The Usage-Centric Security Requirements Engineering (USeR) Method

This paper presents an approach for extracting security requirements from early design specifications. An increasing part of the communication and sharing of information in our society utilizes electronic media. Many organizations, especially distributed and Net-centric, are entirely dependent on well functioning information systems. Thus, IT security is becoming central to the ability to fulfill business goals, build trustworthy systems, and protect assets. In order to develop systems with adequate security features, it is essential to capture the corresponding security needs and requirements. The main objective of this paper is to present and illustrate the use of a method for extracting security needs from textual descriptions of general requirements of information systems, and to transform these needs into security requirements and security techniques. The consequences of selected security techniques are described as design implications. The method utilizes quality tools, such as voice of the customer table and affinity and hierarchy diagrams. To illustrate the method, known as the usage-centric security requirements engineering (USeR) method, it is demonstrated in a case study. The USeR method enables the identification of security needs from statements about information systems, and the transformation of those needs into security techniques. Although the method needs to be used with complementary approaches, e.g. misuse cases to detect security requirements originating from the functional requirements, it provides a coherent approach and holistic view that even in the early stages can guide the system evolution to achieve information systems more resistant to security threats