James Barela, T. Gasiba, S. Suppan, Marc Berges, Kristian Beckers
Many people are unaware of the digital dangers that lie around each cyber-corner. Teaching people how to recognize dangerous situations is crucial, especially for those who work on or with computers. We postulated that interactive graphic vignettes could be a great way to expose professionals to dangerous situations and demonstrate the effects of their choices in these situations. In that way, we aimed to inoculate employees against cybersecurity threats. We used the Comic-BEE platform to create interactive security awareness vignettes and evaluated how employees of a major industrial company perceived them. To analyse the potential of these comics, we ran an evaluation study as part of a capture-the-flag (CTF) event, an interactive exercise for hacking vulnerable software. We evaluated whether the comics fulfilled our requirements based on the responses of the participants. We showed the comics, on various cybersecurity concepts, to 20 volunteers. In the context of a CTF event, our requirements were not fulfilled. Most participants considered the images distracting, stating a preference for text-only material.
"When Interactive Graphic Storytelling Fails." James Barela, T. Gasiba, S. Suppan, Marc Berges, Kristian Beckers. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00034
Yui Yamashita, Masaru Onodera, Koichi Shimoda, Y. Tobe
We could use a "mood" meter daily or regularly to check our own mental health condition, in the same way as we use weight meters. When performing emotion recognition from human speech, often only one of the linguistic information or the prosodic features contained in speech is used. However, by capturing both sides of speech, which is a means of human communication, emotion recognition can be expected to be more accurate. Against this background, we have developed PNViz, the Positive-and-Negative Polarity Visualizer, an application running on an Android phone that shows the state of positiveness of mental health from a short recorded voice message. PNViz consists of the smartphone application and an analysis server, where the recorded voice is processed with both lexical and phonetic analyses to calculate a score ranging from -1 to 1. The calculated score is continuously logged and shown to the user, and is thus expected to encourage the user to take refreshing breaks or holidays.
"Emotion-Polarity Visualizer on Smartphone." Yui Yamashita, Masaru Onodera, Koichi Shimoda, Y. Tobe. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00020
Although users feel more engaged when they are involved in the elicitation, negotiation and prioritization of requirements for a product or service they are using, the quality of crowdsourced requirements remains an issue. Simple notations like user stories have been highly adopted by practitioners in agile development to capture requirements for a software product, but their utilization in crowdsourced requirements engineering is still scarce. Through a case study of a web application for sports tournament planning, we investigate how a dedicated platform for user story writing in crowd requirements engineering is valued by its users and we show that the delivered requirements are not inferior to those written by professionals.
"User Story Writing in Crowd Requirements Engineering: The Case of a Web Application for Sports Tournament Planning." A. Menkveld, S. Brinkkemper, F. Dalpiaz. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00037
Many industrial IT security standards and policies mandate the usage of a secure coding methodology in the software development process. This implies two different aspects: secure coding must be based on a set of secure coding guidelines, and software developers must be aware of these secure coding practices. On the one side, secure coding guidelines seem a bit like a black art: while there exist abstract guidelines that are widely accepted, low-level secure coding guidelines for different programming languages are scarce. On the other side, once a set of secure coding guidelines is chosen, a good methodology is needed to make them known to the people who should be using them, i.e. software developers. Motivated both by the secure coding requirements from industry standards and by the mandate to train staff on IT security from the global industry initiative "Charter of Trust", this paper presents an overview of important research questions on how to choose secure coding guidelines and on how to raise software developer awareness for secure coding using serious games.
