{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,28]],"date-time":"2026-02-28T17:52:39Z","timestamp":1772301159864,"version":"3.50.1"},"reference-count":37,"publisher":"MDPI AG","issue":"10","license":[{"start":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T00:00:00Z","timestamp":1759968000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Computers"],"abstract":"<jats:p>Security is crucial, especially as software systems become increasingly complex. Both practitioners and researchers advocate for the early integration of security requirements (SR) into the Software Development Life Cycle (SDLC). However, ensuring the validation and assurance of security requirements is still a major challenge in developing secure systems. To investigate this issue, a two-phase study was carried out. First phase: a literature review was conducted on 45 relevant studies related to Security Requirements Engineering (SRE) and Security Requirements Assurance (SRA). Nine SRE techniques were examined across multiple parameters, including major categories, requirements engineering stages, project scale, and the integration of standards involving 17 distinct activities. Second phase: An empirical survey of 58 industry professionals revealed a clear disparity between the understanding of Security Requirements Engineering (SRE) and the implementation of Security Requirements Assurance (SRA). While statistical analyses (ANOVA, regression, correlation, Kruskal\u2013Wallis) confirmed a moderate grasp of SRE practices, SRA remains poorly understood and underapplied. Unlike prior studies focused on isolated models, this research combines practical insights with comparative analysis, highlighting the systemic neglect of SRA in current practices. The findings indicate the need for stronger security assurance in early development phases, offering targeted, data-driven recommendations for bridging this gap.<\/jats:p>","DOI":"10.3390\/computers14100429","type":"journal-article","created":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T12:32:47Z","timestamp":1760099567000},"page":"429","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Security Requirements Engineering: A Review and Analysis"],"prefix":"10.3390","volume":"14","author":[{"given":"Aftab Alam","family":"Janisar","sequence":"first","affiliation":[{"name":"Department of Computing Universiti Teknologi PETRONAS, 32610 Seri Iskandar, Perak, Malaysia"}]},{"given":"Ayman","family":"Meidan","sequence":"additional","affiliation":[{"name":"Faculty of Computer Studies, Arab Open University, P.O. Box 800, Riyadh 11421, Saudi Arabia"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8383-2395","authenticated-orcid":false,"given":"Khairul Shafee bin","family":"Kalid","sequence":"additional","affiliation":[{"name":"Department of Computing Universiti Teknologi PETRONAS, 32610 Seri Iskandar, Perak, Malaysia"}]},{"given":"Abdul Rehman","family":"Gilal","sequence":"additional","affiliation":[{"name":"Knight Foundation School of Computing and Information Sciences, Florida International University, Miami, FL 33199, USA"}]},{"given":"Aliza Bt","family":"Sarlan","sequence":"additional","affiliation":[{"name":"Department of Computing Universiti Teknologi PETRONAS, 32610 Seri Iskandar, Perak, Malaysia"}]}],"member":"1968","published-online":{"date-parts":[[2025,10,9]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"8963","DOI":"10.1007\/s13369-019-04067-3","article-title":"A Systematic Review and Analytical Evaluation of Security Requirements Engineering Approaches","volume":"44","author":"Nazir","year":"2019","journal-title":"Arab. J. Sci. Eng."},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"101704","DOI":"10.1016\/j.softx.2024.101704","article-title":"E-SCORE: A web-based tool for security requirements engineering","volume":"26","author":"Hnaini","year":"2024","journal-title":"SoftwareX"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"e2521","DOI":"10.1002\/smr.2521","article-title":"Security risks of global software development life cycle: Industry practitioner\u2019s perspective","volume":"36","author":"Khan","year":"2022","journal-title":"J. Softw. Evol. Process"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"101852","DOI":"10.1016\/j.cose.2020.101852","article-title":"A maturity model for secure requirements engineering","volume":"95","author":"Niazi","year":"2020","journal-title":"Comput. Secur."},{"key":"ref_5","doi-asserted-by":"crossref","unstructured":"Sousa-Dias, D., Amyot, D., Rahimi-Kian, A., and Mylopoulos, J. (2023). A Review of Cybersecurity Concerns for Transactive Energy Markets. Energies, 16.","DOI":"10.3390\/en16134838"},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1348","DOI":"10.1016\/j.procs.2024.03.133","article-title":"Software Development Teams Knowledge and Awareness of Security Requirement Engineering and Security Requirement Elicitation and Analysis","volume":"234","author":"Janisar","year":"2024","journal-title":"Procedia Comput. Sci."