{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,7]],"date-time":"2026-03-07T18:56:28Z","timestamp":1772909788476,"version":"3.50.1"},"reference-count":75,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2017,12,30]],"date-time":"2017-12-30T00:00:00Z","timestamp":1514592000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2017,12,30]],"date-time":"2017-12-30T00:00:00Z","timestamp":1514592000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100000181","name":"Air Force Office of Scientific Research","doi-asserted-by":"publisher","award":["FA-9550-09-1-0409"],"award-info":[{"award-number":["FA-9550-09-1-0409"]}],"id":[{"id":"10.13039\/100000181","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Requirements Eng"],"published-print":{"date-parts":[[2019,9]]},"DOI":"10.1007\/s00766-017-0287-5","type":"journal-article","created":{"date-parts":[[2017,12,30]],"date-time":"2017-12-30T13:28:41Z","timestamp":1514640521000},"page":"365-402","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":18,"title":["Semantic hierarchies for extracting, modeling, and connecting compliance requirements in information security control standards"],"prefix":"10.1007","volume":"24","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8433-2744","authenticated-orcid":false,"given":"Matthew L.","family":"Hale","sequence":"first","affiliation":[]},{"given":"Rose F.","family":"Gamble","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2017,12,30]]},"reference":[{"key":"287_CR1","unstructured":"DoD (2007) Instruction 8510.01: 
department of defense information assurance certification and accreditation process (DIACAP)"},{"key":"287_CR2","unstructured":"NIST (2013) Special publication 800-53 recommended security controls for federal information systems rev. 4., \n                              http:\/\/csrc.nist.gov\/publications\/nistpubs\/800-53-Rev3\/sp800-53-rev3-final.pdf\n                              \n                           . Accessed Oct 2015"},{"key":"287_CR3","unstructured":"(2009) Common criteria for information technology security evaluation version 3.1 (Part 2: security functional requirements). \n                              http:\/\/www.commoncriteriaportal.org\/cc\/\n                              \n                           . Accessed Oct 2015"},{"key":"287_CR4","unstructured":"DoD (2003) Instruction 8500.2, information assurance implementation"},{"key":"287_CR5","unstructured":"DISA (2011) Application security and development STIG version 3 release 4. \n                              http:\/\/iase.disa.mil\/stigs\/app_security\/app_sec\/app_sec.html\n                              \n                           . Accessed Oct 2015"},{"key":"287_CR6","doi-asserted-by":"crossref","unstructured":"Hassan W, Logrippo L (2009) A governance requirements extraction model for legal compliance validation. In: Second international workshop on requirements engineering and law","DOI":"10.1109\/RELAW.2009.4"},{"key":"287_CR7","doi-asserted-by":"crossref","unstructured":"Gamble M, Gamble R, Hale M (2011) Security policy foundations in context UNITY. In: 7th International workshop on software engineering for secure systems","DOI":"10.1145\/1988630.1988633"},{"key":"287_CR8","doi-asserted-by":"crossref","unstructured":"Taguchi K, Yoshioka N, Tobita T, Kaneko H (2010) Aligning security requirements and security assurance using the common criteria. 
