{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,9]],"date-time":"2026-04-09T14:30:24Z","timestamp":1775745024177,"version":"3.50.1"},"reference-count":55,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2020,4,13]],"date-time":"2020-04-13T00:00:00Z","timestamp":1586736000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2020,4,13]],"date-time":"2020-04-13T00:00:00Z","timestamp":1586736000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"funder":[{"name":"Alphonse Weicker Foundation"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Empir Software Eng"],"published-print":{"date-parts":[[2020,7]]},"DOI":"10.1007\/s10664-020-09814-x","type":"journal-article","created":{"date-parts":[[2020,4,13]],"date-time":"2020-04-13T18:02:17Z","timestamp":1586800937000},"page":"2550-2582","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":12,"title":["Using machine learning to assist with the selection of security controls during security assessment"],"prefix":"10.1007","volume":"25","author":[{"given":"Seifeddine","family":"Bettaieb","sequence":"first","affiliation":[]},{"given":"Seung Yeob","family":"Shin","sequence":"additional","affiliation":[]},{"given":"Mehrdad","family":"Sabetzadeh","sequence":"additional","affiliation":[]},{"given":"Lionel C.","family":"Briand","sequence":"additional","affiliation":[]},{"given":"Michael","family":"Garceau","sequence":"additional","affiliation":[]},{"given":"Antoine","family":"Meyers","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2020,4,13]]},"reference":[{"issue":"sup1","key":"9814_CR1","doi-asserted-by":"publisher","first-page":"173","DOI":"10.1080\/12460125.2018.1468177","volume":"27","author":"L Almeida","year":"2018","unstructured":"Almeida L, Resp\u00edcio A (2018) Decision support for selecting information security controls. J Decis Syst 27(sup1):173\u2013180","journal-title":"J Decis Syst"},{"key":"9814_CR2","doi-asserted-by":"publisher","first-page":"20","DOI":"10.1145\/1007730.1007735","volume":"6","author":"GEAPA Batista","year":"2004","unstructured":"Batista G E A P A, Prati R C, Monard M C (2004) A study of the behavior of several methods for balancing machine learning training data. ACM SIGKDD Explorations Newsletter 6:20\u201329","journal-title":"ACM SIGKDD Explorations Newsletter"},{"key":"9814_CR3","doi-asserted-by":"crossref","unstructured":"Bettaieb S, Shin SY, Sabetzadeh M, Briand LC, Nou G, Garceau M (2019) Decision support for security-control identification using machine learning. In: Proceedings of the 25th international working conference on requirements engineering: Foundation for software quality (REFSQ\u201919), pp 3\u201320","DOI":"10.1007\/978-3-030-15538-4_1"},{"key":"9814_CR4","volume-title":"Pattern recognition and machine learning. Information Science and Statistics","author":"CM Bishop","year":"2007","unstructured":"Bishop C M (2007) Pattern recognition and machine learning. Information Science and Statistics. Springer, Berlin"},{"key":"9814_CR5","doi-asserted-by":"publisher","first-page":"1757","DOI":"10.1016\/j.patcog.2004.03.009","volume":"37","author":"MR Boutell","year":"2004","unstructured":"Boutell M R, Luo J, Shen X, Brown C M (2004) Learning multi-label scene classification. Pattern Recogn 37:1757\u20131771","journal-title":"Pattern Recogn"},{"key":"9814_CR6","unstructured":"Breiman L, Friedman J, Stone CJ, Olshen R (1984) Classification and Regression Trees. Wadsworth International Group"},{"key":"9814_CR7","doi-asserted-by":"crossref","unstructured":"Caralli R A, Stevens J F, Young L R, Wilson W R (2007) Introducing OCTAVE allegro: Improving the information security risk assessment process. Tech. rep CMU\/SEI-2007-TR-012, SEI, Carnegie Mellon