{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,21]],"date-time":"2026-04-21T14:47:20Z","timestamp":1776782840684,"version":"3.51.2"},"reference-count":55,"publisher":"Springer Science and Business Media LLC","issue":"5","license":[{"start":{"date-parts":[[2023,6,27]],"date-time":"2023-06-27T00:00:00Z","timestamp":1687824000000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,6,27]],"date-time":"2023-06-27T00:00:00Z","timestamp":1687824000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100003945","name":"Link\u00f6pings Universitet","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003945","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Ericsson AB"},{"DOI":"10.13039\/501100003945","name":"Link\u00f6ping University","doi-asserted-by":"crossref","id":[{"id":"10.13039\/501100003945","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["SN COMPUT. SCI."],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Software products are increasingly used in critical infrastructures, and verifying the security of these products has become a necessary part of every software development project. Effective and practical methods and processes are needed by software vendors and infrastructure operators to meet the existing extensive demand for security. This article describes a lightweight security risk assessment method that flags security issues as early as possible in the software project, namely during requirements analysis. The method requires minimal training effort, adds low overhead, and makes it possible to show immediate results to affected stakeholders. We present a longitudinal case study of how a large enterprise developing complex telecom products adopted this method all the way from pilot studies to full-scale regular use. Lessons learned from the case study provide knowledge about the impact that upskilling and training of requirements engineers have on reducing the risk of malfunctions or security vulnerabilities in situations where it is not possible to have security experts go through all requirements. The case study highlights the challenges of process changes in large organizations as well as the pros and cons of having centralized, distributed, or semi-distributed workforce for security assurance in requirements engineering.<\/jats:p>","DOI":"10.1007\/s42979-023-01968-x","type":"journal-article","created":{"date-parts":[[2023,6,27]],"date-time":"2023-06-27T15:12:37Z","timestamp":1687878757000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":5,"title":["A Case Study of Introducing Security Risk Assessment in Requirements Engineering in a Large Organization"],"prefix":"10.1007","volume":"4","author":[{"given":"Shanai","family":"Ardi","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3052-5604","authenticated-orcid":false,"given":"Kristian","family":"Sandahl","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Mats","family":"Gustafsson","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2023,6,27]]},"reference":[{"issue":"2","key":"1968_CR1","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1109\/MSECP.2004.1281254","volume":"2","author":"G McGraw","year":"2004","unstructured":"McGraw G. Software security. IEEE Secur Priv. 2004;2(2):80\u20133.","journal-title":"IEEE Secur Priv"},{"issue":"6","key":"1968_CR2","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1109\/MSP.2004.95","volume":"2","author":"M Howard","year":"2004","unstructured":"Howard M. Building more secure software. IEEE Secur Priv. 2004;2(6):63\u20135.","journal-title":"IEEE Secur Priv"},{"key":"1968_CR3","doi-asserted-by":"crossref","unstructured":"Ardi S, Byers D and Shahmehri N Towards a structured unified process for software security, Proc. Int. Workshop on Software Engineering for Secure Systems (SESS), Shanghai, China, pp. 3\u201310. (2006)","DOI":"10.1145\/1137627.1137630"},{"key":"1968_CR4","doi-asserted-by":"crossref","unstructured":"Lipner S. B The trustworthy computing security development lifecycle, Proc. ACSAC 04, 20th Annual Computer Security Applications Conference, Tucson, USA, pp. 2\u201313. (2004)","DOI":"10.1109\/CSAC.2004.41"},{"key":"1968_CR5","doi-asserted-by":"crossref","unstructured":"McGraw G. Software Security: Building Security In. Boston: Addison-Wesley; 2006.","DOI":"10.1109\/ISSRE.2006.43"},{"key":"1968_CR6","unstructured":"Viega J, McGraw G (2011) Building Secure Software: How to Avoid Security Problems the Right Way. Boston: Addison-Wesley; 2011."