1. 2010 CRC PhD Student Conference
A Release Planning Model to Handle Security
Requirements
Saad Bin Saleem
Center of Research in Computing, Open University
s.b.saleem@open.ac.uk
Basic information
Supervisors: Dr. Charles Haley
Dr. Yijun Yu
Professor Bashar Nuseibeh
Professor Anne De Roeck
Department: Computing
Status: Full-time Research Student
Probation Viva: Probably in November, 2010
Starting Date: Joined OU at 1st February 2010
Background
Nowadays usage of computer technology is growing rapidly and almost everybody in the world is
depending on computer systems [1]. More and more people and organizations are using computer
systems to process, store and manage their highly sensitive data [2]. Any loss, theft and alteration of
this data from computer systems can cause a serious incident, which may consequently cause to
human disasters. Therefore, proper security of computer systems is very important to avoid any kind
of unlikely events.
Software is an important component of any computer system and a software security failure can cause
malfunction of overall system [1]. It is reported by many scientists and engineers that software
security related problems are increasing over the years and secure software development is still a
challenging area for software community [3, 4].
For the development of secure software, an early inclusion of security concerns in the Software
Development Life Cycle (SDLC) is suggested by many researchers [1, 4]. They consider that it will be
very helpful to improve overall software security and can be useful to solve common security threats
at design and architecture level [1, 4]. For this purpose, understanding of security requirements at
early stages of SDLC is very important, as security requirements are ignored in most of the cases [5,
6]. It is also considered that software security is much related to confidentiality, availability and
integrity [7]. But in some cases security is much more than that and depends on many other constraints
like stakeholders, etc [6, 7]. To elicit all kinds of security requirements, a systematic procedure named
Security Requirements Engineering (SRE) is suggested in the literature [5]. This process insures that
elicited security requirements should be complete, consistent and easy to understand [5].
A Requirement Engineering (RE) process consists of many stages from elicitation to requirements
validation and Release Planning (RP). RP is considered an important phase of RE in bespoke and
market driven software development. RP is divided into two major subtypes named as strategic RP
and operational RP [9, 12]. The idea of selecting an optimum set of features or requirements to deliver
in a release is called strategic RP or road-mapping and it is performed at product level [9, 10]. On the
other hand allocation of resources for realization of a product is called operational RP and performed
to decide when a product release should be delivered [10].
In the RP process, it is a common phenomenon to select as much functional requirements or features
in a release and deliver to customer or market as soon as possible [11]. In this way, there is a chance
Page 122 of 125

2. 2010 CRC PhD Student Conference
to compromise some quality requirements in general and security requirements in particular which
consequently lead to compromise with many threats to software [15]. Some existing models of RP
deals with quality requirements as technical constraints in general (hard constraints) but not
specifically consider these requirements for prioritization with other functional requirements [11, 12, 9
and 15]. Therefore, identifying and fixing any security concerns during selection of requirements for a
release, and before deciding time to delivery, can make software less prone to security failures. It can
also help in delivering incremental security as organizations cannot hundred percent claim about the
security of software product and always need to improve further.
Based on the above discussion, it is observed that security requirements needs to be consider in RP for
better product strategies and delivery of secure software to customer. So, there is a need to align
security requirements with RP by developing a model which treats security requirements separately
for strategic and operational RP to release secure software
Current research in SRE is aiming to improve existing methods to elicit, analyze, specify, validate and
manage security requirements [3, 13]. Like Charles et al have proposed a framework for eliciting
security requirements and highlighted some further research directions in the area [3]. Similarly in
RP, Ruhe et al have extended the existing approach Evolve+ with three parameters (time dependent
value functions, flexible release dates, and adjusted time dependent resource capacities) for more
improved planning. Saad & Usman had identified the need to improve existing models of RP
according to the needs of Industry [8].
So, this study will contribute in the SRE & RP research, as purpose of this study is to develop a model
which treats security requirements in conjunction with functional requirement for strategic and
operational RP. The research will be conducted in three phases. In first phase, impact of security
requirements on strategic and operational RP will be analyzed. In second phase of research a model
will be developed based on the results of first phase. In third phase, the developed model will be
validated to verify model’s effectiveness.
Research Questions
Following are preliminary research questions based on the purpose of study.
RQ1. What existing practices are in the literature to deal security requirements for strategic and
operational RP?
RQ2. What are implications of security requirements on strategic and operational RP as compare to
functional requirements and/or other quality requirements?
RQ3. Which is an appropriate mechanism for developing a model to treat security requirements
as separate requirements instead constraints for prioritization of functional requirements?
RQ4. What kind of other constraints the model should consider for developing strategic and
operational RP?
RQ5. To what extent the proposed model is effective?
Research Methodology
Qualitative and quantitative research methodologies will be selected to conduct the research in two
different stages [14]. The literature review and Industrial Interviews will be used as strategies of
inquiry in first stage of research. For example, literature review will be used to know existing practices
to deal security requirements during strategic and operational RP, to analyze existing models of
strategic and operational RP and to identify any constraints that should be consider for strategic and
operational RP based on security and all other kinds of requirements. Similarly, industrial interviews
will be used beside with literature review to know any implications of security requirements on
strategic and operational RP. In second stage of research, Industrial Interviews and experiments will
be adopted as strategies of inquiry to validate the model’s functionality.
Page 123 of 125

