Identifying implied security requirements from functional requirements A replication on the use of security requirements templates

The elicitation of software security requirements in early stages of software development life cycle is an essential task. Using security requirements templates could help practitioners to identify implied software security requirements from functional requirements in the context of a software system. In this paper, we replicated a previous study that analyzed the effectiveness of security requirements templates to support the identification of security requirements. Our objective was to evaluate this approach and compare the applicability of the previous findings. We conducted the first replication of the controlled experiment in 2015, and subsequently conducted two differentiated replications in 2018. We evaluated the responses of 33 participants in terms of quality, coverage, relevance and efficiency and discussed insights regarding the impact of context factors. Participants were divided into treatment (security requirements templates) and control groups (no templates). Our findings support some previous results: treatment group performed significantly better than the control group in terms of the coverage of the identified security requirements. Besides, the requirements elicitation process performed significantly better in relevance and efficiency metrics in two of the three replications. Security requirements templates supported participants to identify a core set of the security requirements and participants were favorable towards the use of templates in identifying security requirements.