Presented at the fourth international conference on secure software integration and reliability improvement","DOI":"10.1109\/SSIRI.2010.30"},{"key":"287_CR9","doi-asserted-by":"crossref","unstructured":"Li N, Wang Q (2006) Beyond separation of duty: an algebra for specifying high-level security policies. In: Proceedings of the 13th ACM conference on computer and communications security","DOI":"10.1145\/1180405.1180449"},{"key":"287_CR10","unstructured":"(2003) Summary of the HIPAA privacy rule. \n                              http:\/\/www.hhs.gov\/ocr\/privacy\/hipaa\/understanding\/summary\/privacysummary.pdf\n                              \n                           . Accessed Oct 2015"},{"key":"287_CR11","doi-asserted-by":"crossref","unstructured":"Best B, J\u00fcrjens J, Nuseibeh B (2007) Model-based security engineering of distributed information systems using UMLsec. In: 29th International conference on software engineering","DOI":"10.1109\/ICSE.2007.55"},{"key":"287_CR12","doi-asserted-by":"crossref","unstructured":"Adir A, Asaf S, Fournier L, Jaeger I, Peled O (2007) A framework for the validation of processor architecture compliance. In: Proceedings of the 44th annual design automation conference","DOI":"10.1145\/1278480.1278702"},{"key":"287_CR13","unstructured":"NIST (2010) Special publication 800-37, guide for applying the risk management framework to federal information systems a security life cycle approach"},{"key":"287_CR14","doi-asserted-by":"crossref","unstructured":"Hale M, Gamble R (2012) Risk propagation of security SLAs in the cloud In: Proceeding of the workshop on management and security technologies for cloud computing 2012, IEEE GLOBECOM","DOI":"10.1109\/GLOCOMW.2012.6477665"},{"key":"287_CR15","unstructured":"MITRE. The common weakness enumeration (CWE) initiative. MITRE Corporation. \n                              http:\/\/cwe.mitre.org\/\n                              \n                           . 
Accessed Oct 2015"},{"key":"287_CR16","unstructured":"MITRE. Common vulnerabilities and exposures (CVE) initiative\/ MITRE Corporation. \n                              http:\/\/cve.mitre.org\/\n                              \n                           . Accessed Oct 2015"},{"issue":"4","key":"287_CR17","first-page":"4","volume":"14","author":"A Minkiewicz","year":"2011","unstructured":"Minkiewicz A (2011) Cloud Nine, are we there yet? J Softw Technol 14(4):4\u20138","journal-title":"J Softw Technol"},{"key":"287_CR18","unstructured":"CSA (2012) Cloud controls matrix. \n                              https:\/\/cloudsecurityalliance.org\/wp-content\/themes\/csa\/download-box-ccm-v1-3.php\n                              \n                           . Accessed Oct 2015"},{"key":"287_CR19","unstructured":"Breaux T, Anton A (2005) Deriving semantic models from privacy policies. In: Proceedings of the sixth IEEE international workshop on policies for distributed systems and networks"},{"key":"287_CR20","unstructured":"DoD (1999) Directive 5200.2: personnel security program"},{"key":"287_CR21","unstructured":"DoD (1997) Instruction 5200.40: DoD information technology security certification and accreditation process (DITSCAP)"},{"key":"287_CR22","unstructured":"DoD (2002) Directive 8500.1: information assurance"},{"key":"287_CR23","unstructured":"OMB (1996) Circular no. A-130: memorandum for heads of executive departments and establishments\u2014management of federal information resources"},{"key":"287_CR24","unstructured":"(2009) Common criteria for information technology security evaluation version 3.1 (Part 1: introduction and general model). \n                              http:\/\/www.commoncriteriaportal.org\/cc\/\n                              \n                           . Accessed Oct 2015"},{"key":"287_CR25","unstructured":"(2009) Common criteria for information technology security evaluation version 3.1 (Part 3: security assurance requirements). 
