Asta Slotkienė, Jolanta Miliauskaitė, Rasa Karbauskaitė
Fuzzy-based security requirements quality assessing: Comparison of security experts and generative AI
Computer Standards & Interfaces, volume 97, Article 104137. Publication date: 2026-04-01 (Epub 2026/1/28). Journal Article.
DOI: 10.1016/j.csi.2026.104137
https://www.sciencedirect.com/science/article/pii/S0920548926000115
Citation count: 0
Abstract
Software systems that store and process large volumes of data are prime targets for increasingly sophisticated cyberattacks. Software engineers recognise that developing software completely free of defects or vulnerabilities is practically impossible, which makes security a critical quality characteristic of software products that must be addressed from the earliest stages of requirements engineering to avoid data loss, software failure, and ensure effective maintenance. Today, secure software engineering promotes proactive risk analysis, systematically identifying potential threats and integrating appropriate countermeasures into the requirements and development process. This paper presents an empirical investigation of security requirements engineering methodologies that integrate the experience of security experts and generative AI capabilities into the security requirements engineering (SRE) process. The empirical investigation results show that SRE based on Generative Artificial Intelligence (GenAI) capabilities still does not achieve the security expert's experience in specifying security requirements, while ensuring the quality of requirement specification based on security risks. We hope that our results will inspire researchers and practitioners to further explore the improvement of security requirements specifications using generative AI and fuzzy logic for SRE.
About the journal:
The quality of software, well-defined interfaces (hardware and software), the process of digitalisation, and accepted standards in these fields are essential for building and exploiting complex computing, communication, multimedia and measuring systems. Standards can simplify the design and construction of individual hardware and software components and help to ensure satisfactory interworking.
Computer Standards & Interfaces is an international journal dealing specifically with these topics.
The journal
• Provides information about activities and progress on the definition of computer standards, software quality, interfaces and methods, at national, European and international levels
• Publishes critical comments on standards and standards activities
• Disseminates users' experiences and case studies in the application and exploitation of established or emerging standards, interfaces and methods
• Offers a forum for discussion on actual projects, standards, interfaces and methods by recognised experts
• Stimulates relevant research by providing a specialised refereed medium.