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"177","DOI":"10.1007\/s00766-023-00411-0","article-title":"Advances in automated support for requirements engineering: A systematic literature review","volume":"29","author":"Umar","year":"2024","journal-title":"Requir. Eng."},{"key":"ref_8","doi-asserted-by":"crossref","first-page":"107477","DOI":"10.1016\/j.infsof.2024.107477","article-title":"Machine learning for requirements engineering (ML4RE): A systematic literature review complemented by practitioners\u2019 voices from Stack Overflow","volume":"172","author":"Li","year":"2024","journal-title":"Inf. Softw. Technol."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Ozkaya, M., Akdur, D., Toptani, E.C., Kocak, B., and Kardas, G. (2023). Practitioners\u2019 Perspectives towards Requirements Engineering: A Survey. Systems, 11.","DOI":"10.3390\/systems11020065"},{"key":"ref_10","unstructured":"Holthouse, R., Owens, S., and Bhunia, S. (2025). The 23andMe Data Breach: Analyzing Credential Stuffing Attacks, Security Vulnerabilities, and Mitigation Strategies. arXiv."},{"key":"ref_11","unstructured":"Gentles, J., Fields, M., Goodman, G., and Bhunia, S. (2025). Breaking the Vault: A Case Study of the 2022 LastPass Data Breach. arXiv."},{"key":"ref_12","doi-asserted-by":"crossref","first-page":"1","DOI":"10.4018\/IJCWT.315651","article-title":"Cyber kill chain analysis of five major US data breaches: Lessons learnt and prevention plan","volume":"12","author":"Sebastian","year":"2022","journal-title":"Int. J. Cyber Warf. Terror. (IJCWT)"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"e30050","DOI":"10.2196\/30050","article-title":"Assessing the Legal Aspects of Information Security Requirements for Health Care in 3 Countries: Scoping Review and Framework Development","volume":"9","author":"Yeng","year":"2022","journal-title":"JMIR Hum Factors"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"377","DOI":"10.1007\/s00766-023-00399-7","article-title":"The state-of-practice in requirements specification: An extended interview study at 12 companies","volume":"28","author":"Franch","year":"2023","journal-title":"Requir. Eng."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Worakitpreeda, N., and Pongpaibul, M. (2021, January 18\u201320). Framework for Eliciting Security Requirements of Web Application from Business Users. Proceedings of the 2021 25th International Computer Science and Engineering Conference (ICSEC), Chiang Rai, Thailand.","DOI":"10.1109\/ICSEC53205.2021.9684600"},{"key":"ref_16","first-page":"1685","article-title":"Fuzzy logic driven security requirements engineering process","volume":"42","author":"Sadiq","year":"2021","journal-title":"J. Inf. Optim. Sci."},{"key":"ref_17","doi-asserted-by":"crossref","first-page":"45","DOI":"10.15282\/ijsecs.8.1.2022.5.0095","article-title":"SecRS template to aid novice developers in security requirements identification and documentation","volume":"8","author":"Qadir","year":"2022","journal-title":"Int. J. Softw. Eng. Comput. Syst."},{"key":"ref_18","first-page":"1","article-title":"Integrating Security Requirements Engineering into MBSE: Profile and Guidelines","volume":"Volume 2020","author":"Butleris","year":"2020","journal-title":"Security and Communication Networks"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"191","DOI":"10.1016\/j.jksuci.2018.12.005","article-title":"STORE: Security Threat Oriented Requirements Engineering Methodology","volume":"34","author":"Ansari","year":"2022","journal-title":"J. King Saud Univ.-Comput. Inf. Sci."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Khan, R.A., and Khan, S.U. (2018, January 27\u201329). A preliminary structure of software security assurance model. Proceedings of the 13th International Conference on Global Software Engineering, Gothenburg, Sweden.","DOI":"10.1145\/3196369.3196385"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"100496","DOI":"10.1016\/j.cosrev.2022.100496","article-title":"System security assurance: A systematic literature review","volume":"45","author":"Shukla","year":"2022","journal-title":"Comput. Sci. Rev."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Katt, B., and Prasher, N. (2018, January 24\u201328). Quantitative security assurance metrics. Proceedings of the 12th European Conference on Software Architecture: Companion Proceedings, Madrid, Spain.","DOI":"10.1145\/3241403.3241464"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"70","DOI":"10.1007\/s10664-021-09971-7","article-title":"Security assurance cases\u2014State of the art of an emerging approach","volume":"26","author":"Mohamad","year":"2021","journal-title":"Empir. Softw. Eng."