Identifying security-related requirements in regulatory documents based on cross-project classification

Start Page
82
End Page
91
Citation
18th ACM International Conference on Predictive Models and Data Analytics in Software Engineering (PROMISE 2022)
Contribution to Conference
18th ACM International Conference on Predictive Models and Data Analytics in Software Engineering, PROMISE 2022  
Publisher DOI
10.1145/3558489.3559074
Scopus ID
2-s2.0-85143201827
Security is getting substantial focus in many industries, especially safety-critical ones. When new regulations and standards which can run to hundreds of pages are introduced, it is necessary to identify the requirements in those documents which have an impact on security. Additionally, it is necessary to revisit the requirements of existing systems and identify the security related ones. We investigate the feasibility of using a classifier for security-related requirements trained on requirement specifications available online. We base our investigation on 15 requirement documents, randomly selected and partially pre-labelled, with a total of 3,880 requirements. To validate the model, we run a cross-project prediction on the data where each specification constitutes a group. We also test the model on three different United Nations (UN) regulations from the automotive domain with different magnitudes of security relevance. Our results indicate the feasibility of training a model from a heterogeneous data set including specifications from multiple domains and in different styles. Additionally, we show the ability of such a classifier to identify security requirements in real-life regulations and discuss scenarios in which such a classification becomes useful to practitioners.
Subjects
Automated Requirements Engineering
Machine Learning
Requirements Classification
Security Requirements