Visible to the public Biblio

Filters: Author is Niu, Jianwei  [Clear All Filters]
A B C D E F G H I J K L M N O P Q R S T U V W X Y Z 
Hibshi, Hanan, Slavin, Rocky, Niu, Jianwei, Breaux, Travis.  2014.  Rethinking Security Requirements in RE Research.

As information security became an increasing
concern for software developers and users, requirements
engineering (RE) researchers brought new insight to security
requirements. Security requirements aim to address security at
the early stages of system design while accommodating the
complex needs of different stakeholders. Meanwhile, other
research communities, such as usable privacy and security,
have also examined these requirements with specialized goal to
make security more usable for stakeholders from product
owners, to system users and administrators. In this paper we
report results from conducting a literature survey to compare
security requirements research from RE Conferences with the
Symposium on Usable Privacy and Security (SOUPS). We
report similarities between the two research areas, such as
common goals, technical definitions, research problems, and
directions. Further, we clarify the differences between these
two communities to understand how they can leverage each
other’s insights. From our analysis, we recommend new
directions in security requirements research mainly to expand
the meaning of security requirements in RE to reflect the
technological advancements that the broader field of security is
experiencing. These recommendations to encourage crosscollaboration
with other communities are not limited to the
security requirements area; in fact, we believe they can be
generalized to other areas of RE.

Slavin, Rocky, Lehker, J.M., Niu, Jianwei, Breaux, Travis.  2014.  Managing Security Requirement Patterns Using Feature Diagram Hierarchies. IEEE 22nd International Requirements Engineering Conference.

Security requirements patterns represent reusable security practices that software engineers can apply to improve security in their system. Reusing best practices that others have employed could have a number of benefits, such as decreasing the time spent in the requirements elicitation process or improving the quality of the product by reducing product failure risk. Pattern selection can be difficult due to the diversity of applicable patterns from which an analyst has to choose. The challenge is that identifying the most appropriate pattern for a situation can be cumbersome and time-consuming. We propose a new method that combines an inquiry-cycle based approach with the feature diagram notation to review only relevant patterns and quickly select the most appropriate patterns for the situation. Similar to patterns themselves, our approach captures expert knowledge to relate patterns based on decisions made by the pattern user. The resulting pattern hierarchies allow users to be guided through these decisions by questions, which introduce related patterns in order to help the pattern user select the most appropriate patterns for their situation, thus resulting in better requirement generation. We evaluate our approach using access control patterns in a pattern user study.

Rao, Ashwini, Hibshi, Hanan, Breaux, Travis, Lehker, Jean-Michel, Niu, Jianwei.  2014.  Less is More? Investigating the Role of Examples in Security Studies using Analogical Transfer 2014 Symposium and Bootcamp on the Science of Security (HotSoS).

Information system developers and administrators often overlook critical security requirements and best practices. This may be due to lack of tools and techniques that allow practitioners to tailor security knowledge to their particular context. In order to explore the impact of new security methods, we must improve our ability to study the impact of security tools and methods on software and system development. In this paper, we present early findings of an experiment to assess the extent to which the number and type of examples used in security training stimuli can impact security problem solving. To motivate this research, we formulate hypotheses from analogical transfer theory in psychology. The independent variables include number of problem surfaces and schemas, and the dependent variable is the answer accuracy. Our study results do not show a statistically significant difference in performance when the number and types of examples are varied. We discuss the limitations, threats to validity and opportunities for future studies in this area.

Riaz, Maria, Breaux, Travis, Williams, Laurie, Niu, Jianwei.  2012.  On the Design of Empirical Studies to Evaluate Software Patterns: A Survey.

Software patterns are created with the goal of capturing expert
knowledge so it can be efficiently and effectively shared with the
software development community. However, patterns in practice
may or may not achieve these goals. Empirical studies of the use
of software patterns can help in providing deeper insight into
whether these goals have been met. The objective of this paper is
to aid researchers in designing empirical studies of software
patterns by summarizing the study designs of software patterns
available in the literature. The important components of these
study designs include the evaluation criteria and how the patterns
are presented to study participants. We select and analyze 19
distinct empirical studies and identify 17 independent variables in
three different categories (participants demographics; pattern
presentation; problem presentation). We also extract 10 evaluation
criteria with 23 associated observable measures. Additionally, by
synthesizing the reported observations, we identify challenges
faced during study execution. Provision of multiple domainspecific
examples of pattern application and tool support to assist
in pattern selection are helpful for the study participants in
understanding and completing the study task. Capturing data
regarding the cognitive processes of participants can provide
insights into the findings of the study.

Slavin, Rocky, Shen, Hui, Niu, Jianwei.  2012.  Characterizations and Boundaries of Security Requirements Patterns. IEEE 2nd Workshop on Requirements Engineering Patterns (RePa’12).

Very often in the software development life cycle, security is applied too late or important security aspects are overlooked. Although the use of security patterns is gaining popularity, the current state of security requirements patterns is such that there is not much in terms of a defining structure. To address this issue, we are working towards defining the important characteristics as well as the boundaries for security requirements patterns in order to make them more effective. By examining an existing general pattern format that describes how security patterns should be structured and comparing it to existing security requirements patterns, we are deriving characterizations and boundaries for security requirements patterns. From these attributes, we propose a defining format. We hope that these can reduce user effort in elicitation and specification of security requirements patterns.