University","DOI":"10.21236\/ADA470450"},{"issue":"4","key":"9814_CR8","doi-asserted-by":"publisher","first-page":"436","DOI":"10.1016\/j.infsof.2009.10.010","volume":"52","author":"A Casamayor","year":"2010","unstructured":"Casamayor A, Godoy D, Campo M R (2010) Identification of non-functional requirements in textual specifications: A semi-supervised learning approach. Inf Softw Technol (IST\u201910) 52(4):436\u2013445","journal-title":"Inf Softw Technol (IST\u201910)"},{"key":"9814_CR9","unstructured":"CASES (2018) Method for an optimised analysis of risks by @CASES-LU. https:\/\/www.monarc.lu, accessed September 2018"},{"key":"9814_CR10","doi-asserted-by":"publisher","first-page":"321","DOI":"10.1613\/jair.953","volume":"16","author":"NV Chawla","year":"2002","unstructured":"Chawla N V, Bowyer K W, Hall L O, Kegelmeyer W P (2002) SMOTE: Synthetic minority over-sampling technique. J Artif Intell Res (JAIR\u201902) 16:321\u2013357","journal-title":"J Artif Intell Res (JAIR\u201902)"},{"key":"9814_CR11","unstructured":"CLUSIF (2018) Method for harmonized analysis of risk. https:\/\/clusif.fr\/mehari, accessed September 2018"},{"key":"9814_CR12","doi-asserted-by":"crossref","unstructured":"Cohen WW (1995) Fast effective rule induction. In: Proceedings of the 12th international conference on machine learning (ICML\u201995), pp 115\u2013123","DOI":"10.1016\/B978-1-55860-377-6.50023-2"},{"key":"9814_CR13","unstructured":"Cyber Threat Institute (2019) Vector matrix - risk assessment methodology, security, impact. http:\/\/www.riskvector.com, accessed June 2019"},{"key":"9814_CR14","volume-title":"Security requirements engineering: Designing secure socio-technical systems","author":"F Dalpiaz","year":"2016","unstructured":"Dalpiaz F, Paja E, Giorgini P (2016) Security requirements engineering: Designing secure socio-technical systems. MIT Press, Cambridge"},{"key":"9814_CR15","volume-title":"The art of software security assessment: Identifying and preventing software vulnerabilities","author":"M Dowd","year":"2006","unstructured":"Dowd M, McDonald J, Schuh J (2006) The art of software security assessment: Identifying and preventing software vulnerabilities. Pearson Education, London"},{"key":"9814_CR16","unstructured":"Elkan C (2001) The foundations of cost-sensitive learning. In: Proceedings of the 17th international joint conference on artificial intelligence (IJCAI\u201901), pp 973\u2013978"},{"key":"9814_CR17","unstructured":"Frank E, Witten IH (1998) Generating accurate rule sets without global optimization. In: Proceedings of the 15th international conference on machine learning (ICML\u201998), pp 144\u2013151"},{"key":"9814_CR18","first-page":"6","volume":"2008","author":"S Furnell","year":"2008","unstructured":"Furnell S (2008) End-user security culture: A lesson that will never be learnt? Comput Fraud Secur 2008:6\u20139","journal-title":"Comput Fraud Secur"},{"key":"9814_CR19","unstructured":"Grinstein G, Trutschl M, Cvek U (2001) High-dimensional visualizations. In: Proceedings of the visual data mining workshop (KDD\u201901), pp 120\u2013134"},{"issue":"1","key":"9814_CR20","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1109\/TSE.2007.70754","volume":"34","author":"CB Haley","year":"2008","unstructured":"Haley C B, Laney R C, Moffett J D, Nuseibeh B (2008) Security requirements engineering: A framework for representation and analysis. IEEE Trans Softw Eng (TSE\u201908) 34(1):133\u2013153","journal-title":"IEEE Trans Softw Eng (TSE\u201908)"},{"key":"9814_CR21","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1145\/1656274.1656278","volume":"11","author":"MA Hall","year":"2009","unstructured":"Hall M A, Frank E, Holmes G, Pfahringer B, Reutemann P, Witten