead, 2010). Privacy requirements engineering poses a range of different challenges compared to security requirements engineering. The privacy policies of an application are not dictated solely by the stakeholders; they can also be mandated by laws and regulations. Laws and regulations can be difficult to understand; a fair amount of knowledge can be required to properly interpret and comply with all applicable laws. The Goal-Based Requirements Analysis Method (Antón, Carter, Dagnino, Dempster, & Siege, 2001), the Pattern-Based Approach (Schumacher, 2003) and the E-Commerce Personalization Approach (Cranor, 2003) have all been used in privacy requirements engineering; however, these methods are generic in nature and require a detailed understanding of privacy laws, standards and policies (Bijwe & Mead, 2010).