e-Informatica Software Engineering Journal SIoT Framework: Towards an Approach for Early Identification of Security Requirements for Internet-of-things Applications

SIoT Framework: Towards an Approach for Early Identification of Security Requirements for Internet-of-things Applications

[1]Ronald Jabangwe and Anh Nguyen-Duc, "SIoT Framework: Towards an Approach for Early Identification of Security Requirements for Internet-of-things Applications", In e-Informatica Software Engineering Journal, vol. 14, no. 1, pp. 77–95, 2020. DOI: 10.37190/e-Inf200103.

Get article (PDF)View article entry (BibTeX)


Ronald Jabangwe, Anh Nguyen-Duc


Background: Security has become more of a concern with the wide deployment of Internet-of-things (IoT) devices. The importance of addressing security risks early in the development lifecycle before pushing to market cannot be over emphasized.
Aim: To this end, we propose a conceptual framework to help with identifying security concerns early in the product development lifecycle for Internet-of-things, that we refer to as SIoT (Security for Internet-of-Things).
Method: The framework adopts well known security engineering approaches and best practices, and systematically builds on existing research work on IoT architecture.
Results: Practitioners at a Norwegian start-up company evaluated the framework and found it useful as a foundation for addressing critical security concerns for IoT applications early in the development lifecycle. The output from using the framework can be a checklist that can be used as input during security requirements engineering activities for IoT applications.
Conclusions: However, security is a multi-faced concept; therefore, users of the SIoT framework should not view the framework as a panacea to all security threats. The framework may need to be refined in the future, particularly to improve its completeness to cover various IoT contexts.


security requirement; Internet-of-things; Software Engineering; Requirement Engineering; Security Framework


1. S. Lucero, “IoT platforms: Enabling the Internet of Things,” IHS Technology, Whitepaper, 2016. [Online]. https://www.esparkinfo.com/wp-content/uploads/2018/11/enabling-IOT.pdf

2. L. Chung, B.A. Nixon, E. Yu, and J. Mylopoulos, Non-Functional Requirements in Software Engineering , International Series in Software Engineering. Springer, 2000. [Online]. https://www.springer.com/gp/book/9780792386667

3. A. Olmsted, “Secure software development through non-functional requirements modeling,” in International Conference on Information Society (i-Society) , 2016, pp. 22–27.

4. S. Myagmar, A.J. Lee, and W. Yurcik, “Threat modeling as a basis for security requirements,” in Proceedings of the IEEE Symposium on Requirements Engineering for Information Security , 2005.

5. F. Swiderski and W. Snyder, Threat Modeling . Microsoft Press, 2004.

6. A.N. Duc, R. Jabangwe, P. Paul, and P. Abrahamsson, “Security challenges in IoT development: A software engineering perspective,” in Proceedings of the XP2017 Scientific Workshops , XP ’17. ACM, 2017, pp. 11:1–11:5.

7. A.S. Sani, D. Yuan, J. Jin, L. Gao, S. Yu, and Z.Y. Dong, “Cyber security framework for internet of things-based energy internet,” Future Generation Computer Systems , Vol. 93, No. 4, 2019, pp. 849–859.

8. I. Jacobson, I. Spence, and P.W. Ng, “Is there a single method for the internet of things?” Queue , Vol. 60, No. 11, 2017.

9. P. Patel and D. Cassou, “Enabling high-level application development for the Internet of Things,” Journal of Systems and Software , Vol. 103, 2015, pp. 62–84.

10. B. Morin, N. Harrand, and F. Fleurey, “Model-based software engineering to tame the IoT jungle,” IEEE Software , Vol. 34, No. 1, 2017, pp. 30–36.

11. K. Meridji, K.T. Al-Sarayreh, A. Abran, and S. Trudel, “System security requirements: A framework for early identification, specification and measurement of related software requirements,” Computer Standards and Interfaces , Vol. 66, 2019, p. 103346.

