2-SQUARE: A Web-Based Enhancement of SQUARE Privacy and Security Requirements Engineering

Alan Lai (College of Agricultural and Environmental Science, University of California, Davis, CA, USA), Cui Zhang (Department of Computer Science, California State University, Sacramento, CA, USA) and Senad Busovaca (Department of Computer Science, California State University, Sacramento, CA, USA)
Copyright: © 2013 | Pages: 13
DOI: 10.4018/ijsi.2013010104

Abstract

This paper presents a highly flexible and expandable tool called 2-SQUARE in support of the SQUARE methodology for security and privacy requirements engineering developed by the Software Engineering Institute at Carnegie Mellon University. Security and privacy requirements engineering can be a daunting task even with the proper expertise. 2-SQUARE aims at making it straightforward to perform requirements engineering regardless of expertise by providing flexible workflows and process guidance. 2-SQUARE also facilitates communication between requirements engineers and stakeholders throughout the requirements engineering process.
Article Preview

SQUARE Methodology

The SQUARE process was designed as a method to elicit, categorize and prioritize security requirements. Its goal was to integrate security into the early stages of software development, but it has also proved useful for evaluating the security of existing systems (Mead, Hough, & Stehney II, Security Quality Requirements Engineering, 2005). SQUARE guides teams through a series of nine steps to determine a project’s security requirements in a structured manner. Tasks include agreeing on definitions, developing artifacts, assessing risks, and eliciting and validating requirements.

This process has proved useful for security requirements engineering and has recently been adapted for use in privacy requirements engineering (Bijwe & Mead, 2010). Privacy requirements engineering poses a different range of challenges from security requirements engineering. The privacy policies of an application are not dictated solely by the stakeholders; they can also be mandated by laws and regulations. Laws and regulations can be difficult to understand, and a fair amount of knowledge can be required to properly interpret and comply with all applicable laws. The Goal-Based Requirements Analysis Method (Antón, Carter, Dagnino, Dempster, & Siege, 2001), the Pattern-Based Approach (Schumacher, 2003) and the E-Commerce Personalization Approach (Cranor, 2003) have all been used in privacy requirements engineering; however, these methods are generic in nature and require a detailed understanding of privacy laws, standards and policies (Bijwe & Mead, 2010).