},{"key":"1968_CR7","unstructured":"McGraw G, Migues S, West J, (2018) Building Security In Maturity Model (BSIMM 8), https:\/\/www.bsimm.com\/. Accessed 2020\u201302\u201310"},{"key":"1968_CR8","doi-asserted-by":"crossref","unstructured":"Franqueira V.N.L, Bakalova Z, Than Tun T, Daneva Towards agile security risk management in RE and beyond, Proc. 1st Int. Workshop on Empirical Requirements (EMPIRE), Trento, Italy, pp. 33\u201336. (2011)","DOI":"10.1109\/EmpiRE.2011.6046253"},{"key":"1968_CR9","unstructured":"Mayer N, Rifaut A, Dubois E Towards a risk-based security requirement engineering framework, Proc. 11th Int. Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'05), Los Alamitos, USA, pp 83\u201397. (2005)"},{"key":"1968_CR10","doi-asserted-by":"crossref","unstructured":"Laoufi N, From risk analysis to the expression of security requirements for systems information, Proc. Fourth International conference on Cyber security, cyber warefare and digital forensics, Jakarta, Indonesia, pp 84\u201389. (2015)","DOI":"10.1109\/CyberSec.2015.25"},{"key":"1968_CR11","doi-asserted-by":"crossref","unstructured":"Oyetoyan T. D, Soares Cruzes D, Gilje Jaatun M, An empirical study on relationship between software security skills, usage and training needs in agile settings, International Conference on Availability, Reliability and Security, Salzburg, Austria, pp 548\u2013555. (2016)","DOI":"10.1109\/ARES.2016.103"},{"key":"1968_CR12","doi-asserted-by":"crossref","unstructured":"Savola R. M, V\u00e4is\u00e4nen T, Evesti A, Savolainen P, Kemppainen J, Kokem\u00e4ki M. Towards risk-driven security measurement for android smartphone platform, International Information Security South Africa conference, Johannesburg, South Africa, pp. 1\u20138. (2013)","DOI":"10.1109\/ISSA.2013.6641049"},{"issue":"2","key":"1968_CR13","doi-asserted-by":"publisher","first-page":"101","DOI":"10.1007\/s00766-010-0112-x","volume":"16","author":"Y Asnar","year":"2011","unstructured":"Asnar Y, Giorgini P, Mylopoulos J. Goal-driven risk assessment in requirements engineering. Requir Eng. 2011;16(2):101\u201316.","journal-title":"Requir Eng"},{"key":"1968_CR14","volume-title":"The security development lifecycle","author":"M Howard","year":"2006","unstructured":"Howard M, Lipner S. The security development lifecycle. Redmond, Washington: Microsoft Press; 2006."},{"key":"1968_CR15","unstructured":"The CLASP application security process. Secure Software Inc. 2005. https:\/\/cwe.mitre.org\/documents\/sources\/TheCLASPApplicationSecurityProcess.pdf. Accessed 23 Jun 2023."},{"key":"1968_CR16","unstructured":"Guide for conducting risk assessment, NIST Special Publication 800\u201330, https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-30r1.pdf. Accessed 23 Jun 2023."},{"key":"1968_CR17","unstructured":"ISO\/IEC 27000: https:\/\/www.iso.org\/standard\/73906.html. Accessed 23 Jun 2023."},{"key":"1968_CR18","unstructured":"ISC2 Cybersecurity workforce study (2019), https:\/\/www.isc2.org\/Research\/Workforce-Study. Accessed 23 Jun 2023."},{"key":"1968_CR19","unstructured":"Herrmann A, Morali A RiskREP: Risk-Based Security Requirements Elicitation and Prioritization, Proc. Perspectives in Business Informatics Research, Riga, Latvia, pp. 155\u2013162. (2011)"},{"issue":"4","key":"1968_CR20","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/1082983.1083121","volume":"30","author":"M Umarji","year":"2005","unstructured":"Umarji M, Seaman C. Predicting acceptance of software process improvement. SIGSOFT Softw Eng Notes. 