Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec


Building secure systems is difficult for many reasons. This paper deals with two of the main challenges: (i) the lack of security expertise in development teams and (ii) the inadequacy of existing methodologies to support developers who are not security experts. The security standard ISO 14508 Common Criteria (CC) together with secure design techniques such as UMLsec can provide the security expertise, knowledge, and guidelines that are needed. However, security expertise and guidelines are not stated explicitly in the CC. They are rather phrased in security domain terminology and difficult to understand for developers. This means that some general security and secure design expertise are required to fully take advantage of the CC and UMLsec. In addition, there is the problem of tracing security requirements and objectives into solution design, which is needed for proof of requirements fulfilment. This paper describes a security requirements engineering methodology called SecReq. SecReq combines three techniques: the CC, the heuristic requirements editor HeRA, and UMLsec. SecReq makes systematic use of the security engineering knowledge contained in the CC and UMLsec, as well as security-related heuristics in the HeRA tool. The integrated SecReq method supports early detection of security-related issues (HeRA), their systematic refinement guided by the CC, and the ability to trace security requirements into UML design models. A feedback loop helps reusing experience within SecReq and turns the approach into an iterative process for the secure system life-cycle, also in the presence of system evolution.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15


  1. 1.

    ATIS is a United States based body committed to rapidly developing and promoting technical and operations standards for the communications and related information technologies industry worldwide using a pragmatic, flexible, and open approach.

  2. 2.

    ITU is the leading United Nation’s agency for information and communication technologies. As the global focal point for governments and the private sector, ITU’s role in helping the world communicate spans three core sectors: radio communication, standardisation, and development. ITU also organises TELECOM events and was the lead organizing agency of the World Summit on the Information Society.

  3. 3.

    OMA is the leading industry forum for developing market driven, interoperable mobile service enablers. OMA focuses on service enabler architectures and open enabler interfaces that are independent of the underlying wireless networks and platforms.


  1. 1.

    Davis AM (2005) Just enough requirements management: where software development meets marketing. Dorset House Publishing, New York

    Google Scholar 

  2. 2.

    Polanyi M (1966) The tacit dimension. Doubleday, Garden City

    Google Scholar 

  3. 3.

    Lindstaedt SN, Schneider K (1997) Bridging the gap between face-to-face communication and long-term collaboration. In: Proceedings of the international ACM SIGGROUP conference on supporting group work. Phoenix, USA, Nov ACM

  4. 4.

    Damian D, Izquierdo L, Singer J, Kwan I (2007) Awareness in the wild: why communication breakdowns occur. In: Proceedings of second international conference on global software engineering. Munich, Germany, pp 81–90

  5. 5.

    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, CCMB-2007-09-001, CCMB-2007-09-002 and CCMB-2007-09-003, September 2007

  6. 6.

    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2: part 1; General Model, CCMB-2007-09-001, September 2007

  7. 7.

    Knauss E, Lübke D, Meyer S (2009) Feedback-driven requirements engineering: the HeRA. In: International conference on software engineering (ICSE’09), formal research demonstrations track. Vancouver, Canada

  8. 8.

    Department of Defense (1985) DoD 5200.28-STD: trusted computer system evaluation criteria. (August 15)

  9. 9.

    Government of Canada (1993) The Canadian trusted computer product evaluation criteria (January)

  10. 10.

    Department of Trade and Industry (2003) The national technical authority for information assurance (June 2003). http://www.itsec.gov.uk/

  11. 11.

    Common Methodology for Information Technology Security Evaluation, Evaluation methodology, Version 3.2, Revision 2, CCMB-2009-09-004, September 2007

  12. 12.

    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2: part 2; security functional components, CCMB-2007-09-002, September 2007

  13. 13.

    ISO 15408:2007 Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2: part 3; security assurance components, CCMB-2007-09-003, September 2007

  14. 14.

