

The Evolving Security and Privacy Requirements Engineering (ESPRE) Workshop is a multi-disciplinary, one-day workshop. It brings together practitioners and researchers interested in security and privacy requirements.

ESPRE probes the interfaces between Requirements Engineering and Security & Privacy, and aims to evolve security and privacy requirements engineering to meet the needs of stakeholders; these range from business analysts and security engineers, to technology entrepreneurs and privacy advocates.



Topics of interest include, but are not limited to:

  • Adaptation of security & privacy requirements
  • Elicitation and analysis techniques
  • Evolution of security & privacy requirements
  • Legal compliance in security & privacy RE
  • Leveraging Domain knowledge
  • Modelling trust and risk
  • Ontologies for security & privacy RE
  • Scalability of security RE approaches
  • Security & privacy RE and [Sec]DevOps
  • Security & privacy RE for design innovation
  • Security & privacy RE education
  • Security & privacy RE processes
  • Stakeholder & Attacker perspectives
  • Studies applying security & privacy RE
  • Validation & verification


    We will run a ‘Lightning talks’ session of 2-minute talks during the workshop. Such talks might share early results, on-going work, annoyances, practical lessons learned, or even plugs for upcoming events. To book a slot, please email sfaily@bournemouth.ac.uk with your name, affiliation, talk title, and brief abstract. Proposals will be accepted on a first come, first served basis until all available slots are filled. We will, however, try to free up space elsewhere on the day if we get more demand than we can satisfy.

    The scope for talk topics is open, but the timings are not. Please keep your talk within the time limit. This will make your talk more focused, and keep the audience excited. If your proposal is accepted, you will be contacted with more details about timings and logistics on the day.


    Important Dates

    • Submission Deadline: June 18th, 2018 (extended from June 12th, 2018)
    • Notifications: July 6th, 2018
    • Camera-ready papers due: July 17th, 2018
    • Workshop date: 20th August 2018

    Dark Matter in Adaptive Security and Privacy Requirement: Yijun Yu (Open University)

    Dark matter and dark energy have not been observed directly. However, their very existence may be used to account for the implication of abnormal observations which cannot be explained otherwise using the equation of general relativity. Similarly, unknowns often distort our understanding in the evolution of security and privacy requirements. In an attempt to eliminate the phenomena, this talk will use examples to shed some light on where unknowns could exist and what implications they could have on our understanding of security and privacy requirements.


    Dr. Yijun Yu is a Senior Lecturer in Computing at The Open University, UK. He is interested in developing automated, efficient and scalable software techniques and tools to better support human activities in software engineering. He has a vision to improve aviation security through cloud computing and blockchains by live streaming blackboxes, which was featured in interviews with the BBC after the missing MH370 flight, and subsequently received Microsoft Azure and Amazon AWS awards (2017). His research on Requirements-driven Self-Adaptation has received a 10 Year Most Influential Paper award (CASCON’16), 5 Best Paper awards and 3 Distinguished Paper awards at International Conferences (including RE’11). This talk is based on recent joint work with colleagues at The Open University, UK, inspired by his international collaborators from over 10 countries. His current research is funded by grants on Secure Adaptive and Usable Software Engineering (EPSRC Platform, 2018-2022), and Adaptive Security and Privacy (ERC Adv. Grant, 2012-2018). You can find out more about his work here and about his research team here.

    Modeling Security and Privacy Requirements to Enable Test Automation: Lionel Briand (University of Luxembourg)

    To facilitate communication among stakeholders, software security and privacy (S&P) requirements are typically written in natural language and capture both positive requirements (i.e., what the system is supposed to do to ensure S&P) and negative requirements (i.e., undesirable behavior undermining S&P). An important question is how to test a system to ensure the conformance of a system with its S&P requirements and, further, how to do that in a systematic, automated, and effective way.

    This talk will present Misuse Case Programming (MCP), an approach to automatically generate security test cases from misuse case specifications (i.e., use case specifications capturing the behavior of malicious users). MCP relies on natural language processing techniques to extract relevant concepts (e.g., inputs and activities) appearing in requirements specifications and generates executable test cases by matching the extracted concepts to a provided test driver API. MCP has been evaluated in an industrial case study, which provides initial evidence of the feasibility and benefits of the approach.


    Lionel C. Briand is professor in software verification and validation at the SnT centre for Security, Reliability, and Trust, University of Luxembourg, where he is also the vice-director of the centre. He is currently running multiple collaborative research projects with companies in the automotive, satellite, financial, and legal domains. Lionel has held various engineering, academic, and leading positions in five other countries before that. He was one of the founders of the ICST conference (IEEE Int. Conf. on Software Testing, Verification, and Validation, a CORE A event) and its first general chair. He was also the EiC of Empirical Software Engineering (Springer) for a long time and led the journal to the top tier of the very best publication venues in software engineering.

    Lionel was elevated to the grade of IEEE Fellow in 2010 for his work on the testing of object-oriented systems. He was granted the IEEE Computer Society Harlan Mills award and the IEEE Reliability Society engineer-of-the-year award for his work on model-based verification and testing, respectively in 2012 and 2013. He received an ERC Advanced grant in 2016 — on the topic of modelling and testing cyber-physical systems — which is the most prestigious individual research grant in the European Union. His research interests include: software testing and verification, model-driven software development, search-based software engineering, and empirical software engineering.






    Workshop Opening (Seok-Won Lee)

    0930 - 1030

    Keynote talk: Dark Matter in Adaptive Security and Privacy Requirement (Yijun Yu)

    1030 - 1100 Coffee break
    1100 - 1230

    Session: People and Systems (Chair: Raian Ali)

    • Towards the Design of Usable Privacy by Design Methodologies
      Argyri Pattakou, Aikaterini-Georgia Mavroeidi, Christos Kalloniatis, Vasiliki Diamantopoulou and Stefanos Gritzalis (University of the Aegean, Greece)
    • The Importance of Empathy for Analyzing Privacy Requirements
      Meira Levy (Shenkar - Engineering. Design. Art, Israel) and Irit Hadar (University of Haifa, Israel)
    • Assessing System of Systems Security Risk and Requirements with OASoSIS
      Duncan Ki-Aries, Shamal Faily, Huseyin Dogan (Bournemouth University, UK) and Christopher Williams (Defence Science & Technology Laboratory, UK)
    1230 - 1400 Lunch
    1400 - 1530

    Session: Privacy by Design and Lightning Talks (Chair: Seok-Won Lee)

    • Tool-supporting Data Protection Impact Assessments with CAIRIS
      Joshua Coles, Shamal Faily and Duncan Ki-Aries (Bournemouth University, UK)
    • Privacy Consistency Analyzer for Android Applications
      Sayan Maitra, Bohyun Suh and Sepideh Ghanavati (Texas Tech University, USA)
    • Lightning Talks
      • Use case ontology for eliciting security requirements (Imano Williams)
      • The role of organizational climate in security and privacy requirements engineering (Irit Hadar)
      • Security as a Behaviour: Potential for Persuasive Technology (Raian Ali, John McAlaney)
      • The role of usability in security and privacy in Information Systems within the GDPR era (Vasiliki Diamantopoulou)
      • The CAIRIS web API (Duncan Ki-Aries)
    1530 - 1600 Coffee break
    1600 - 1700

    Keynote talk: Modeling Security and Privacy Requirements to Enable Test Automation (Lionel Briand)

    1700 - 1730

    Wrap-up and Workshop Close (Seok-Won Lee)