A maturity model for secure requirements engineering

Mahmood Niazi*, Ashraf Mohammed Saeed, Mohammad Alshayeb, Sajjad Mahmood, Saad Zafar

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

13 Scopus citations


Security is considered to be a critical software quality attribute. Tackling security at the requirements phase helps to avoid the need to rework secure software development issues. The aim of this paper is to develop a Requirements Engineering (RE) Security Maturity Model (RESMM) to assist software development organizations to better specify the requirements for secure software development. To achieve this objective, first, we conducted a systematic literature review (SLR) to identify the requirement practices for secure software development. Then we modified Sommerville's requirements engineering practices. We also conducted a questionnaire survey based on the identified security requirements practices. Next, the RESMM was built based on the results of the SLR, the modified Sommerville practices and feedback from the security practitioners. Finally, two case studies were conducted to assess RESMM. RESMM has 79 practices classified into 7 RE categories. The case study results show that RESMM has a clear structure and is easy to comprehend and use. In addition, the case study participants recommended that software organizations adopt RESMM. RESMM has the ability to identify the RE security maturity levels in software organizations. RESMM can also help software development organizations deliver secure software.

Original languageEnglish
Article number101852
JournalComputers and Security
StatePublished - Aug 2020

Bibliographical note

Funding Information:
The authors would like to acknowledge the support provided by the Deanship of Scientific Research via project number IN161024 at King Fahd University of Petroleum and Minerals, Saudi Arabia. In addition, we are grateful to the participants who evaluated the proposed model and recommended improvements.

Publisher Copyright:
© 2020

ASJC Scopus subject areas

  • Computer Science (all)
  • Law


Dive into the research topics of 'A maturity model for secure requirements engineering'. Together they form a unique fingerprint.

Cite this