3. 2010 CRC PhD Student Conference
References
[1] Mc-Graw, G “Software Security”, IEEE Computer Society (Privacy and Security), 2004
[2] C. Irvine, T. Levin, J. Wilson, D. Shifflet, & B. Peireira, “An Approach to Security Requirements
Engineering for a High Assurance System”, Journal of Requirements Engineering Journal, Vol. 7,
No. 4, pp.192-206, 2002
[3] Haley, B. C., Laney, R., Moffett, J., Nuseibeh, B., "Security Requirements Engineering: A
Framework for Representation and Analysis," IEEE Transactions on Software Engineering, vol.34,
no.1, pp.133-153, 2008
[4] Hassan, R., Bohner, S., and El-Kassas, S., “Formal Derivation of Security Design Specifications
From Security Requirements”, In Proceedings of the 4th Annual Workshop on Cyber Security and
information intelligence Research: Developing Strategies To Meet the Cyber Security and information
intelligence Challenges Ahead, pp.1-3, 2008
[5] Mellado, D., Fernández-Medina, E., & Piattini, M., “Applying a Security Requirements
Engineering Process”, Computer Security–ESORICS, Springer, pp. 192-206, 2006
[6] B. H. Cheng and J. M. Atlee, "Research Directions in Requirements Engineering," Future of
Software Engineering, (FOSE07), pp. 285-303, 2007
[7] A. Avizienis, J. C. Laprie, B. Randell, and C. Landwehr, "Basic Concepts and Taxonomy of
Dependable and Secure Computing," IEEE Transactions on Dependable and Secure Computing,
vol. 1, no. 1, pp. 11-33, 2004
[8] Saleem, B. S., Shafique. M.U., “A Study on Strategic Release Planning Models of Academia &
Industry”, Master Thesis, Blekinge Institute of Technology, Sweden, pp.1-81, 2008
[9] Al-Emran, A., Pfahl, D., “Operational Planning, Re-planning and Risk Analysis for Software
Releases”, Proceedings of the 8th International Conference on Product Focused Software Process
Improvement (PROFES), pp. 315-329, 2007
[10] Ruhe, G., Momoh, J., "Strategic Release Planning and Evaluation of Operational Feasibility, "In
Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS), vol.9,
pp. 313b, 2005
[11] Tondel, I.A.; Jaatun, M.G.; Meland, P.H., "Security Requirements for the Rest of Us: A Survey",
IEEE Software, vol.25, no.1, pp.20-27, 2008
[12] Ngo-The, A., and Ruhe, G., “A Systematic Approach for Solving the Wicked Problem of
Software Release Planning”, Soft Comput, vol. 12, no.1, pp. 95-108, 2007
[13] Jing-Song Cui; Da Zhang, "The Research and Application of Security Requirements Analysis
Methodology of Information Systems”, 2nd International Conference on Anti-counterfeiting, Security
and Identification, pp.30-36, 2008
[14] Creswell, W. J., Research Design: Qualitative, Quantitative, and Mixed Method Approaches,
Second Edition, Thousand Oaks: Sage, pp.1-246, 2003
Page 124 of 125

4. 2010 CRC PhD Student Conference
[15] Svahnberg, M., Gorschek, Feldt, R., Torkar, R., Saleem, B. S., and Shafique, U. M., “A
systematic review on strategic release planning models,” Information and Software Technology, vol.
52, no.3, pp. 237-248, 2010
[16] Elroy, J., and Ruhe, G., “When-to-release decisions for features with time-dependent value
functions,” To be Appeared in Journal of Requirements Engineering, 2010
Page 125 of 125