Engineering secure software by modelling privacy and security requirements

Abstract

Requirements are individual statements, usually expressed in a form of natural language, specifying the behaviour and constraints of a proposed system. Due to the intrinsic value of correct requirements, it is therefore essential for the process to be implemented correctly and that the requirements themselves reflect the true needs of the proposed system. The majority of developed systems introduce the concerns of privacy and security, however, traditional requirements engineering techniques have not addressed these issues appropriately. Further, the concepts of privacy, security, and the interrelated concept of trust, have not been accurately defined in terms of requirements engineering. Natural language is shown to be the most prevalent form of knowledge used to represent requirements, however, natural language introduces a number of inherent problems which can lead to ambiguity and specifications open to interpretation. When reasoning with privacy and security concerns the resulting specification should be both clear and concise in the stipulation of requirements. Therefore, before attempting to model privacy and security at the requirements engineering level, it is essential to have an understanding and appreciation of the issues involved. Consideration is given to the various concerns that would effect methodology development and once assessed a possible approach to modelling privacy and security requirements is highlighted.