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1016\/j.cose.2019.03.010","article-title":"Threat modeling\u2014A systematic literature review","volume":"84","author":"Xiong","year":"2019","journal-title":"Comput. Secur."},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Sabau, A.R., Lammers, D., and Lichter, H. (2025). SecuRe\u2014An Approach to Recommending Security Design Patterns. arXiv.","DOI":"10.1109\/ICSA-C65153.2025.00037"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"73","DOI":"10.1007\/s00766-024-00416-3","article-title":"Improving requirements completeness: Automated assistance through large language models","volume":"29","author":"Luitel","year":"2024","journal-title":"Requir. Eng."},{"key":"ref_27","doi-asserted-by":"crossref","first-page":"107702","DOI":"10.1016\/j.infsof.2025.107702","article-title":"Beyond domain dependency in security requirements identification","volume":"182","author":"Casillo","year":"2025","journal-title":"Inf. Softw. Technol."},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Lins, F.A.A., Freitas, F.A., N\u00f3brega, O.O., and Valen\u00e7a, G. (2024, January 10\u201313). Security Requirements Engineering Approaches for IoT-Based Systems: A Comprehensive Review and Open Research Challenges. Proceedings of the 2024 IEEE 10th World Forum on Internet of Things (WF-IoT), Ottawa, ON, Canada.","DOI":"10.1109\/WF-IoT62078.2024.10811372"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Bhole, M., Kastner, W., and Sauter, T. (2024, January 3\u20136). From manual to semi-automated safety and security requirements engineering: Ensuring compliance in industry 4.0. Proceedings of the IECON 2024-50th Annual Conference of the IEEE Industrial Electronics Society, Chicago, IL, USA.","DOI":"10.1109\/IECON55916.2024.10905636"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Aviv, I., Svetinovic, D., and Lee, S.-W. (2024, January 24\u201325). Requirements Engineering for Web3 Systems: Preface. Proceedings of the 2024 IEEE 32nd International Requirements Engineering Conference Workshops (REW), Reykjavik, Iceland.","DOI":"10.1109\/REW61692.2024.00049"},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"47518","DOI":"10.1109\/ACCESS.2024.3380888","article-title":"Toward a Holistic Privacy Requirements Engineering Process: Insights From a Systematic Literature Review","volume":"12","author":"Herwanto","year":"2024","journal-title":"IEEE Access"},{"key":"ref_32","first-page":"4041","article-title":"An Improved Hybrid Deep Learning Approach for Security Requirements Classification","volume":"82","author":"Hassan","year":"2025","journal-title":"Comput. Mater. Contin."},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Span, M.T., Salinger, G., Rayno, M., and Daily, J. (2024, January 16\u201319). Security Requirements Engineering: A Survey for the Systems Engineer. Proceedings of the 2024 IEEE International Symposium on Systems Engineering (ISSE), Perugia, Italy.","DOI":"10.1109\/ISSE63315.2024.10741103"},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"2003","DOI":"10.21275\/SR23822112511","article-title":"Synergizing Requirements Engineering and Quality Assurance: A Comprehensive Exploration in Software Quality Engineering","volume":"12","author":"Pargaonkar","year":"2023","journal-title":"Int. J. Sci. Res. (IJSR)"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"488","DOI":"10.1007\/s42979-023-01968-x","article-title":"A Case Study of Introducing Security Risk Assessment in Requirements Engineering in a Large Organization","volume":"4","author":"Ardi","year":"2023","journal-title":"SN Comput. Sci."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"102697","DOI":"10.1016\/j.cose.2022.102697","article-title":"Assessing frameworks for eliciting privacy & security requirements from laws and regulations","volume":"117","author":"Olukoya","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_37","first-page":"1326","article-title":"Securing Software Development: A Holistic Exploration of Security Awareness in Software Development Teams","volume":"14","author":"Janisar","year":"2024","journal-title":"Int. J. Acad. Res. Bus. Soc. Sci."}],"container-title":["Computers"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/10\/429\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T12:46:21Z","timestamp":1760100381000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-431X\/14\/10\/429"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,10,9]]},"references-count":37,"journal-issue":{"issue":"10","published-online":{"date-parts":[[2025,10]]}},"alternative-id":["computers14100429"],"URL":"https:\/\/doi.org\/10.3390\/computers14100429","relation":{},"ISSN":["2073-431X"],"issn-type":[{"value":"2073-431X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,10,9]]}}}