\n                              http:\/\/www.commoncriteriaportal.org\/cc\/\n                              \n                           . Accessed Oct 2015"},{"issue":"1","key":"287_CR26","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1109\/TSE.2007.70754","volume":"34","author":"C Haley","year":"2008","unstructured":"Haley C, Laney R, Moffett J, Nuseibeh B (2008) Security requirements engineering: a framework for representation and analysis. Trans Softw Eng (IEEE) 34(1):133\u2013153","journal-title":"Trans Softw Eng (IEEE)"},{"key":"287_CR27","doi-asserted-by":"crossref","unstructured":"Haley C, Moffett J, Laney R, Nuseibeh B (2006) A framework for security requirements engineering. In: Proceedings of the 2006 international workshop on Software engineering for secure systems","DOI":"10.1145\/1137627.1137634"},{"key":"287_CR28","doi-asserted-by":"crossref","unstructured":"Redl C, Breskovic I, Brandic I, Dustdar S (2012) Automatic SLA matching and provider selection in grid and cloud computing markets. In: Proceedings of the 13th international conference on grid computing","DOI":"10.1109\/Grid.2012.18"},{"key":"287_CR29","doi-asserted-by":"crossref","unstructured":"Modica G, Petralia G, Tomarchio O (2012) A business ontology to enable semantic matchmaking in open cloud markets. In: Eighth international conference on semantics, knowledge and grids","DOI":"10.1109\/SKG.2012.1"},{"key":"287_CR30","doi-asserted-by":"crossref","unstructured":"Belhajjame K, Embury S, Paton N (2013) Verification of semantic web service annotations using ontology-based partitioning. In: IEEE transactions on services computing (preprint)","DOI":"10.1109\/TSC.2013.4"},{"key":"287_CR31","doi-asserted-by":"crossref","unstructured":"Zhu W (2012) Semantic mediation bus (TM): an ontology-based runtime infrastructure for service interoperability. 
In: Proceedings of 16th IEEE international enterprise distributed object computing conference workshops","DOI":"10.1109\/EDOCW.2012.27"},{"key":"287_CR32","doi-asserted-by":"crossref","unstructured":"Dobson G, Sanchez-Macian A (2006) Towards unified QoS\/SLA ontologies. In: Proceedings of the IEEE services computing workshops","DOI":"10.1109\/SCW.2006.40"},{"key":"287_CR33","doi-asserted-by":"crossref","unstructured":"Khoury P, Mokhtari A, Coquery E, Hacid M-S (2008) An ontological interface for software developers to select security patterns. In: Proceedings of the 19th international conference on database and expert systems application","DOI":"10.1109\/DEXA.2008.110"},{"key":"287_CR34","unstructured":"W3C (2004) OWL web ontology language guide. \n                              http:\/\/www.w3.org\/TR\/owl-guide\/\n                              \n                           . Accessed Oct 2015"},{"issue":"8","key":"287_CR35","doi-asserted-by":"publisher","first-page":"1205","DOI":"10.1109\/TKDE.2008.209","volume":"21","author":"P Wongthongtham","year":"2009","unstructured":"Wongthongtham P, Chang E, Dillon T, Sommerville I (2009) Development of a software engineering ontology for multisite software development. IEEE Trans Knowl Data Eng 21(8):1205\u20131217","journal-title":"IEEE Trans Knowl Data Eng"},{"key":"287_CR36","doi-asserted-by":"crossref","unstructured":"Mace J, Parkin S, Moorsel AV (2010) A collaborative ontology development tool for information security managers. In: Proceedings of the 4th symposium on computer human interaction for the management of information technology","DOI":"10.1145\/1873561.1873566"},{"key":"287_CR37","unstructured":"Evesti A, Ovaska E, Savola R (2009) From security modelling to run-time security monitoring. 