12. M. Ammar, G. Russello, and B. Crispo, “Internet of things: A survey on the security of IoT frameworks,” Journal of Information Security and Applications , Vol. 38, 2018, pp. 8–27. [Online]. http://www.sciencedirect.com/science/article/pii/S2214212617302934

13. P. Devanbu and S. Stubblebine, “Software engineering for security: A roadmap,” in ICSE ’00: Proceedings of the Conference on The Future of Software Engineering , 2000. [Online]. https://www.researchgate.net/publication/2393383_Software_Engineering_for_Security_a_Roadmap

14. N. Mead, “Security quality requirements engineering (SQUARE),” Software Engineering Institute, Tech. Rep., 2011.

15. G. Sindre and A.L. Opdahl, “Eliciting security requirements with misuse cases,” Requirements Engineering , Vol. 10, No. 1, 2005, pp. 34–44.

16. A. van Lamsweerde, “Elaborating security requirements by construction of intentional anti-models,” in Proceedings. 26th International Conference on Software Engineering , 2004, pp. 148–157.

17. Y. Yu, H. Kaiya, H. Washizaki, Y. Xiong, Z. Hu, and N. Yoshioka, “Enforcing a security pattern in stakeholder goal models,” in Proceedings of the 4th ACM workshop on Quality of protection , 2008, pp. 9–14.

18. S.H. Adelyar and A. Norta, “Towards a secure agile software development process,” in 10th International Conference on the Quality of Information and Communications Technology (QUATIC) , 2016, pp. 101–106.

19. K. Beznosov, “eXtreme security engineering: On employing XP practices to achieve “good enough security” without defining it,” in First ACM Workshop on Business Driven Security Engineering (BizSec) , 2005.

20. I. Ghani and N.I.A. Firdaus, “Role-based extreme programming (XP) for secure software development,” in Special Issue – Agile Symposium , 2013.

21. M.R.R. Ramesh and A. Tadepalligudem, “A survey on security requirement elicitation methods: classification, merits and demerits,” International Journal of Applied Engineering Research , 2016.

22. Q. Jing, A.V. Vasilakos, J. Wan, J. Lu, and D. Qiu, “Security of the Internet of Things: Perspectives and challenges,” Wireless Networks , 2014.

23. F. Wortmann and K. Fluchter, “Internet of Things,” Business and Information Systems Engineering , Vol. 57, No. 3, 2015, pp. 221–224.

24. H.J. La and S.D. Kim, “A service-based approach to designing cyber physical systems,” in IEEE/ACIS 9th International Conference on Computer and Information Science , 2010, pp. 895–900.

25. S. Babar, A. Stango, N. Prasad, J. Sen, and R. Prasad, “Proposed embedded security framework for internet of things (IoT),” in 2nd International Conference on Wireless Communication, Vehicular Technology, Information Theory and Aerospace Electronic Systems Technology (Wireless VITAE) , 2011, pp. 1–5.

26. A. Jacobsson, M. Boldt, and B. Carlsson, “A risk analysis of a smart home automation system,” Future Generation Computer Systems , Vol. 56, 2016, pp. 719–733.

27. G. Gan, Z. Lu, and J. Jiang, “Internet of things security analysis,” in International Conference on Internet Technology and Applications , 2011, pp. 1–4.

28. A.W. Atamli and A. Martin, “Threat-based security analysis for the internet of things,” in International Workshop on Secure Internet of Things , 2014, pp. 35–43.

29. D.H. Kim, J.Y. Cho, S. Kim, and J. Lim, A Study of Developing Security Requirements for Internet of Things (IoT) , 2015. [Online]. https://www.semanticscholar.org/paper/A-Study-of-Developing-Security-Requirements-for-of-Kim-Cho/

30. R.L. Kissel, Ed., Glossary of Key Information Security Terms . National Institute of Standards and Technology, 2013. [Online]. https://www.nist.gov/publications/glossary-key-information-security-terms-1

31. G. Stoneburner, “Underlying technical models for information technology security,” National Institute of Standards and Technology, Tech. Rep. 800-33, 2001.

32. A. Shostack, Threat Modeling: Designing for Security . Wiley, 2014.

33. A. Nguyen Duc, K. Khalid, T. Lønnestad, S. Bajwa Shahid, X. Wang, and P. Abrahamsson, “How do startups develop internet-of-things systems – A multiple exploratory case study,” in IEEE/ACM International Conference on Software and System Processes (ICSSP) , 2019, pp. 74–83.