2005;30(4):1\u20136.","journal-title":"SIGSOFT Softw Eng Notes"},{"key":"1968_CR21","unstructured":"Borg A, Yong A, Carlshamre P, Sandahl K The bad conscience of requirements engineering: an investigation in real-world treatment of non-functional requirements, Proc. 3rd International Conference on Software Engineering Research and Practice in Sweden (SERPS'03), pp. 1\u20138. (2003)"},{"issue":"1","key":"1968_CR22","doi-asserted-by":"publisher","first-page":"53","DOI":"10.5381\/jot.2003.2.1.c6","volume":"2","author":"DG Firesmith","year":"2003","unstructured":"Firesmith DG. Engineering security requirements. J Object Technol. 2003;2(1):53\u201368.","journal-title":"J Object Technol"},{"issue":"1","key":"1968_CR23","doi-asserted-by":"publisher","first-page":"20","DOI":"10.1109\/MS.2008.19","volume":"25","author":"A Tondel","year":"2008","unstructured":"Tondel A, Gilje Jaatun M, Meland PH. Security requirements for the rest of us: a survey. IEEE Softw. 2008;25(1):20\u20137.","journal-title":"IEEE Softw"},{"key":"1968_CR24","unstructured":"Mead N.R, Houg E.D, Stehny T.R, Security quality requirements engineering (SQUARE) methodology, Software Eng. Inst. Carnegie Mellon University, Techncial Report CMU\/SEI-2005-TR-009. (2005)"},{"key":"1968_CR25","doi-asserted-by":"publisher","unstructured":"Luburic N, Sladic G, Milosaljevic B Applicability issues in security requirements engineering for agile development, Proc. International Conference on Applied Internet and Information Technologies, Bitola, Macedonia, DOI:https:\/\/doi.org\/10.20544\/AIIT2018.I02.(2018)","DOI":"10.20544\/AIIT2018.I02."},{"key":"1968_CR26","unstructured":"Poller A, Kocksch L, Turpe S, EPP F. A, Kinder-Kurlansa K. Can security become a routine?: A study of organizational changes in an agile software development group, Cumputer Supported Cooperative Work (CSCW), Portland, Oregon, USA, pp 2849-2503"},{"issue":"1","key":"1968_CR27","doi-asserted-by":"publisher","first-page":"79","DOI":"10.1007\/s00766-005-0020-7","volume":"11","author":"T Gorschek","year":"2007","unstructured":"Gorschek T, Wohlin C. Requirements abstraction model. Requirements Eng. 2007;11(1):79\u2013101.","journal-title":"Requirements Eng"},{"issue":"1","key":"1968_CR28","doi-asserted-by":"publisher","first-page":"11","DOI":"10.1111\/j.1539-6924.1981.tb01350.x","volume":"1","author":"S Kaplan","year":"1981","unstructured":"Kaplan S, Garrik BJ. On the quantitate definition of risk. Risk Anal. 1981;1(1):11\u201327.","journal-title":"Risk Anal"},{"key":"1968_CR29","volume-title":"Computer security, principles and practice","author":"W Stalling","year":"2007","unstructured":"Stalling W, Brown L. Computer security, principles and practice. Hoboken: Prentice hall; 2007."},{"key":"1968_CR30","unstructured":"http:\/\/www.3gpp.org\/SON, Accessed 2021\u201303\u201309"},{"key":"1968_CR31","unstructured":"http:\/\/www.3gpp.org\/ftp\/Specs\/html-info\/25484.htm, Accessed 2021\u201303\u201309"},{"key":"1968_CR32","unstructured":"Yin R. K Case study research: Design and Methods, Fourth Edition, Applied Social Research Methods Series. (2009)"},{"issue":"2","key":"1968_CR33","doi-asserted-by":"publisher","first-page":"131","DOI":"10.1007\/s10664-008-9102-8","volume":"14","author":"P Runeson","year":"2009","unstructured":"Runeson P, H\u00f6st M. Guidelines for conducting and reporting case study research in software engineering. J Empirical Softw Eng Springer. 