Author: Shamal Faily

Lecturer in Systems Security Engineering at Bournemouth University. My research interests revolve around the synthesis of design techniques and tools towards the engineering systems that both usable and secure.

Rethinking Security & Privacy Requirements Engineering

Most people agree that security and privacy needs to be addressed as early as possible when specifying a system. Yet, security is never the main motivation when building any system, especially when engaging in innovation; many teams remove or deprioritise security requirements when projects rush to meet deadlines, without understanding the impact this might have. Similarly, many people fail to appreciate how privacy expectations are shaped by contextual information flows and norms, treating privacy merely as a private-public dichotomy. As the public outcry over the Snowden leaks has demonstrated, misjudging privacy implications influences not only a system under construction, but the wider world within which it is situated.

When security and privacy is addressed, we discover how hard specifying security and privacy really is. We lack clarity about what it means to secure systems, tests for proving a system is secure, and a grasp of all possible solutions for satisfying a specified security problem. Without the ability to clearly specify security functionality or expectations, we are unable to make claims about a system’s security. The Requirements Engineering (RE) community is starting to make traction in addressing these problems, but the remit of security and privacy requirements is widening. As well as specifying software systems, requirements are now helping shape security education and training, privacy audits, and certification; this means that the distinction between requirements and related security and privacy concepts is becoming blurred.

To think about these problems, we decided to organise the Evolving Security and Privacy Requirements Engineering (ESPRE) Workshop.  The workshop brings together practitioners and researchers interested in security and privacy requirements, and will run as a one-day workshop during RE14  The workshop format will consist of an invited talk, paper presentations and discussions, and a facilitated roadmap building session.

Although the first workshop of its kind, ESPRE builds on the success of recent workshops in security requirements engineering and secure software engineering, in particular the Security and Privacy Requirements Engineering (SPREE) Workshop in 2011, the International Workshop for Software Engineering for Secure Systems (SESS) series, and the Requirements for High Assurance Systems (RHAS) workshop series. Our workshop organisation committee draws from the expertise associated with these workshops.