In: Proceedings of European workshop on security in model driven architecture (SECMDA)"},{"key":"287_CR38","doi-asserted-by":"crossref","unstructured":"Lee S, Gandhi R, Muthurajan D, Yavagal D, Ahn G (2006) Building problem domain ontology from security requirements in regulatory documents. In: Proceedings of the international workshop on software engineering for secure systems","DOI":"10.1145\/1137627.1137635"},{"key":"287_CR39","doi-asserted-by":"crossref","unstructured":"Tsoumas B, Gritzalis D (2006) Towards an ontology-based security management. In: Proceedings of the 20th international conference on advanced information networking and applications, vol 01","DOI":"10.1109\/AINA.2006.329"},{"key":"287_CR40","doi-asserted-by":"crossref","unstructured":"Lee S, Gandhi R, Wagle S (2007) Towards a requirements-driven workbench for supporting software certification and accreditation. In: Proceedings of the third international workshop on software engineering for secure systems","DOI":"10.1109\/SESS.2007.11"},{"key":"287_CR41","doi-asserted-by":"crossref","unstructured":"Weber-Jahnke J, Onabajo A (2009) Mining and analysing security goal models in health information systems. In: Proceedings of the ICSE workshop on software engineering in health care","DOI":"10.1109\/SEHC.2009.5069605"},{"key":"287_CR42","doi-asserted-by":"crossref","unstructured":"Mathews AW, Yadron D (2015) Health insurer anthem hit by hackers. Wall Str J","DOI":"10.1016\/S1361-3723(15)30001-4"},{"key":"287_CR43","doi-asserted-by":"crossref","unstructured":"Daramola O, Sindre G, Stalhane T (2012) Pattern-based security requirements specification using ontologies and boilerplates. In: 2012 Second IEEE international workshop on requirements patterns (RePa), pp 54\u201359","DOI":"10.1109\/RePa.2012.6359973"},{"key":"287_CR44","doi-asserted-by":"crossref","unstructured":"Sharma V, Sarkar S, Verma K, Panayappan A, Kass A (2009) Extracting high-level functional design from software requirements. 
In: 16th Asia-Pacific software engineering conference","DOI":"10.1109\/APSEC.2009.63"},{"key":"287_CR45","unstructured":"Ambriola V, Gervasi V (1997) Processing natural language requirements. In: Proceedings of the 12th international conference on automated software engineering"},{"key":"287_CR46","doi-asserted-by":"crossref","unstructured":"Bernsmed K, Jaatun M, Meland P, Undheim A (2012) Thunder in the clouds: security challenges and solutions for federated clouds. In: 4th International IEEE conference on cloud computing technology and science","DOI":"10.1109\/CloudCom.2012.6427547"},{"key":"287_CR47","doi-asserted-by":"crossref","unstructured":"Bleikertz S, Gro\u00df T, M\u00f6dersheim S (2011) Automated verification of virtualized infrastructures. In: Proceedings of the 3rd ACM workshop on cloud computing security workshop","DOI":"10.1145\/2046660.2046672"},{"key":"287_CR48","doi-asserted-by":"crossref","unstructured":"She W, Yen I, Thuraisingham B, Huang S (2011) Rule-based run-time information flow control in service cloud. In: IEEE international conference on web services","DOI":"10.1109\/ICWS.2011.35"},{"key":"287_CR49","doi-asserted-by":"crossref","unstructured":"Singaravelu L, Pu C (2007) Fine-grain, end-to-end security for web service compositions In: IEEE international conference on services computing","DOI":"10.1109\/SCC.2007.61"},{"issue":"3","key":"287_CR50","doi-asserted-by":"publisher","first-page":"185","DOI":"10.1016\/j.tcs.2007.02.025","volume":"376","author":"G-C Roman","year":"2007","unstructured":"Roman G-C, Julien C, Payton J (2007) Modeling adaptive behaviors in context UNITY. Theor Comput Sci 376(3):185\u2013204","journal-title":"Theor Comput Sci"},{"issue":"5","key":"287_CR51","doi-asserted-by":"publisher","first-page":"315","DOI":"10.1109\/32.685256","volume":"24","author":"R deNicola","year":"1998","unstructured":"deNicola R, Ferrari G, Pugliese R (1998) KLAIM: a kernel language for agents interaction and mobility. 
