Islamabad
Abstract—We perform a systematic mapping study in the field of security requirements engineering covering the time period of 2010-2015. Our aim is to find problems that the literature has addressed during the five year period. Our primary studies comprised 251 studies. We identified 15 clusters regarding problems faced in security requirements engineering and identified their solutions. Our future work includes conducting a Systematic Literature Review on security requirements engineering.

Index Terms—Systematic Mapping, Security Requirements Engineering, Literature Survey

I. INTRODUCTION

Considering security at the requirements level has recently gained momentum. There was a time when it was considered an afterthought, but the vulnerabilities associated with information systems made considering security at the requirements level an essential issue. Currently there exists synthesized evidence from the literature about security requirements engineering, and a framework has been developed by carrying out a systematic literature review [1]. The SLR comprises the evidence from the literature till 2009. In order to see what the momentum in security requirements engineering has brought to the surface in the last five years, there is a need to carry out a systematic review for the period of 2010 till the end of 2015. As a first step we carry out a systematic mapping study to identify evidence clusters and maps. We aim to answer some generic questions along with a specific question. Our research questions are:

RQ1: What type of studies have been researched in security requirements engineering?

RQ2: Which continent and country is leading in security requirements engineering research?

RQ3: What is the distribution of studies with respect to journals and conferences?

RQ4: What are the problems and their solutions that have been reported in the literature in the last five years?

II. MAPPING STUDY PROCESS

A. Scope, Search String and Selection Criteria

As a first step, we set the scope of our search strategy to those studies which consider security. The terms safety and security are ambiguous in that both of them talk about protection of the system under consideration. In order to find out whether the literature treats safety in similar terms to security, we searched the first 100 papers of the IEEE Xplore database with the search string “safety” AND “requirements engineering”. We found that security and safety, although to some extent similar, have been addressed differently in the literature. Different standards have been made for each. Each has a different lifecycle. The literature has come up with the view that both are interdependent on four fronts [2]. Safety and security are so different in the literature that they are considered conflicting in some parts. Things are moving in the direction of aligning both concepts, but presently safety and security are dealt with differently in the literature [3]. We found only one paper that addresses security but did not have the term “security” [4] with the above mentioned search string. Since problems can arise when it
comes to different lifecycles and artifacts and methodologies, we left out safety from our search terms.

B. Strategy for Deriving Search Terms and Search String

In order to finalize our search string, we first finalized our search terms. We searched the IEEE Xplore database with the keywords “threat” and “secure software development” to find out if there were any studies pertaining to security without explicitly using these words. We found only two articles [5] [6] in the former case and only one paper [7] in the latter case. Therefore we decided to leave these two terms out of our search strategy. The databases selected were IEEE Xplore and Scopus. Our final search string is as follows:

“Security” AND “Requirements Engineering” OR “Requirements Analysis” OR “Requirements Elicitation” OR “Requirements Modeling”

C. Inclusion and Exclusion Criteria

We selected those studies that were published in the time period of 2010-2015 and which considered building security in at the requirements level. On the other hand, we did not consider studies published prior to the year 2010 and also left out those which were not written in English.

D. Primary Studies

IEEE Xplore resulted in 293 studies while Scopus gave 496 results. We discarded the duplicates and irrelevant studies. The number of relevant studies found was 251, out of which 20 % were from IEEE Xplore, with 51 studies, as shown in Table I. The other 200 studies (80 %) were from the Scopus database.

TABLE I. TOTAL NUMBER OF RELEVANT/IRRELEVANT STUDIES

Database       Total Studies   Relevant Studies   Percentage of Relevant Studies
IEEE Xplore    293             51                 20%
Scopus         496             200                80%
Total          798             251                -

III. ANALYSIS AND CLASSIFICATION

We analyzed and classified the primary studies according to the generic data that has to be extracted for a mapping study. In order to show the trends and build systematic maps, we give answers to our generic research questions in this section.

RQ1: What type of studies have been researched in security requirements engineering?

RQ2: Which continent and country is leading in security requirements engineering research?

RQ3: What is the distribution of studies with respect to journals and conferences?

A. Study Type

In order to answer research question 1, we categorized the studies into empirical and non-empirical ones. It was found that in the last five years much of the emphasis has been on non-empirical studies, comprising 39 % examples, followed by 27 % solutions and 2 % reporting on tools developed for different security requirements initiatives (Fig. 1). Among empirical studies we found that 18 % were case studies and 6 % experimental studies, followed by evaluations with 4 % and surveys/interviews with 3 %, while 2 % of studies were experience reports.

B. Top Countries and Continents

To answer research question 2, we plotted a bubble chart on the world map as shown in Fig. 2. The top continent was Europe, with 138 studies conducted there. Asia was second with 61 studies, followed by America with 40 studies. Australia and Africa contributed 7 and 5 studies respectively. Among the European countries, Germany was at the top with 50 studies. The United States of America contributed to security requirements engineering with 29 studies (Fig. 3). It should be noted that, since a world map was used, we added the countries belonging to South America to the America continent bubble. Italy came third with 18 studies, followed by the United Kingdom with 16 studies. China, Norway and India and Japan contributed 14 and 12 studies respectively. Countries that contributed less than 3 but more than 12 studies were: Spain, France, Australia, Canada, South Korea, United Arab Emirates, Malaysia and the Netherlands. Countries such as Belgium, Estonia, Greece, Saudi Arabia, Morocco, Brazil, Finland, Hungary and Taiwan contributed 3 or 2 studies. The countries that had a single publication each were: Algeria, Argentina, Austria, Costa Rica, Czech Republic, Ireland, Nigeria, Pakistan and Kuwait (not shown in Fig. 3).

C. Conference/Journal Distribution
In order to answer the third research question, we differentiated between journal and conference papers (Fig. 4). We found that 48 studies had been published as journal articles, contributing 48 %. 198 studies were conference papers, contributing 79 %. We also found some studies that were compiled as chapters in lecture notes of conference proceedings. We classified them as book chapters, which contributed 5 % of the total studies. Among the journal papers, we found the Requirements Engineering (RE) journal at the top with 10 studies, followed by Information and Software Technology (IST) and the Journal of Systems and Software (JSS) with 4 studies each. The International Journal of Security and its Applications contributed 3 studies. The Journal of Universal Computer Science and Communications in Computer and Information Science contributed 2 studies (not shown in Fig. 5), while the other journals contributed one study each.

D. Year Wise Distribution

The year wise distribution of studies is shown in Fig. 6. Year 2014 was the top year, when 62 studies were carried out, followed by 2012 with 48 studies. The year wise distribution shows that the number of studies gradually increased between 2010 and 2012, with a little dip in 2013, and then peaked in 2014. However, in 2015 the number dropped significantly, with only 24 studies being reported in that year.

Fig. 2. Continent wise distribution of studies

Fig. 3. Conference/Journal (legend: Journal (79%), Conference (19%), Book Chapters (2%))