    ISO 15408:2007 (2007) Common Criteria for information technology security evaluation: evaluation methodology, version 3.1, revision 2, CCMB-2007-09-004 (September)

  15. 15.

    Berzins V, Martell LC, Adams P (2007) Innovations in natural language document processing for requirements engineering. In: Paech B, Martell C (eds) Innovations for requirement analysis. From stakeholders’ needs to formal designs: 14th monterey workshop 2007. Lecture notes in computer science. Springer, Berlin, pp 125–146

  16. 16.

    Knauss E, Schneider K, Stapel K (2009) Learning to write better requirements through heuristic critiques. In: Proceedings of 17th IEEE requirementes engineering conference (RE 2009). Atlanta, USA

  17. 17.

    Fischer G (1994) Domain-oriented design environments. Automat Softw Eng 1:177–203

    Article  Google Scholar 

  18. 18.

    Schön DA (1983) The reflective practitioner: how professionals think in action. Basic Books, New York

    Google Scholar 

  19. 19.

    Fischer G (1998) Seeding, evolutionary growth and reseeding: constructing, capturing and evolving knowledge in domain-oriented design environments. Automat Softw Eng 5:447–464

    Article  Google Scholar 

  20. 20.

    Knauss E, Flohr T (2007) Managing requirement engineering processes by adapted quality gateways and critique-based RE-tools. In: Proceedings of workshop on measuring requirements for project and product success. Palma de Mallorca, Spain (November, in conjunction with the IWSM-Mensura Conference)

  21. 21.

    Cockburn A (2000) Writing effective use cases. Addison-Wesley Professional, London

    Google Scholar 

  22. 22.

    Schneider K, Stapel K, Knauss E (2008) Beyond documents: visualizing informal communication. In: Proceedings of third international workshop on requirements engineering visualization (REV 08). Barcelona, Spain

  23. 23.

    Jürjens J (2005) Secure systems development with UML. Springer, Heidelberg

    Google Scholar 

  24. 24.

    Jürjens J (2000) Secure information flow for concurrent processes. In: Palamidessi C (ed) CONCUR 2000 (11th international conference on concurrency theory), vol 1877 of lecture notes in computer science. Springer, pp 395–409

  25. 25.

    Jürjens J (2002) Formal semantics for interacting UML subsystems. In: Jacobs B, Rensink A (eds) 5th International conference on formal methods for open object-based distributed systems (FMOODS 2002). International federation for information processing (IFIP). Kluwer, pp 29–44

  26. 26.

    Deubler M, Grünbauer J, Jürjens J, Wimmel G (2004) Sound development of secure service-based systems. In: Marco A, Aoyama M, Curbera F, Papazoglou MP (eds) Proceedings of the 2nd international conference on service oriented computing(ICSOC). ACM, pp 115–124

  27. 27.

    Chung L (1993) Dealing with security requirements during the development of information systems. In: 5th International conference on advanced information systems engineering (CAiSE 1993). Springer, pp 234–251

  28. 28.

    Jürjens J (2002) Using UMLsec and goal-trees for secure systems development. In: Lamont GB, Haddad H, Papadopoulos G, Panda B (eds) Proceedings of the 2002 symposium of applied computing (SAC). ACM Press, pp 1026–1031

  29. 29.

    Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Requir Eng J 10(1):34–44

    Article  Google Scholar 

  30. 30.

    McDermott JP, Fox C (1999) Using abuse case models for security requirements analysis. In: Proceedings of the 15th annual computer security applications conference. IEEE Computer Society, p 55

  31. 31.

    Mouratidis H, Giorgini P, Manson GA (2005) Integrating security and systems engineering: towards the modelling of secure information systems. In: Eder J, Missikoff M (eds) 15th International conference on advanced information systems engineering (CAiSE 2003), vol 2681 of lecture notes in computer science. Springer, pp 63–78

  32. 32.

