Abstract
Recently published reports on cybercrime indicate an ever-increasing number of security incidents related to IT systems. Many attacks causing the incidents abuse (in)directly one or more security defects. Fixing the security defect once fielded is costly. To avoid the defects and the subsequent need to fix them, security has to be considered thoroughly when developing software. The earliest phase to do so is the requirements engineering, in which security threats should be identified early on and treated by defining sufficient security requirements. In a previous paper [1], we introduced a methodology for Problem-based Security Requirements Elicitation (PresSuRE). PresSuRE provides a computer-aided security threat identification. The identification is based on the functional requirements for a system-to-be. Still, there is a need for guidance on how to derive security requirements once the threats are identified. In this work, we provide such guidance extending PresSuRE and its tool support. We illustrate and validate our approach using a smart grid scenario provided by the industrial partners of the EU project NESSoS.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
