Security Requirements Analysis Using Knowledge in CAPEC
Haruhiko Kaiya, Sho Kono, Shinpei Ogata, Takao Okubo, Nobukazu Yosioka,
Hironori Washizaki, and Kenji Kaijiri.
In Advanced Information Systems Engineering Workshops, Vol. 178
of Lecture Notes in Business Information Processing (LNBIP),
Thessaloniki, Greece, June 16-20, 2014. Springer.
ISBN 978-3-319-07868-7.
Because not all requirements analysts are security experts, supplying
security knowledge to them automatically is an effective way to support
security requirements elicitation. We propose a method for eliciting security
requirements on the basis of the Common Attack Pattern Enumeration and
Classification (CAPEC). With our method, a requirements analyst can
automatically obtain candidate attacks against a functional requirement.
Because CAPEC descriptions are written mainly in technical terms while
requirements descriptions use everyday phrases, there is a gap between the
two vocabularies. To bridge this gap, our method includes a mapping between
technical terms and noun phrases, which we call term maps.
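The following Python is an added illustration of the term-map idea, not the authors' implementation (the abstract gives no code). It assumes a tiny catalogue in which each attack pattern is summarised by the technical terms it requires, a term map from those terms to noun phrases that appear in plain-language requirements, and a matcher that returns candidate attacks for a requirement sentence. The CAPEC IDs and names are real, but the required-term summaries, the term map, and the requirement sentences are constructed for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackPattern:
    capec_id: str
    name: str
    # Technical terms that must be present for the attack to apply.
    # Constructed summaries of each pattern's prerequisites, not CAPEC's wording.
    required_terms: frozenset


# Constructed mini-catalogue (IDs and names follow CAPEC; term sets are ours).
CATALOGUE = (
    AttackPattern("CAPEC-66", "SQL Injection",
                  frozenset({"user input", "sql database"})),
    AttackPattern("CAPEC-63", "Cross-Site Scripting (XSS)",
                  frozenset({"user input", "html output"})),
    AttackPattern("CAPEC-49", "Password Brute Forcing",
                  frozenset({"authentication credential"})),
)

# Constructed term map: CAPEC-style technical term -> noun phrases an analyst
# would actually write in a functional requirement.
TERM_MAP = {
    "user input": {"search box", "comment", "form", "query"},
    "sql database": {"customer record", "order history", "database"},
    "html output": {"profile page", "page", "comment"},
    "authentication credential": {"password", "login"},
}


def noun_phrases(requirement, max_words=2):
    """Crude phrase extraction: lower-cased 1- and 2-word windows.

    A real pipeline would use a POS tagger; word n-grams are enough to show
    how the term map bridges vocabularies.
    """
    words = re.findall(r"[a-z0-9]+", requirement.lower())
    phrases = set()
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            phrases.add(" ".join(words[i:i + n]))
    return phrases


def matched_terms(requirement, term_map=TERM_MAP):
    """Return {technical term: phrases in the requirement that mapped to it}."""
    phrases = noun_phrases(requirement)
    hits = {}
    for term, aliases in term_map.items():
        found = phrases & aliases
        if found:
            hits[term] = found
    return hits


def candidate_attacks(requirement, catalogue=CATALOGUE, term_map=TERM_MAP):
    """Rank attack patterns by the fraction of their required terms the
    requirement covers. Returns [(pattern, coverage, covered_terms), ...]
    sorted best-first; patterns with no covered term are omitted."""
    hits = matched_terms(requirement, term_map)
    results = []
    for pattern in catalogue:
        covered = pattern.required_terms & set(hits)
        if not covered:
            continue
        coverage = len(covered) / len(pattern.required_terms)
        results.append((pattern, coverage, sorted(covered)))
    results.sort(key=lambda r: (-r[1], r[0].capec_id))
    return results


def without_term_map(requirement, catalogue=CATALOGUE):
    """Baseline: match the technical terms literally, no term map.
    Shows the vocabulary gap the paper describes."""
    identity_map = {term: {term} for term in TERM_MAP}
    return candidate_attacks(requirement, catalogue, identity_map)


if __name__ == "__main__":
    req = ("The system shall let a customer enter a query in the search box "
           "and show the matching order history.")
    for pattern, coverage, covered in candidate_attacks(req):
        print(f"{pattern.capec_id} {pattern.name}: {coverage:.2f} via {covered}")
    print("literal matching finds:", without_term_map(req))
```

Running the block on the search requirement lists SQL Injection first (both of its required terms are covered) and XSS second (only "user input" is covered), while literal matching of the technical terms finds nothing, which is the gap the term map is meant to close. The coverage score is a ranking heuristic for the analyst to review, not a verdict that an attack applies.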