WHY ESPRE?

The Evolving Security and Privacy Requirements Engineering (ESPRE) Workshop is a multi-disciplinary, one-day workshop. It brings together practitioners and researchers interested in security and privacy requirements.

ESPRE probes the interfaces between Requirements Engineering and Security & Privacy, and aims to evolve security and privacy requirements engineering to meet the needs of stakeholders; these range from business analysts and security engineers, to technology entrepreneurs and privacy advocates.

ESPRE will be run as a one-day workshop (online). The workshop format will consist of an invited talk, paper presentations and discussions, and a facilitated roadmap building session.

ESPRE is suited towards attendees with interests not only in Requirements Engineering, but also in security, privacy, user experience, software engineering, system of systems engineering, and other related areas.

TOPICS

These include, but are not limited to:

  • Adaptation of security & privacy requirements
  • Elicitation and analysis techniques
  • Evolution of security & privacy requirements
  • Legal compliance in security & privacy RE
  • Leveraging Domain knowledge
  • Modelling trust and risk
  • Ontologies for security & privacy RE
  • Scalability of security RE approaches
  • Security & privacy RE and [Sec]DevOps
  • Security & privacy RE for design innovation
  • Security & privacy RE education
  • Security & privacy RE processes
  • Stakeholder & Attacker perspectives
  • Studies applying security & privacy RE
  • Validation & verification
ESPRE2021

Download the ESPRE 2021 Call for Papers

UPDATE: RE Organisers have decided to hold RE’21 at its scheduled date as a fully virtual conference. ESPRE21 will therefore also be held online as a virtual event. See here for more details

UPDATE: There is still time to submit your research. ESPRE21 has extended the submission deadline. As indicated below, the new submission deadline will now be on Thursday July 1st.

Keynote 1

Dr Travis Breaux
Title: What Are We Afraid Of? Quantifying Risk in Privacy and Security

Abstract: Throughout decades of innovation, privacy and security have continued to be critical attributes in software and system design. This remains true in enterprise networks, today, and has arisen in emerging Internet of Things (IoT) and machine learning applications. Business analysts and system designers have continuously needed to tailor privacy and security requirements to meet the threats to specific systems. Risk, or the likelihood of an adverse consequence, is a key driver for prioritizing investment in mitigating privacy and security threats. In this keynote talk, we will review a brief history of risk estimation, its strengths and its shortcomings, consider how risk differs between privacy and security, discuss novel quantitative approaches to measuring privacy and security risk. At the end, we will examine an important obstacle to automating privacy and security assessment, which is structured and enumerable domain knowledge.

Dr. Breaux is the Director of the CMU Requirements Engineering Lab, where his research program investigates how to specify and design software to comply with policy and law in a trustworthy, reliable manner. His work historically concerned the empirical extraction of legal requirements from policies and law, and has recently studied how to use formal specifications to reason about privacy policy compliance, how to measure and reason over ambiguous and vague policies, and how security and privacy experts and novices estimate the risk of system designs.

Previous keynote talks have been delivered by Angela Sasse (2014), Robert Biddle (2015), Lin Liu (2016), Chris Williams (2017), Yijun Yu (2018), Daehun Nyang (2019), and Shamal Faily (2020).

Keynote 2

José Francisco Ruiz
Title: How secure are we in the digital era? Does anyone truly know?

Abstract: We live in a modern age in which we are very proud of saying "we are digital". Business go digital, governments go digital, lifes go digital, relations go digital...As time advances more and more elements are found, sometimes only, in the digital world, and although it has incredible benefits (both for citizens, companies, and governments) it also has a dark side few people know or talk about. Cybercrimes, cyberwarfare...data is the new gold and there are people that know perfectly how to get it, no matter how hard you or any company try to protect them. Actually, are we protected? where is our data? do we care about it?

In this presentation we will talk about the digital world and the cyberthreats they bring, about their impact in the day to day life and, also, try to show people how unprotected we are...

Mr. José Francisco Ruiz is a senior cybersecurity consultant and technical project manager at Atos. He obtained his bachelor degree and Master Thesis degree in Computer Engineering from the University of Malaga in 2008 and 2012 respectively and is currently finishing his PhD focused on cybersecurity engineering. He has been working in European research projects from more than twelve years in different organizations across Europe. He has lead cybersecurity research activities and act as technical project management in many different projects, among others in FP6 Serenity (security and dependability for AmI), FP7 SecFutur (security engineering for systems of systems), Coco Cloud (security in the cloud), and several H2020 projects. He has been technical project coordinator of the H2020 VisiOn project (security and privacy for public administrations) and is project coordinator of the H2020 project FISHY (cybersecurity for supply chain). Previously he was project coordinator of the H2020 project SMESEC (cybersecurity for SMEs). Additionally, he led the research and creation of a cybersecurity agenda for collaboration of Europe and Japan in the H2020 EUNITY project. His interests include cybersecurity engineering, cybersecurity in the cloud, data protection, and distributed systems. He has also several publications in national and international conferences, journals and books and has served in organization committees and as reviewer in different conferences and workshops. Finally, he is a member of the “Expert Community” of Atos in the cybersecurity domain, and the scientific and innovation committee of ECSO together with being co-chair of the “cybersecurity for verticals” sub-working group.