34. A. Nguyen-Duc, X. Weng, and P. Abrahamsson, “A preliminary study of agility in business and production: Cases of early-stage hardware startups,” in Proceedings of the 12th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement , ESEM ’18. ACM, 2018, pp. 51:1–51:4.

35. A. Nguyen-Duc, S.M.A. Shah, and P. Ambrahamsson, “Towards an early stage software startups evolution model,” in 42th Euromicro Conference on Software Engineering and Advanced Applications (SEAA) , 2016, pp. 120–127.

36. M. Hassanalieragh, A. Page, T. Soyata, G. Sharma, M. Aktas, G. Mateos, B. Kantarci, and S. Andreescu, “Health monitoring and management using Internet-of-Things (IoT) sensing with cloud-based processing: Opportunities and challenges,” in IEEE International Conference on Services Computing , 2015, pp. 285–292.

37. X. Sun and C. Wang, “The research of security technology in the internet of things,” in Advances in Computer Science, Intelligent System and Environment , Advances in Intelligent and Soft Computing, D. Jin and S. Lin, Eds. Springer, 2011, pp. 113–119.

38. H. Suo, J. Wan, C. Zou, and J. Liu, “Security in the internet of things: A review,” in International Conference on Computer Science and Electronics Engineering , Vol. 3, 2012, pp. 648–651.

39. National Institute of Standards and Technology, “Standards for security categorization of federal information and information systems,” U.S. Department of Commerce, Tech. Rep. Federal Information Processing Standard (FIPS) 199, 2004.

40. F.Y. Sattarova and T.H. Kim, “IT security review: Privacy, protection, access control, assurance and system security,” International Journal of Multimedia and Ubiquitous Engineering , Vol. 2, No. 2, 2007, pp. 17–31.

41. L. Bass, P. Clements, and R. Kazman, Software architecture in practice . Addison-Wesley, 2003.

42. D. Fischer, B. Markscheffel, S. Frosch, and D. Buettner, “A survey of threats and security measures for data transmission over GSM/ UMTS networks,” in International Conference for Internet Technology and Secured Transactions , 2012, pp. 477–482.

43. M. Scholl, K. Stine, J. Hash, P. Bowen, L. Johnson, C. Smith, and D. Steinberg, “An introductory resource guide for implementing the health insurance portability and accountability act (HIPAA) security rule,” National Institute of Standards and Technology, Tech. Rep. 800-66, 2008. [Online]. https://csrc.nist.gov/publications/detail/sp/800-66/rev-1/final

44. K. Scarfone, D. Dicoi, M. Sexton, K. Scarfone, D. Dicoi, M. Sexton, C. Tibbs, and C.M. Gutierrez, “Guide to securing legacy IEEE 802.11 wireless networks recommendations of the national,” NIST, Tech. Rep. 800-48 Rev 1, 2008.

45. D. Gislason, Zigbee Wireless Networking . Newnes, 2008.

46. P. Mell and T. Grance, “The NIST definition of cloud computing,” National Institute of Standards and Technology, Tech. Rep. 800-145, 2011.

47. S. Caplan, “Using focus group methodology for ergonomic design,” Ergonomics , Vol. 33, No. 5, 1990, pp. 527–533.

48. K. Garmer, J. Ylven, and M. Karlsson, “User participation in requirements elicitation comparing focus group interviews and usability tests for eliciting usability requirements for medical equipment: A case study,” International Journal of Industrial Ergonomics , Vol. 33, No. 2, 2004, pp. 85–98. [Online]. http://www.sciencedirect.com/science/article/pii/S0169814103001318

49. H. Edmunds, Focus Group Research Handbook . McGraw-Hill, 2000.

50. P. Salini and S. Kanmani, “Survey and analysis on security requirements engineering,” Computers and Electricale Engineering , Vol. 38, No. 6, 2012, pp. 1785–1797. [Online]. http://www.sciencedirect.com/science/article/pii/S0045790612001644

51. M. Sliger, Agile project management with Scrum . Project Management Institute, 2011.

©2015 e-Informatyka.pl, All rights reserved.

Built on WordPress Theme: Mediaphase Lite by ThemeFurnace.