    Massacci F, Mylopoulos J, Zannone N (2007) Computer-aided support for secure tropos. Automat Softw Eng 14(3):341–364

    Article  Google Scholar 

  33. 33.

    Mouratidis H, Jürjens J, Fox J (2006) Towards a comprehensive framework for secure systems development. In: Dubois E, Pohl K (eds) CAiSE, vol 4001 of lecture notes in computer science. Springer, Luxembourg, pp 48–62

    Google Scholar 

  34. 34.

    Mannion M, Keepence B (1995) SMART requirements. ACM SIGSOFT: SE Notes 20(2):42–47

    Article  Google Scholar 

  35. 35.

    ETSI TISPAN (2008) ETSI TS 182 027 V.2.0.0: IPTV Architecture; IPTV functions supported by the IMS subsystem. Standard, February

  36. 36.

    ETSI TISPAN (2008) ETSI TS 182 028 V.2.0.0: IPTV architecture; dedicated subsystem for IPTV functions. Standard, January

  37. 37.

    UMLsec tool, 2001-08. http://www.umlsec.de

  38. 38.

    TISPAN, ETSI (2006) Telecommunications and internet converged services and protocols for advanced networking (TISPAN): methods and protocols; part 1: method and proforma for threat, risk, vulnerability analysis. Technical report ETSI TS 102 165-1 V4.2.1, European Telecommunications Standards Institute

  39. 39.

    Rossebø JE, Cadzow S, Sijben P (2007) eTVRA, a threat, vulnerability and risk assessment method and tool for eEurope. In: ARES ’07: proceedings of the the second international conference on availability, reliability and security. IEEE Computer Society, pp 925–933

  40. 40.

    Winkler S (2007) Information flow between requirement artifacts. In: Proceedings of REFSQ 2007 international working conference on requirements engineering: foundation for software quality, vol 4542 of lecture notes in computer science. Trondheim, Norway. Springer, Berlin, pp 232–246

  41. 41.

    Damian D, Marczak S, Kwan I (2007) Collaboration patterns and the impact of distance on awareness in requirements-centred social networks. In: Proceedings of 15th IEEE international requirements engineering conference (RE 2007). New Delhi

  42. 42.

    Stapel K, Schneider K, Lübke D, Flohr T (2007) Improving an industrial reference process by information flow analysis: a case study. In: Proceedings of PROFES 2007, vol 4589 of LNCS. Riga, Latvia. Springer, Berlin, pp 147–159

  43. 43.

    Allmann C, Winkler L, Kölzow T (2006) The requirements engineering gap in the OEM-supplier relationship. J Univers Knowl Manage 1(2):103–111

    Google Scholar 

  44. 44.

    Stapel K, Knauss E, Allmann C (2008) Lightweight process documentation: just enough structure in automotive pre-development. In: O’Connor Rory V, Baddoo N, Smolander K, Messnarz R (eds) Proceedings of the 15th European conference, EuroSPI, communications in computer and information science. Dublin, Ireland, 9. Springer, pp 142–151

  45. 45.

    Schneider K (2007) Generating fast feedback in requirements elicitation. In: Requirements engineering: foundation for software quality (REFSQ 2007)

  46. 46.

    Fabbrini F, Fusani M, Gnesi S, Lami G (2001) The linguistic approach to the natural language requirements quality: benefit of the use of an automatic tool. In: SEW ’01: proceedings of the 26th annual NASA goddard software engineering workshop. IEEE Computer Society, Washington, DC, p 97

  47. 47.

    Wilson WM, Rosenberg LH, Hyatt LE (1996) Automated quality analysis of natural language requirement specifications. In Proceedings of PNSQC conference

  48. 48.

    Melchisedech R (2000) Verwaltung und Prüfung natürlichsprachlicher Spezifikationen. PhD thesis, Fakultät Informatik, Universität Stuttgart, Stuttgart

  49. 49.

