A Requirements Engineering-based Approach for evaluating Security Requirements Engineering Methodologies

Abstract

The significance of security requirements in building safety and security critical systems is widely acknowledged. However, given the multitude of security requirements engineering methodologies that exists today, selecting the best suitable methodology remains challenging. In a previous work, we proposed a generic evaluation methodology to elicit and evaluate the anticipated characteristics of a security requirements engineering methodology with regards to the stakeholders' working context. In this article, we provide the empirical evaluation of three security requirements engineering methodologies KAOS, STS and SEPP with respect to the evaluation criteria elicited for network SRE context. The study show that none of them provide good support to derive network security requirements.