2009;14(2):131\u201364.","journal-title":"J Empirical Softw Eng Springer"},{"key":"1968_CR34","doi-asserted-by":"publisher","DOI":"10.1136\/bmj.311.7000.299","author":"J Kitzinger","year":"1995","unstructured":"Kitzinger J. Qualitative research: introducing focusgroups. BMJ. 1995. https:\/\/doi.org\/10.1136\/bmj.311.7000.299.","journal-title":"BMJ"},{"issue":"11","key":"1968_CR35","doi-asserted-by":"publisher","first-page":"1451","DOI":"10.1016\/j.ijnurstu.2010.06.004","volume":"47","author":"DF Polit","year":"2010","unstructured":"Polit DF, Tatano Beck C. Generalization in quantitative and qualitative research: myths and strategies. Int J Nurs Stud. 2010;47(11):1451\u20138.","journal-title":"Int J Nurs Stud"},{"issue":"4","key":"1968_CR36","doi-asserted-by":"publisher","first-page":"419","DOI":"10.1108\/JQME-09-2013-0062","volume":"21","author":"JB Samuel","year":"2015","unstructured":"Samuel JB, Marathamuthu MS, Murugaiah U. The use of 5-WHYs technique to eliminate OEE\u2019s speed loss in a manufacturing firm. J Qual Maint Eng. 2015;21(4):419\u201343.","journal-title":"J Qual Maint Eng"},{"issue":"1","key":"1968_CR37","doi-asserted-by":"publisher","first-page":"58","DOI":"10.1109\/MS.2003.1159030","volume":"20","author":"I Alexander","year":"2003","unstructured":"Alexander I. Misuse cases: use cases with hostile intent. IEEE Softw. 2003;20(1):58\u201366.","journal-title":"IEEE Softw"},{"key":"1968_CR38","doi-asserted-by":"crossref","unstructured":"Salehie M, Pasquale L, Omoronyia I, Ali R, and Nuseibeh B Requirements-driven adaptive security: Protecting variable assets at runtime, 20th IEEE International Requirements Engineering Conference (RE), Chicago, IL, USA, pp. 111-120. (2012)","DOI":"10.1109\/RE.2012.6345794"},{"key":"1968_CR39","doi-asserted-by":"publisher","DOI":"10.1007\/978-1-4615-5269-7","volume-title":"Non-functional requirements in software engineering","author":"L Chung","year":"2000","unstructured":"Chung L, Nixon BA, Yu E, Mylopoulos J. Non-functional requirements in software engineering. Dordrecht: Kluwer Academic Publishers; 2000."},{"key":"1968_CR40","unstructured":"Burge J, Brown D (2002) NFRs: fact or fiction? Worcester Polytechnic Institute, Technical Report, WPI-CS-TR-02\u201301."},{"key":"1968_CR41","unstructured":"http:\/\/commoncriteriaportal.org. Accessed 2019\u201303\u201330"},{"key":"1968_CR42","unstructured":"Wilander J, Gustavsson J Security requirements - a field study of current practices, E-Proc. The Symposium on Requirements Engineering for Information Security (SREIS), Paris, France. (2005)"},{"issue":"1","key":"1968_CR43","doi-asserted-by":"publisher","first-page":"133","DOI":"10.1109\/TSE.2007.70754","volume":"34","author":"CB Haley","year":"2008","unstructured":"Haley CB, Laney R, Moffett J, Nuseibeh B. Security requirements engineering: a framework for representation and analysis. IEEE Trans Softw Eng. 2008;34(1):133\u201353.","journal-title":"IEEE Trans Softw Eng"},{"issue":"4","key":"1968_CR44","doi-asserted-by":"publisher","first-page":"10","DOI":"10.1109\/MSP.2005.103","volume":"3","author":"A Apvrille","year":"2005","unstructured":"Apvrille A, Pourzandi M. Security software development by example. IEEE Secur Priv. 2005;3(4):10\u20137.","journal-title":"IEEE Secur Priv"},{"key":"1968_CR45","doi-asserted-by":"crossref","unstructured":"Bostr\u00f6m B, W\u00e4yrynen J, Boden M (2006) Extending XP practices to support security requirements engineering International Workshop on Software Engineering for Secure Systems (SESS). Shanghai, pp. 11\u201318","DOI":"10.1145\/1137627.1137631"},{"issue":"1","key":"1968_CR46","doi-asserted-by":"publisher","first-page":"557","DOI":"10.1007\/s00766-017-0279-5","volume":"23","author":"A Souag","year":"2018","unstructured":"Souag A, Mazo R, Salinesi C, Comyn-Wattiau I. Using the AMAN-DA method to generate security requirements: a case study in the maritime domain. Requirements Eng. 2018;23(1):557\u201380.","journal-title":"Requirements Eng"},{"key":"1968_CR47","doi-asserted-by":"publisher","first-page":"439","DOI":"10.1007\/s00766-020-00338-w","volume":"25","author":"H Villamizar","year":"2020","unstructured":"Villamizar H, Kalinowski M, Garcia A, Mendez D. An efficient approach for reviewing security-related aspects in agile requirements specifications of web