Important Dates

NOW

Write-up your research

Submission Deadline (Extended)

Due by 23:59:59 AoE, Thursday, July 1, 2021

Submissions to EasyChair

Author Notifications

Friday, July 23, 2021

Conference Registration

For more information, see the RE21 website about how to register to attend the event

Camera-Ready Submission

Due by 23:59:59 AoE, Thursday, August 12, 2021

Submission link to be supplied

ESPRE21 Online Workshop

Tuesday, September 21, 8.00am-1.00pm EDT (2.00pm-7.00pm CEST)

Research Challenges and Roadmap

Throughout the day, the workshop organisers will note potential research challenges that form the basis of a roadmap for evolving security and privacy requirements engineering. Following the final session, we will close the workshop with a wrap-up session, in which these challenges and a potential roadmap for addressing them will be proposed.

Schedule

08:00 - 08:15

Workshop Opening (14:00 CEST)

08:15 - 9:00

Keynote 1

What Are We Afraid Of? Quantifying Risk in Privacy and Security
Dr Travis Breaux, Carnegie Mellon University, USA
09:00 - 11:00

Presentations

  • 09:00 - 09:30 > Self-Adaptive Security for SLA Based Smart Contract
    Irish Singh and Seok-Won Lee, Ajou University, South Korea
  • 09:30 - 10:00 > Lattice-based Contextual Integrity Analysis of Social Network Privacy Policies
    Stephen Kaplan, Dylan Bulmer, Avery Gosselin, and Sepideh Ghanavati, University of Maine, USA
  • 10:00 - 10:30 > Multi-perspective APT Attack Risk Assessment Framework using Risk-Aware Problem Domain Ontology
    Sihn-Hye Park, Ji-Wook Jung, and Seok-Won Lee, Ajou University, South Korea
  • 10:30 - 11:00 > A Named Entity Recognition Based Approach for Privacy Requirements Engineering
    Guntur Budi Herwanto, Universitas Gadjah Mada, Indonesia, Gerald Quirchmayr, University of Vienna, Austria, and A Min Tjoa, Vienna University of Technology, Austria
11:00 - 11:45

Keynote 2

How secure are we in the digital era? Does anyone truly know?
Jose Francisco Ruiz, Technical project manager and Cybersecurity expert, Atos, Spain
11:45 - 12:30

Presentations

  • 11:45 - 12:00 > D-REQs: Determination of security and safety requirements in workshops based on the use of model-based systems engineering (Short Paper)
    Sergej Japs and Harald Anacker, Fraunhofer IEM, Germany, Jörg Holtmann, University of Gothenburg, Sweden, Lydia Kaiser, Technische Universität Berlin, Germany, Frank Kargl, Ulm University, Germany, and Roman Dumitrescu, University of Paderborn Germany
  • 12:00 - 12:30 > Towards Norm Classification: An Initial Analysis of HIPAA Breaches
    Vedarsh Shah, Duke University, USA, Zedong Peng, Ganesh Malla, and Nan Niu, University of Cincinnati, USA
12:30 - 13:00

Discussion and Wrap-up

13:00

Workshop Close

Programme Committee

Organising Committee

Duncan Ki-Aries

Bournemouth University,
UK
Portfolio Image Institutional Logo

Seok-Won Lee

Ajou University,
South Korea
Portfolio Image Institutional Logo

Mattia Salnitri

Polytechnic University of Milan,
Italy
Portfolio Image Institutional Logo

Previous Workshops

Although the ESPRE workshop has been co-located with RE since 2014, it builds on the success of earlier workshops in security requirements engineering and secure software engineering.

For example, the Security and Privacy Requirements Engineering (SPREE) Workshop in 2011, the International Workshop for Software Engineering for Secure Systems (SESS) series, and the Requirements for High Assurance Systems (RHAS) workshop series.


The seventh ESPRE workshop was held as a half-day workshop during RE 2020, and became the first online ESPRE workshop. The workshop consisted of a keynote talk by Shamal Faily, a reduced technical programme of presentations, and a closing talk and participant discussion led by Duncan Ki-Aries towards a roadmap for evolving security and privacy requirements engineering. (Website)
The sixth ESPRE workshop was held during RE 2019 in Jeju Island, South Korea. The workshop consisted of a keynote talk by Daehun Nyang, a technical programme of six paper presentations, and a closing talk and participant discussion led by Tiago Gasiba towards a roadmap for evolving security andprivacy requirements engineering. (Website)
The fifth ESPRE workshop was held during RE 2018 in Banff, Canada. The workshop consisted of a keynote talk by Yijun Yu, a technical programme of five paper presentations, a lightning talk session, and a closing talk by Lionel Briand. (Website)
The fourth ESPRE workshop was held during RE 2017 in Lisbon, Portugal. The workshop consisted of a keynote talk by Chris Williams, a technical programme of seven paper presentations, and a closing talk by Tiago Gasiba. (Website)
The third ESPRE workshop was held during RE 2016 in Beijing, China. The workshop consisted of a keynote talk by Lin Liu, a technical programme of six paper presentations, a lightening talk session, and an interactive demo session.
The second ESPRE workshop was held during RE 2015 in Ottawa, Canada. The workshop consisted of a keynote talk by Robert Biddle, a technical programme of five paper presentations, and a closing talk by Fabio Massacci. For the first time, the programme also included a lightening talk session containing a number of brief presentations from attendees on new and emerging results from our field. (Website)
The first ESPRE workshop was held during RE 2014 in Karlskrona, Sweden. The workshop consisted of a keynote talk by Angela Sasse, a technical programme of eight paper presentations, and a closing talk by Aljosa Pasic. Three selected papers of the workshop were extended for an ESPRE special issue of the International Journal of Secure Software Engineering, which was published in 2015. (Website)
Top