I H (2009) The WEKA data mining software: An update. ACM SIGKDD Explorations Newsletter 11:10\u201318","journal-title":"ACM SIGKDD Explorations Newsletter"},{"key":"9814_CR22","unstructured":"Ionita D, Wieringa RJ (2016) Web-based collaborative security requirements elicitation. In: Joint proceedings of REFSQ-2016 workshops, Doctoral symposium, Research method track, and poster track co-located with the 22nd international working conference on requirements engineering: Foundation for software quality (REFSQ Workshops\u201916), pp 3\u20136"},{"key":"9814_CR23","unstructured":"ISACA (2018) Framework for it governance and control. http:\/\/www.isaca.org\/Knowledge-Center\/cobit\/Pages\/Overview.aspx, accessed June 2018"},{"key":"9814_CR24","volume-title":"ISO 31000 - risk management","author":"ISO","year":"2018","unstructured":"ISO (2018) ISO 31000 - risk management. ISO Standard, London"},{"key":"9814_CR25","volume-title":"ISO\/IEC 27002:2005 code of practice for information security controls","author":"ISO and IEC","year":"2005","unstructured":"ISO and IEC (2005) ISO\/IEC 27002:2005 code of practice for information security controls. ISO Standard, London"},{"key":"9814_CR26","volume-title":"ISO\/IEC 27000:2018 information security management systems","author":"ISO and IEC","year":"2018","unstructured":"ISO and IEC (2018) ISO\/IEC 27000:2018 information security management systems. ISO Standard, London"},{"key":"9814_CR27","unstructured":"John GH, Langley P (1995) Estimating continuous distributions in bayesian classifiers. In: Proceedings of the 11th annual conference on uncertainty in artificial intelligence (UAI\u201995), pp 338\u2013345"},{"key":"9814_CR28","doi-asserted-by":"crossref","unstructured":"Jufri MT, Hendayun M, Suharto T (2017) Risk-assessment based academic information system security policy using OCTAVE Allegro and ISO 27002. In: Proceedings of the 2nd international conference on informatics and computing (ICIC\u201917), pp 1\u20136","DOI":"10.1109\/IAC.2017.8280541"},{"key":"9814_CR29","doi-asserted-by":"publisher","first-page":"85","DOI":"10.1007\/s40070-016-0055-7","volume":"4","author":"E Kiesling","year":"2016","unstructured":"Kiesling E, Ekelhart A, Grill B, Strauss C, Stummer C (2016) Selecting security control portfolios: A multi-objective simulation-optimization approach. EURO J Decision Process 4:85\u2013117","journal-title":"EURO J Decision Process"},{"issue":"2","key":"9814_CR30","doi-asserted-by":"publisher","first-page":"20","DOI":"10.1145\/511152.511155","volume":"27","author":"BA Kitchenham","year":"2002","unstructured":"Kitchenham B A, Pfleeger S L (2002) Principles of survey research: Part 3: Constructing a survey instrument. ACM SIGSOFT Software Engineering Notes 27 (2):20\u201324","journal-title":"ACM SIGSOFT Software Engineering Notes"},{"key":"9814_CR31","doi-asserted-by":"crossref","unstructured":"Kurtanovi\u0107 Z, Maalej W (2017) Mining user rationale from software reviews. In: Proceedings of the 25th IEEE international conference on requirements engineering (RE\u201917), pp 61\u201370","DOI":"10.1109\/RE.2017.86"},{"issue":"1","key":"9814_CR32","doi-asserted-by":"publisher","first-page":"191","DOI":"10.2307\/2347628","volume":"41","author":"S le Cessie","year":"1992","unstructured":"le Cessie S, van Houwelingen JC (1992) Ridge estimators in logistic regression. Appl Stat 41(1):191\u2013201","journal-title":"Appl Stat"},{"key":"9814_CR33","doi-asserted-by":"crossref","unstructured":"Li T (2017) Identifying security requirements based on linguistic analysis and machine learning. In: Proceedings of the 24th Asia-Pacific software engineering conference (APSEC\u201917), pp 