    Fabbrini F, Fusani M, Gnesi S, Lami G (2001) An automatic quality evaluation for natural language requirements. In: Proceedings of the seventh international workshop on RE: foundation for software quality (REFSQ 2001). Interlaken, Switzerland

  50. 50.

    Breaux TD, Antón AI (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20

    Article  Google Scholar 

  51. 51.

    Schumacher M, Buglioni EF, Hybertson D, Buschmann F, Sommerlad P (2006) Security patterns: integrating security and systems engineering. Wiley, London

    Google Scholar 

  52. 52.

    Toval A, Nicolás J, Morosa B, García F (2002) Requirements reuse for improving information systems security: a practitioner’s approach. Requir Eng J 6:205–219

    MATH  Article  Google Scholar 

  53. 53.

    Crook R, Ince DC, Lin L, Nuseibeh B (2002) Security requirements engineering: when anti-requirements hit the fan. In: Proceedings of the 10th anniversary IEEE joint international conference on requirements engineering. IEEE Computer Society, pp 203–205

  54. 54.

    Haley CB, Laney RC, Moffett JD, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng 34(1):133–153

    Article  Google Scholar 

  55. 55.

    Giorgini P, Massacci F, Mylopoulos J (2003) Requirement engineering meets security: a case study on modelling secure electronic transactions by VISA and Mastercard. In: Song I-Y, Liddle SW, Ling TW, Scheuermann P (eds) 22nd International conference on conceptual modeling (ER 2003), vol 2813 of lecture notes in computer science. Springer, pp 263–276

  56. 56.

    Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005) Modeling security requirements through ownership, permission and delegation. In: Proceedings of the 13th IEEE international conference on requirements engineering. IEEE Computer Society, pp 167–176

  57. 57.

    Mellado D, Medinav, Piattini M (2007) A common criteria based security requirements engineering process for the development of secure information system. Comput Stand Interfaces 29:244–253

    Article  Google Scholar 

  58. 58.

    Mead NR, Steheny T (2005) Security quality requirements engineering (square) methodology. SIGSOFT Softw Eng Notes 30(4):1–7

    Article  Google Scholar 

  59. 59.

    ISO/IEC 27001:2005 (2005) Specification for information security management (October)

  60. 60.

    Islam S, Dong W (2008) Security requirements addressing security risks for improving software quality. In: Workshop-band software-Qualitätsmodellierung und—bewertung (SQMB ’08), Technical report TUM-I0811, Technische Universität München, Munich, Germany

  61. 61.

    Islam S, Dong W (2008) Human factors in software security risk management. In: LMSA ’08: proceedings of the first international workshop on leadership and management in software architecture. ACM, New York, pp 13–16

  62. 62.

    Whittle J, Wijesekera D, Hartong M (2008) Executable misuse cases for modeling security concerns. In: ICSE ’08: proceedings of the 30th international conference on Software engineering. ACM, New York, pp 121–130

  63. 63.

    Yskout K, Scandariato R, Win BD, Joosen W (2008) Transforming security requirements into architecture. In: International conference on availability, reliability and security. pp 1421–1428

  64. 64.

    Arenas A, Aziz B, Bicarregui J, Matthews B, Yang EY (2008) Modelling security properties in a grid-based operating system with anti-goals. In: Proceedings of the 2008 third international conference on availability, reliability and security (ARES). pp 1429–1436

  65. 65.

    Elahi G, Yu E (2007) A goal oriented approach for modeling and analyzing security trade-offs. In: ER 2007, vol 4801 of lecture notes in computer science. Springer, pp 375–390

  66. 66.

    Flechais I, Mascolo C, Sasse MA (2007) Integrating security and usability into the requirements and design process. Int J Electron Secur Digit Forensics 1(1):12–26

    Article  Google Scholar 

  67. 67.

    Baldwin A, Beres Y, Shiu S, Kearney P (2006) A model based approach to trust, security and assurance. BT Technol J 24(4):53–68

    Article  Google Scholar 

  68. 68.