IEEE Trans Softw Eng 24(5):315\u2013330","journal-title":"IEEE Trans Softw Eng"},{"key":"287_CR52","unstructured":"Bravetti M, Busi N, Gorrieri R, Lucchi R, Zavattaro G (2004) Security issues in the tuple-space coordination model. In: Proceedings of workshop on formal aspects in security and trust"},{"key":"287_CR53","doi-asserted-by":"publisher","first-page":"145","DOI":"10.1002\/spip.373","volume":"13","author":"MT Gamble","year":"2008","unstructured":"Gamble MT, Gamble R (2008) Isolation in design reuse. J Softw Process Improv Pract 13:145\u2013156","journal-title":"J Softw Process Improv Pract"},{"key":"287_CR54","doi-asserted-by":"crossref","unstructured":"Xie R, Gamble R (2013) An architecture for cross-cloud auditing. In: 8th Cyber security and information intelligence research workshop","DOI":"10.1145\/2459976.2459981"},{"key":"287_CR55","doi-asserted-by":"crossref","unstructured":"Raj H, Nathuji R, Singh A, England P (2009) Resource management for isolation enhanced cloud services. In: Proceedings of the ACM workshop on Cloud computing security workshop","DOI":"10.1145\/1655008.1655019"},{"key":"287_CR56","doi-asserted-by":"crossref","unstructured":"Bernsmed K, Jaatun M, Meland P, Undheim A (2011) Security SLAs for federated cloud services. In: Sixth international conference on availability, reliability and security","DOI":"10.1109\/ARES.2011.34"},{"issue":"3","key":"287_CR57","first-page":"122","volume":"85","author":"R Handorean","year":"2003","unstructured":"Handorean R, Roman G-C (2003) Secure sharing of tuple spaces in ad hoc settings. ENTCS 85(3):122\u2013141","journal-title":"ENTCS"},{"key":"287_CR58","doi-asserted-by":"crossref","unstructured":"Merrick I, Wood A (2000) Coordination with scopes. 
In: Proceedings of the 2000 ACM symposium on applied computing","DOI":"10.1145\/335603.335747"},{"issue":"8","key":"287_CR59","doi-asserted-by":"publisher","first-page":"26","DOI":"10.1109\/MC.1986.1663305","volume":"19","author":"A Sudhir","year":"1986","unstructured":"Sudhir A, Carriero N, Gelernter D (1986) Linda and friends. IEEE Comput 19(8):26\u201334","journal-title":"IEEE Comput"},{"key":"287_CR60","volume-title":"Parallel program design: a foundation","author":"K Mani Chandy","year":"1988","unstructured":"Mani Chandy K (1988) Parallel program design: a foundation. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA"},{"key":"287_CR61","doi-asserted-by":"crossref","unstructured":"Wang W, Gupta A, Wu Y (2015) Continuously delivered? Periodically updated? Never changed? Studying an open source project\u2019s releases of code, requirements, and trace matrix. In: 2015 IEEE workshop on just-in-time requirements engineering (JITRE). IEEE, pp 13\u201316","DOI":"10.1109\/JITRE.2015.7330213"},{"issue":"3","key":"287_CR62","doi-asserted-by":"publisher","first-page":"231","DOI":"10.1007\/s00766-013-0198-z","volume":"19","author":"C Ghezzi","year":"2014","unstructured":"Ghezzi C, Menghi C, Sharifloo AM, Spoletini P (2014) On requirement verification for evolving Statecharts specifications. Requir Eng 19(3):231\u2013255","journal-title":"Requir Eng"},{"issue":"3","key":"287_CR63","doi-asserted-by":"publisher","first-page":"309","DOI":"10.1007\/s00766-013-0197-0","volume":"19","author":"A Mahmoud","year":"2014","unstructured":"Mahmoud A, Niu N (2014) Supporting requirements to code traceability through refactoring. Requir Eng 19(3):309\u2013329","journal-title":"Requir Eng"},{"key":"287_CR64","unstructured":"Hermoye L, Lamsweerde A, Perry D (2014) A reuse-based approach to security requirements engineering. 
