A Case Study of Introducing Security Risk Assessment in Requirements Engineering in a Large Organization
Ericsson AB, Linköping, Sweden.
Linköping University, Department of Computer and Information Science, Software and Systems. Linköping University, Faculty of Science & Engineering. (PELAB)
ORCID iD: 0000-0002-3052-5604
Ericsson AB, Linköping, Sweden.
2023 (English)
In: SN Computer Science, E-ISSN 2661-8907, Vol. 4, no 5, article id 488
Article in journal (Refereed) Published
Abstract [en]

Software products are increasingly used in critical infrastructures, and verifying the security of these products has become a necessary part of every software development project. Effective and practical methods and processes are needed by software vendors and infrastructure operators to meet the existing extensive demand for security. This article describes a lightweight security risk assessment method that flags security issues as early as possible in the software project, namely during requirements analysis. The method requires minimal training effort, adds low overhead, and makes it possible to show immediate results to affected stakeholders. We present a longitudinal case study of how a large enterprise developing complex telecom products adopted this method all the way from pilot studies to full-scale regular use. Lessons learned from the case study provide knowledge about the impact that upskilling and training of requirements engineers have on reducing the risk of malfunctions or security vulnerabilities in situations where it is not possible to have security experts go through all requirements. The case study highlights the challenges of process changes in large organizations as well as the pros and cons of having a centralized, distributed, or semi-distributed workforce for security assurance in requirements engineering.

Place, publisher, year, edition, pages
Springer, 2023. Vol. 4, no 5, article id 488
Keywords [en]
Security risk assessment, Software Engineering, Requirements Engineering
National Category
Software Engineering
Identifiers
URN: urn:nbn:se:liu:diva-199361
DOI: 10.1007/s42979-023-01968-x
Scopus ID: 2-s2.0-85163766655
OAI: oai:DiVA.org:liu-199361
DiVA, id: diva2:1815039
Funder
Linköpings universitet
Available from: 2023-11-27 Created: 2023-11-27 Last updated: 2024-09-11
Bibliographically approved

Open Access in DiVA

fulltext (1120 kB)
File information
File name: FULLTEXT01.pdf
File size: 1120 kB
Checksum SHA-512: 30d1d4a51237870c8e4148dd01d304bdb77ed68931f21962c9fa0c041ac8a1f90526219161a4042ad4e8809adb22cd69b72d3616443966b05989938479c1d604
Type: fulltext
Mimetype: application/pdf

Authority records

Sandahl, Kristian