    Kearney P, Brügger L (2007) A risk-driven security analysis method and modelling language. BT Technol J 25(1) January

  69. 69.

    Ray I, France RB, Li Na, Georg G (2004) An aspect-based approach to modeling access control concerns. Inf Softw Technol 46(9):575–587

    Article  Google Scholar 

  70. 70.

    Houmb SH, Georg G, France RB, Bieman JM, Jürjens J (2005) Cost-benefit trade-off analysis using BBN for aspect-oriented risk-driven development. In: Proceedings of the 10th IEEE international conference on engineering of complex computer systems. IEEE Computer Society, pp 195–204

  71. 71.

    Basin DA, Doser J, Lodderstedt T (2006) Model driven security: from UML models to access control infrastructures. ACM Trans Softw Eng Methodol 15(1):39–91

    Article  Google Scholar 

  72. 72.

    Brucker AD, Doser J, Wolff B (2006) A model transformation semantics and analysis methodology for SecureUML. In: MoDELS 2006, vol 4199 of lecture notes in computer science. Springer, pp 306–320

  73. 73.

    Alam M, Hafner M, Memon M, Hung P (2007) Modeling and enforcing advanced access control policies in healthcare systems with SECTET. In: Sztipanovits J, Breu R, Ammenwerth E, Bajcsy R, Mitchell JC, Pretschner A (eds) Workshop on model-based trustworthy health information systems (MOTHIS@Models)

  74. 74.

    Alam M, Hafner M, Breu R (2007) Model-driven security engineering for trust management in SECTET. J Softw 2(1):47–59

    Google Scholar 

  75. 75.

    Breu R, Burger K, Hafner M, Jürjens J, Popp G, Wimmel G, Lotz V (2003) Key issues of a formally based process model for security engineering. In: 16th International conference “Software & Systems Engineering & their Applications” (ICSSEA 2003)

  76. 76.

    Jürjens J, Shabalin P (2007) Tools for secure systems development with UML. Int J Softw Tools Technol Transf 9(5–6):527–544 (October 2007. Invited submission to the special issue for FASE 2004/05)

    Google Scholar 

  77. 77.

    Best B, Jürjens J, Nuseibeh B (2007) Model-based security engineering of distributed information systems using UMLsec. In: 29th International conference on software engineering (ICSE 2007). ACM, pp 581–590

  78. 78.

    Jürjens J, Rumm R (2008) Model-based security analysis of the german health card architecture. Methods Inf Med 47(5):409–416 (special section on model-based development of trustworthy health information systems)

  79. 79.

    Jürjens J, Schreck J, Bartmann P (2008) Model-based security analysis for mobile communications. In: 30th International conference on software engineering (ICSE 2008). ACM

  80. 80.

    Yu Y, Jürjens J, Mylopoulos J (2008) Traceability for the maintenance of secure software. In: 24th International conference on software maintenance (ICSM). IEEE Computer Society

Download references


This work was partly supported by the Royal Society Industrial Fellowship on Automated Verification of Security-Critical Software (VeriSec), the Royal Society Joint International Project on Model-based Formal Security Analysis of Crypto-Protocol Implementations, the EU FP7 Integrated Project Security Engineering for Lifelong Evolvable Systems, the German Research foundation(DFG project InfoFLOW, 2008–2011), and the EU project SecureChange (ICT-FET-231101).

Author information



Corresponding authors

Correspondence to Shareeful Islam or Eric Knauss.

Rights and permissions

Reprints and Permissions

About this article

Cite this article

Houmb, S.H., Islam, S., Knauss, E. et al. Eliciting security requirements and tracing them to design: an integration of Common Criteria, heuristics, and UMLsec. Requirements Eng 15, 63–93 (2010). https://doi.org/10.1007/s00766-009-0093-9

Download citation


  • Security requirement elicitation
  • Common Criteria (CC)
  • UMLsec
  • Heuristics
  • Secure design