\n                              http:\/\/users.ece.utexas.edu\/~perry\/work\/papers\/060908-LH-reuse.pdf"},{"key":"287_CR65","unstructured":"van Hermoye LA, Perry DE (2006) Attack patterns for security requirements engineering"},{"key":"287_CR66","unstructured":"Saeki M, Kaiya H (2008) Security requirements elicitation using method weaving and common criteria. In: International conference on model driven engineering languages and systems. Springer, pp 185\u2013196"},{"issue":"3","key":"287_CR67","doi-asserted-by":"publisher","first-page":"1234","DOI":"10.1109\/TII.2013.2258165","volume":"9","author":"V Vyatkin","year":"2013","unstructured":"Vyatkin V (2013) Software engineering in industrial automation: state-of-the-art review. IEEE Trans Ind Inf 9(3):1234\u20131249","journal-title":"IEEE Trans Ind Inf"},{"issue":"Supplement C","key":"287_CR68","doi-asserted-by":"publisher","first-page":"102","DOI":"10.1016\/j.jss.2015.04.065","volume":"106","author":"Y Yu","year":"2015","unstructured":"Yu Y, Franqueira VNL, Tun TT, Wieringa RJ, Nuseibeh B (2015) Automated analysis of security requirements through risk-based argumentation. J Syst Softw 106(Supplement C):102\u2013116","journal-title":"J Syst Softw"},{"key":"287_CR69","doi-asserted-by":"crossref","unstructured":"Darimont R, Delor E, Massonet P, van Lamsweerde A (1997) GRAIL\/KAOS: an environment for goal-driven requirements engineering. In: Proceedings of the 19th international conference on software engineering. ACM, pp 612\u2013613","DOI":"10.1145\/253228.253499"},{"key":"287_CR70","unstructured":"Profile EP, E-COFC public business class. ECMA Technical Report TR\/781999"},{"key":"287_CR71","unstructured":"MITRE. Common attack pattern enumeration and classification (CAPEC) initiative. MITRE Corporation. \n                              http:\/\/cwe.mitre.org\/\n                              \n                           . 
Accessed Oct 2015"},{"key":"287_CR72","unstructured":"Davies J, Woodcock J (1996) Using Z: specification, refinement and proof. Prentice Hall International Series in Computer Science. ISBN 0-13-948472-8"},{"issue":"6","key":"287_CR73","doi-asserted-by":"publisher","first-page":"1157","DOI":"10.3233\/JCS-2009-0393","volume":"18","author":"M Clarkson","year":"2010","unstructured":"Clarkson M, Schneider F (2010) Hyperproperties. J Comput Secur 18(6):1157\u20131210","journal-title":"J Comput Secur"},{"key":"287_CR74","unstructured":"(2012) FedRamp Baseline Security Controls. \n                              www.gsa.gov\/graphics\/staffoffices\/FedRAMP_Security_Controls_Final.zip\n                              \n                           . Accessed Oct 2015"},{"key":"287_CR75","unstructured":"(2009) Cloud security alliance, security guidance for critical areas of focus in cloud computing v3.0. \n                              https:\/\/cloudsecurityalliance.org\/wp-content\/uploads\/2011\/07\/csaguide.v2.1.pdf\n                              \n                           . 
Accessed Oct 2015"}],"container-title":["Requirements Engineering"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00766-017-0287-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/article\/10.1007\/s00766-017-0287-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"http:\/\/link.springer.com\/content\/pdf\/10.1007\/s00766-017-0287-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2020,5,14]],"date-time":"2020-05-14T07:56:39Z","timestamp":1589442999000},"score":1,"resource":{"primary":{"URL":"http:\/\/link.springer.com\/10.1007\/s00766-017-0287-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2017,12,30]]},"references-count":75,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2019,9]]}},"alternative-id":["287"],"URL":"https:\/\/doi.org\/10.1007\/s00766-017-0287-5","relation":{},"ISSN":["0947-3602","1432-010X"],"issn-type":[{"value":"0947-3602","type":"print"},{"value":"1432-010X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2017,12,30]]},"assertion":[{"value":"4 May 2017","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"18 December 2017","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"30 December 2017","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}