388\u2013397","DOI":"10.1109\/APSEC.2017.45"},{"issue":"140","key":"9814_CR34","first-page":"5","volume":"22","author":"R Likert","year":"1932","unstructured":"Likert R (1932) A technique for the measurement of attitudes. Arch Psychol 22 (140):5\u201355","journal-title":"Arch Psychol"},{"key":"9814_CR35","unstructured":"Meier J, Mackman A, Vasireddy S, Dunner M, Escamilla R, Murukan A (2003) Improving web application security: Threats and countermeasures, Tech. rep., Microsoft"},{"issue":"11","key":"9814_CR36","doi-asserted-by":"publisher","first-page":"30","DOI":"10.1145\/319382.319388","volume":"42","author":"TM Mitchell","year":"1999","unstructured":"Mitchell T M (1999) Machine learning and data mining. Commun ACM 42 (11):30\u201336","journal-title":"Commun ACM"},{"key":"9814_CR37","unstructured":"Myagmar S, Lee AJ, Yurcik W (2005) Threat modeling as a basis for security requirements. In: Proceedings of the IEEE symposium on requirements engineering for information security (SREIS\u201905), pp 1\u20138"},{"key":"9814_CR38","volume-title":"NIST special publication 800-30: Guide for conducting risk assessments","author":"NIST","year":"2012","unstructured":"NIST (2012) NIST special publication 800-30: Guide for conducting risk assessments. NIST Standard, Gaithersburg"},{"key":"9814_CR39","unstructured":"OSA (2018) Open security architecture. http:\/\/www.opensecurityarchitecture.org, accessed September 2018"},{"key":"9814_CR40","doi-asserted-by":"crossref","unstructured":"Park S, F\u00fcrnkranz J (2007) Efficient pairwise classification. In: Proceedings of the 18th European conference on machine learning (ECML\u201907), pp 658\u2013665","DOI":"10.1007\/978-3-540-74958-5_65"},{"issue":"1","key":"9814_CR41","first-page":"81","volume":"1","author":"JR Quinlan","year":"1986","unstructured":"Quinlan J R (1986) Induction of decision trees. Mach Learn 1(1):81\u2013106","journal-title":"Mach Learn"},{"key":"9814_CR42","volume-title":"C4.5: Programs for machine learning","author":"JR Quinlan","year":"1993","unstructured":"Quinlan JR (1993) C4.5: Programs for machine learning. Morgan Kaufmann, Massachusetts"},{"key":"9814_CR43","doi-asserted-by":"crossref","unstructured":"Read J, Pfahringer B, Holmes G, Frank E (2009) Classifier chains for multi-label classification. In: Proceedings of the 2009 joint European conference on machine learning and knowledge discovery in databases (ECML PKDD\u201909), pp 254\u2013269","DOI":"10.1007\/978-3-642-04174-7_17"},{"key":"9814_CR44","doi-asserted-by":"crossref","unstructured":"Rodeghero P, Jiang S, Armaly A, McMillan C (2017) Detecting user story information in developer-client conversations to generate extractive summaries. In: Proceedings of the 39th international conference on software engineering (ICSE\u201917), pp 49\u201359","DOI":"10.1109\/ICSE.2017.13"},{"key":"9814_CR45","volume-title":"Diffusion of innovations","author":"EM Rogers","year":"2003","unstructured":"Rogers EM (2003) Diffusion of innovations, 5th edn. Free Press, New York","edition":"5th edn."},{"key":"9814_CR46","unstructured":"Schmitt C, Liggesmeyer P (2015) A model for structuring and reusing security requirements sources and security requirements. In: Joint proceedings of REFSQ-2015 workshops, doctoral symposium, research method track, and poster track co-located with the 21st international working conference on requirements engineering: Foundation for software quality (REFSQ Workshops\u201915), pp 34\u201343"},{"key":"9814_CR47","doi-asserted-by":"crossref","unstructured":"Sihwi SW, Andriyanto F, Anggrainingsih R (2016) An expert system for risk assessment of information system security based on ISO 27002. In: Proceedings of the 2016 IEEE international conference on knowledge engineering and applications (ICKEA\u201916), pp 56\u201361","DOI":"10.1109\/ICKEA.2016.7802992"},{"key":"9814_CR48","doi-asserted-by":"publisher","first-page":"34","DOI":"10.1007\/s00766-004-0194-4","volume":"10","author":"G Sindre","year":"2005","unstructured":"Sindre G, Opdahl A L (2005) Eliciting security requirements with misuse cases. Requir Eng 10:34\u201344","journal-title":"Requir Eng"},{"key":"9814_CR49","doi-asserted-by":"crossref","unstructured":"Tsoumakas G, Vlahavas IP (2007) Random k-labelsets: An ensemble method for multilabel classification. In: Proceedings of the 18th European conference on machine learning (ECML\u201907), pp 406\u2013417","DOI":"10.1007\/978-3-540-74958-5_38"},{"key":"9814_CR50","doi-asserted-by":"crossref","unstructured":"T\u00fcrpe S (2017) The trouble with security requirements. In: Proceedings of the 25th IEEE international conference on requirements engineering (RE\u201917), pp 122\u2013133","DOI":"10.1109\/RE.2017.13"},{"issue":"3","key":"9814_CR51","doi-asserted-by":"publisher","first-page":"408","DOI":"10.1109\/TSMC.1972.4309137","volume":"2","author":"DL Wilson","year":"1972","unstructured":"Wilson D L (1972) Asymptotic properties of nearest neighbor rules using edited data. IEEE Trans Syst Man Cybern 2(3):408\u2013421","journal-title":"IEEE Trans Syst Man Cybern"},{"key":"9814_CR52","doi-asserted-by":"publisher","first-page":"1035","DOI":"10.1016\/j.procs.2015.08.625","volume":"64","author":"I Yevseyeva","year":"2015","unstructured":"Yevseyeva I, Basto-Fernandes V, Emmerich M, van Moorsel A (2015) Selecting optimal subset of security controls. Procedia Comput Sci 64:1035\u20131042","journal-title":"Procedia Comput Sci"},{"key":"9814_CR53","doi-asserted-by":"publisher","first-page":"971","DOI":"10.1016\/j.procs.2016.09.261","volume":"100","author":"I Yevseyeva","year":"2016","unstructured":"Yevseyeva I, Basto-Fernandes V, van Moorsel A, Janicke H, Emmerich M (2016) Two-stage security controls selection. Procedia Comput Sci 100:971\u2013978","journal-title":"Procedia Comput Sci"},{"key":"9814_CR54","doi-asserted-by":"publisher","first-page":"102","DOI":"10.1016\/j.jss.2015.04.065","volume":"106","author":"Y Yu","year":"2015","unstructured":"Yu Y, Franqueira V N, Tun T T, Wieringa R J, Nuseibeh B (2015) Automated analysis of security requirements through risk-based argumentation. J Syst Softw (JSS\u201915) 106:102\u2013116","journal-title":"J Syst Softw (JSS\u201915)"},{"issue":"8","key":"9814_CR55","doi-asserted-by":"publisher","first-page":"1819","DOI":"10.1109\/TKDE.2013.39","volume":"26","author":"M Zhang","year":"2014","unstructured":"Zhang M, Zhou Z (2014) A review on multi-label learning algorithms. IEEE Trans Knowl Data Eng (TKDE\u201914) 26(8):1819\u20131837","journal-title":"IEEE Trans Knowl Data Eng (TKDE\u201914)"}],"container-title":["Empirical Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-020-09814-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10664-020-09814-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10664-020-09814-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,4,12]],"date-time":"2021-04-12T23:45:17Z","timestamp":1618271117000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10664-020-09814-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,4,13]]},"references-count":55,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2020,7]]}},"alternative-id":["9814"],"URL":"https:\/\/doi.org\/10.1007\/s10664-020-09814-x","relation":{},"ISSN":["1382-3256","1573-7616"],"issn-type":[{"value":"1382-3256","type":"print"},{"value":"1573-7616","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,4,13]]},"assertion":[{"value":"13 April 2020","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}}]}}