"Raising Secure Coding Awareness for Software Developers in the Industry." T. Gasiba, U. Lechner. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00030
Alvine Boaye Belle, T. Lethbridge, Sègla Kpodjedo, O. Adesina, Miguel Garzón
Assurance cases are a well-established structured technique used to document a reasoned, auditable argument supporting that a system meets desirable properties (e.g., safety or security). Assurance cases are becoming increasingly popular, and are being used to make safety and cyber-security arguments about medical, automotive and aviation systems. Current methods usually assess confidence in assurance cases, but only with evidence available at design-time. However, real-world situations demand consideration of evidence that is also available at run-time. In this paper, we introduce a novel confidence measure called INCIDENCE (weIghted assuraNCe confIDENCE). The measure considers evidence available at both design time and run time, and is suitable for the assessment of assurance cases represented using Goal Structuring Notation (GSN), a popular notation for representing assurance cases. We rely on the confidence measure to derive an uncertainty measure that can be used to measure technical debt (requirement debt) for software systems. We illustrate our work through an example focusing on feature identification.
"A Novel Approach to Measure Confidence and Uncertainty in Assurance Cases." Alvine Boaye Belle, T. Lethbridge, Sègla Kpodjedo, O. Adesina, Miguel Garzón. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00011
T. Spijkman, S. Brinkkemper, F. Dalpiaz, Anne-Fleur Hemmer, Richard van de Bospoort
Many failed software projects can be traced to bad requirements management. Additionally, there is a big gap between state of the art and practice in software architecture. For enterprise software customisation, not only do these issues apply, but additional challenges exist too. Instead of one standard software product, vendors often have to deal with customised versions with additional maintenance challenges. In this research, we apply the Requirements Engineering for Software Architecture (RE4SA) model via a multi-case study to show how the requirements engineering and software architecture disciplines can be linked, and in doing so provide improvements to both areas. Our multi-case study regards enterprise software customisation and shows improvements in requirements management and higher alignment between the software architecture and requirements.
"Specification of Requirements and Software Architecture for the Customisation of Enterprise Software: A Multi-case Study Based on the RE4SA Model." T. Spijkman, S. Brinkkemper, F. Dalpiaz, Anne-Fleur Hemmer, Richard van de Bospoort. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00015
Kristian Beckers, Duncan Ki-Aries, Seok-Won Lee, N. Mead
The preface provides an overview of the Sixth International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE'19).
"Preface Sixth International Workshop on Evolving Security and Privacy Requirements Engineering (ESPRE'19)." Kristian Beckers, Duncan Ki-Aries, Seok-Won Lee, N. Mead. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/rew.2019.00028
Goal-oriented process enhancement and discovery (GoPED) was recently proposed to take advantage of goal modeling capabilities in process mining activities. Conventional process mining aims to discover underlying process models from historical, crowdsourced event logs in an activity-oriented fashion. GoPED, however, infers goal-aligned process models from event logs enhanced with some goal-related attributes. GoPED selects the historical behaviors that have yielded sufficient levels of satisfaction for (often conflicting) goals of different stakeholders. There are three algorithms available to select the subset of event logs from three different perspectives. The main input of all three algorithms is a version of the event log (EnhancedLog) that is (1) structured as a table showing each case and its trace in one row, and (2) enhanced, row by row, with satisfaction levels of different goals. Therefore, typical event logs are not ready to be fed as-is to GoPED algorithms. This paper proposes a scheme for manipulating original event logs and turning them into EnhancedLog. Two tools were also developed and tested for this scheme: TraceMaker, to structure the log as explained above, and EnhancedLogMaker, to compute satisfaction levels of goals for all cases in the structured log.
"Data Preprocessing for Goal-Oriented Process Discovery." Mahdi Ghasemi, Daniel Amyot. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00041
K. Taveter, L. Sterling, S. Pedell, Rachel Burrows, Eliise Marie Taveter
This paper describes a method for eliciting and representing emotional requirements for sociotechnical systems in a holistic manner along with eliciting and representing functional and quality requirements. As emotional requirements are crucial in designing sociotechnical systems for e-healthcare, the application of the method in two case studies of this problem domain is described.
"A Method for Eliciting and Representing Emotional Requirements: Two Case Studies in e-Healthcare." K. Taveter, L. Sterling, S. Pedell, Rachel Burrows, Eliise Marie Taveter. 2019 IEEE 27th International Requirements Engineering Conference Workshops (REW), 2019-09-01. https://doi.org/10.1109/REW.2019.00021