applications. Requirements Eng. 2020;25:439\u201368.","journal-title":"Requirements Eng"},{"key":"1968_CR48","doi-asserted-by":"crossref","unstructured":"Vasilevskaya M, Nadjm-Tehrani S Model-based Security Risk Analysis for Networked Embedded Systems, Proc. The 9th International Conference on Critical Information Infrastructures Security (CRITIS) Limassol, Cyprus, pp. 381\u2013386. (2014)","DOI":"10.1007\/978-3-319-31664-2_39"},{"issue":"3","key":"1968_CR49","doi-asserted-by":"publisher","first-page":"90","DOI":"10.1109\/MSP.2004.17","volume":"2","author":"P Hope","year":"2004","unstructured":"Hope P, McGraw G, Anton AI. Misuse and abuse cases: getting past the positive. IEEE Secur Priv. 2004;2(3):90\u20132.","journal-title":"IEEE Secur Priv"},{"key":"1968_CR50","doi-asserted-by":"crossref","unstructured":"Sindre G, Opdahl A.L Eliciting security requirements with misuse cases, Proc. 37th International Conference on Technology of Object Oriented Languages and Systems (TOOLS-37\u201900) Sydney, Australia, pp. 120\u2013131. (2000)","DOI":"10.1109\/TOOLS.2000.891363"},{"key":"1968_CR51","doi-asserted-by":"crossref","unstructured":"Mwambe O, Echisen I Security oriented malicious activity diagrams to support information systems security, International conference on advanced information networking and applications workshop Taipei, Taiwan, pp. 74\u201381. (2017)","DOI":"10.1109\/WAINA.2017.51"},{"issue":"1","key":"1968_CR52","first-page":"79","volume":"2","author":"A Behnia","year":"2012","unstructured":"Behnia A, Abd Rashid R, Chaudhry JA. A survey of information security risk analysis methods. Smart Comput Rev. 2012;2(1):79\u201364.","journal-title":"Smart Comput Rev"},{"key":"1968_CR53","doi-asserted-by":"publisher","first-page":"251","DOI":"10.1007\/s00766-015-0220-8","volume":"21","author":"A Souag","year":"2016","unstructured":"Souag A, Mazo A, Salinesi C, Comyn-Wattiau I. Reusable knowledge in security requirements engineering: a systematic mapping study. Requirement Eng. 2016;21:251\u201383.","journal-title":"Requirement Eng"},{"key":"1968_CR54","unstructured":"Cruzes D, Gilje Jaatun M, Bernsmed K, Tondel I.A Challenges and experinces with applying Microsoft Threat Modeling in Agile Development Projects, 25th Australasian Software Engineering Conference, Adelaide, Australia, pp. 111\u2013120. (2018)"},{"key":"1968_CR55","doi-asserted-by":"crossref","unstructured":"Morrison P, Smith B.H, Williams L Surveying security practice adherence in software development, Proc. of the Hot Topics in Science of Security: Symposium and Bootcamp, ACM International Conference Proceeding Series Part F127186, New York, USA, pp. 85\u201394. (2017)","DOI":"10.1145\/3055305.3055312"}],"container-title":["SN Computer Science"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-023-01968-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s42979-023-01968-x\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s42979-023-01968-x.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,10,23]],"date-time":"2024-10-23T04:39:21Z","timestamp":1729658361000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s42979-023-01968-x"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,6,27]]},"references-count":55,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2023,9]]}},"alternative-id":["1968"],"URL":"https:\/\/doi.org\/10.1007\/s42979-023-01968-x","relation":{},"ISSN":["2661-8907"],"issn-type":[{"value":"2661-8907","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,6,27]]},"assertion":[{"value":"28 June 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"27 May 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"27 June 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"Ardi and Gustafsson are both employed at Ericsson AB, full time. Sandahl is employed full time at Link\u00f6ping University and is a senior member of IEEE.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}}],"article-number":"488"}}