Stakeholder Alignment/Capability Based Security Engineering: Capability Engineering vs “Problemeering” and “Solutioneering” – Prioritizing Stakeholder Needs Over Requirements

Abstract

ABSTRACTWhen building systems, it is tempting to start with the stakeholder requirements and jump straight into implementing a preconceived solution and then mapping it to the requirements as best one can. This is “solutioneering.” To avoid this, systems engineers build models of the requirements, elaborating them into use cases, activity diagrams, IBDs, and other more concrete modeling steps. However, part of a system engineer's job is to validate these requirements against the stakeholder needs, capabilities, and goals to ensure you build the right system. This assumes that the stakeholder knows and understands their needs and problems, which we have dubbed “Problemeering.” The systems engineer can never take the requirements at face value, assume that they are correct and have captured the stakeholder needs and can solve their problems. This is true across many cross‐cutting aspects and domains, requiring a Subject Matter Expert (SME). This is especially true regarding security issues where is it unlikely that stakeholders are aware of the current threat landscape and risks and can fully elaborate them. This will require the knowledge and experience of a cyber‐security SME who can adequately analyze the system vulnerabilities from the right perspective. In this article, we will detail how Capability‐Based security engineering ensures the articulation of the true needs of the stakeholder so that the engineers ultimately implement the needs in the delivered system.