Towards risk-driven security requirements management in agile software development

Dan Ionita*, Coco van der Velden, Henk Jan Klein Ikkink, Eelko Neven, Maya Daneva, Michael Kuipers

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

13 Citations (Scopus)


The focus on user stories in agile means non-functional requirements, such as security, are not always explicit. This makes it hard for the development team to implement the required functionality in a reliable, secure way. Security checklists can help but they do not consider the application’s context and are not part of the product backlog. In this paper we explore whether these issues can be addressed by a framework which uses a risk assessment process, a mapping of threats to security features, and a repository of operationalized security features to populate the product backlog with prioritized security requirements. The approach highlights the relevance of each security feature to product owners while ensuring the knowledge and time required to implement security requirements is made available to developers. We applied and evaluated the framework at a Dutch medium-sized software development company with promising results.

Original languageEnglish
Title of host publicationInformation Systems Engineering in Responsible Information Systems
Subtitle of host publicationCAiSE Forum 2019, Rome, Italy, June 3–7, 2019, Proceedings
EditorsCinzia Cappiello, Marcela Ruiz
Place of PublicationCham
Number of pages12
ISBN (Print)9783030212964
Publication statusPublished - 1 Jan 2019
Event31st International Conference on Advanced Information Systems Engineering, CAiSE 2019: CAiSE - Rome, Italy
Duration: 3 Jun 20197 Jun 2019
Conference number: 31

Publication series

NameLecture Notes in Business Information Processing
ISSN (Print)1865-1348
ISSN (Electronic)1865-1356


Conference31st International Conference on Advanced Information Systems Engineering, CAiSE 2019


  • Empirical research method
  • Risk assessment
  • Secure software development
  • Security requirements


Dive into the research topics of 'Towards risk-driven security requirements management in agile software development'. Together they form a unique fingerprint.

Cite this