Explore open access research and scholarly works from STORE - University of Staffordshire Online Repository


The Development and Evaluation of A Deployable Ontology-Based Methodology for Security Requirements Engineering

Al-Mejbas, Rabie Hasan (2024) The Development and Evaluation of A Deployable Ontology-Based Methodology for Security Requirements Engineering. Doctoral thesis, Staffordshire University.

Text (A thesis submitted in partial fulfilment of the requirement of Staffordshire University for the degree of Doctor of Philosophy)
PhD Thesis- Rabie Al-Mejbas-20013158- Final-V2.2.pdf - Submitted Version
Restricted to Repository staff only until 7 April 2026.
Available under License Type All Rights Reserved (Under Embargo).

Text (EThOS Agreement)
EThOS-Deposit-Agreement- Rabie Al-Mejbas.doc - Other
Restricted to Repository staff only
Available under License Type All Rights Reserved (Under Embargo).

Text (Application for Confidentiality)
GSC-09 Application for Confidentiality of Thesis- Rabie Al-Mejbas.doc - Other
Restricted to Repository staff only
Available under License Type All Rights Reserved.


Abstract or description

Security is becoming a priority for organisations. As attacks on their software systems continue to increase, organisations spend heavily on software security and experience continuous disruption to business operations. Current approaches to security requirements engineering (SRE) have limited success because most of them require the development team to answer security-related questions. These approaches assume that developers have the required security knowledge or can obtain it from public security databases. In reality, developers do not have the security knowledge, and the public security knowledge sources do not map directly to SRE activities. In addition, SRE approaches have inconsistent and sometimes overlapping conceptual views of the problem and solution. Risk, security management, software design and implementation, and requirements engineering are the most common perspectives. Consequently, SRE approaches are transparently different yet address the same problem. Applying these approaches to a particular software system will likely produce different security requirements.

This thesis proposes an ontology-based SRE methodology (SREM). The thesis presents four distinct contributions to the SRE domain, which together form the SREM. The first contribution is an SRE conceptual framework (SRECF) derived from an extensive literature review and analysis. The second contribution is an SRE knowledge base system ontology (SREKBS), which equips software development teams with answers to security questions related to threats, vulnerabilities, countermeasures, security properties, and reusable security requirements. The third contribution is a systematic process (SREKBSSP) based on the SREKBS ontology, designed to guide requirements engineering activities such as elicitation, analysis, specification, and validation of security requirements. This process is highly integrated with, and dependent on, the SREKBS ontology. The fourth contribution is an SRE tool (SRET), which streamlines the retrieval of security knowledge and the execution of the SREM. The SREM is evaluated in an industrial setting, with the first evaluation being a controlled experiment of the SREKBS ontology by software and security experts. The second evaluation is an industrial case study that applies the SREM to derive security requirements for a software system. The evaluation results show the excellent success of the SREM in deriving security requirements at the early stages of software development. The SREM, as an outcome of this research, is a promising solution to SRE problems. Consequently, the purpose of this research is believed to be achieved to a great degree.

Item Type: Thesis (Doctoral)
Faculty: PhD
Depositing User: Library STORE team
Date Deposited: 17 Apr 2025 15:41
Last Modified: 17 Apr 2025 15:41
URI: https://eprints.staffs.ac.uk/id/eprint/8886
