Enhancing security requirements specification with SECRET-SCORE: A template-driven and ontology-based approach

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-07-30 DOI:10.1016/j.cose.2025.104605

Hiba Hnaini , Raúl Mazo , Paola Vallejo , Andrés López , Joël Champeau

{"title":"Enhancing security requirements specification with SECRET-SCORE: A template-driven and ontology-based approach","authors":"Hiba Hnaini , Raúl Mazo , Paola Vallejo , Andrés López , Joël Champeau","doi":"10.1016/j.cose.2025.104605","DOIUrl":null,"url":null,"abstract":"<div><div>In our rapidly changing world, where technology is integral to every aspect of our lives, ensuring our systems’ security is paramount. As industries become increasingly interconnected, the risk of security vulnerabilities and targeted attacks increases. Establishing robust security requirements is crucial to safeguard sensitive information and protect against malicious threats. To simplify and improve the quality of these requirements, researchers have proposed templates or boilerplates that can guide requirements engineers when defining requirements. However, this approach can help define the requirement structure without suggesting what security requirements to define to have a well-secured system. This paper proposes a guided strategy that combines (i) SECRET (SECurity REquirements specification Template) for a guided specification of each requirement and (ii) SCORE (Security Criteria Ontology for security Requirements Engineering) to suggest additional security requirements. We implemented the SECRET-SCORE approach using an autocomplete service that connects the SECRET template to the SCORE ontology. We then used the service to create a new language for security requirements in the VariaMos online tool. Finally, to test the usability of the implemented language, we conducted a usability test that reported high results in usability and user satisfaction with the developed tool.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104605"},"PeriodicalIF":5.4000,"publicationDate":"2025-07-30","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825002949","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

In our rapidly changing world, where technology is integral to every aspect of our lives, ensuring our systems’ security is paramount. As industries become increasingly interconnected, the risk of security vulnerabilities and targeted attacks increases. Establishing robust security requirements is crucial to safeguard sensitive information and protect against malicious threats. To simplify and improve the quality of these requirements, researchers have proposed templates or boilerplates that can guide requirements engineers when defining requirements. However, this approach can help define the requirement structure without suggesting what security requirements to define to have a well-secured system. This paper proposes a guided strategy that combines (i) SECRET (SECurity REquirements specification Template) for a guided specification of each requirement and (ii) SCORE (Security Criteria Ontology for security Requirements Engineering) to suggest additional security requirements. We implemented the SECRET-SCORE approach using an autocomplete service that connects the SECRET template to the SCORE ontology. We then used the service to create a new language for security requirements in the VariaMos online tool. Finally, to test the usability of the implemented language, we conducted a usability test that reported high results in usability and user satisfaction with the developed tool.

查看原文本刊更多论文

使用SECRET-SCORE增强安全需求规范：一种模板驱动和基于本体的方法

在我们这个瞬息万变的世界里，技术与我们生活的方方面面密不可分，确保系统的安全至关重要。随着行业之间的联系日益紧密，安全漏洞和针对性攻击的风险也在增加。建立健壮的安全需求对于保护敏感信息和防范恶意威胁至关重要。为了简化和提高这些需求的质量，研究人员提出了模板或样板，可以在定义需求时指导需求工程师。然而，这种方法可以帮助定义需求结构，而不建议定义什么安全需求来拥有一个良好的安全系统。本文提出了一种指导策略，该策略结合了(i) SECRET（安全需求规范模板）和SCORE（安全需求工程的安全标准本体论）来建议额外的安全需求。SECRET（安全需求规范模板）用于每个需求的指导规范。我们使用自动完成服务来实现SECRET-SCORE方法，该服务将SECRET模板连接到SCORE本体。然后，我们使用该服务在VariaMos在线工具中为安全需求创建一种新语言。最后，为了测试实现语言的可用性，我们进行了可用性测试，报告了开发工具在可用性和用户满意度方面的高结果。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.