Abstract

Everyone agrees that security is a problem, ranging from Microsoft to the banks that have been recent victims of rogue traders. What is paradoxical is that there does not seem to be a wholehearted commitment by both academics and industry to treat this topic systematically at the top level of requirements engineering. Our vision is of a future in which we inform the security requirements engineering process by organisational theory. This would act as the bridge between the well-ordered world of the software project informed by conventional requirements and the unexpected world of anti-requirements associated with the malicious user. We frame a vision for the requirements engineering community that would involve the community solving six difficult problems.