Skip to main content

SQUARE: Requirements Engineering for Improved System Security

Researcher: Nancy Mead

Research Area: Trustworthy Computing Platforms and Devices

Cross Cutting Thrusts: Formal Methods


If security requirements are not effectively defined, the resulting system cannot be effectively evaluated for success or failure prior to implementation. Security requirements are often missing in the requirements elicitation process. The lack of validated methods is considered one of the factors. If usable approaches to security are developed and mechanisms to promote organizational use are identified, then the organization can ensure that the result product effectively meets security requirements.

SQUARE, developed in previous research, is a nine step process to accomplish that goal. (A description of SQUARE appears on DHS's Build Security In website) Additionally, a four step process called SQUARE-Lite has also been developed.

Next steps include:

  • We plan to expand SQUARE's use in acquisition organizations in addition to development organizations.

  • SQUARE education and training materials have been completed and made publicly available (licensing is required.) We will identify suitable partners for transition and gather feedback on the materials.

  • The SQUARE tool has been provided to CyLab Partners. We will explore the business case for commercialization and possible transition partners for such a task. We also plan to develop a version of the tool for SQUARE-Lite.

  • We will hold a workshop on security requirements engineering.

  • We will work with CyLab Japan to build up a research lab.