WHY ESPRE?

The Evolving Security and Privacy Requirements Engineering (ESPRE) Workshop is a multi-disciplinary, one-day workshop. It brings together practitioners and researchers interested in security and privacy requirements.

ESPRE probes the interfaces between Requirements Engineering and Security & Privacy, and aims to evolve security and privacy requirements engineering to meet the needs of stakeholders; these range from business analysts and security engineers, to technology entrepreneurs and privacy advocates.

ESPRE will be run as a one-day workshop (online). The workshop format will consist of an invited talk, paper presentations and discussions, and a facilitated roadmap building session.

ESPRE is suited towards attendees with interests not only in Requirements Engineering, but also in security, privacy, user experience, software engineering, system of systems engineering, and other related areas.

TOPICS

These include, but are not limited to:

  • Adaptation of security & privacy requirements
  • Elicitation and analysis techniques
  • Evolution of security & privacy requirements
  • Legal compliance in security & privacy RE
  • Leveraging Domain knowledge
  • Modelling trust and risk
  • Ontologies for security & privacy RE
  • Scalability of security RE approaches
  • Security & privacy RE and [Sec]DevOps
  • Security & privacy RE for design innovation
  • Security & privacy RE education
  • Security & privacy RE processes
  • Stakeholder & Attacker perspectives
  • Studies applying security & privacy RE
  • Validation & verification
ESPRE2022

Download the ESPRE 2022 Call for Papers

Don't forget, ESPRE22 will be held online as a virtual event. We'll add any on-going updates about the event for you here. See here for more details about the RE conference

There is still time to submit your research. ESPRE22 has extended the submission deadline by 7 days. As indicated below, the new submission deadline will now be on Thursday May 26th.

UPDATE: Details about both Keynote speakers has now been updated, along with the workshop schedule showing presentations for accepted papers.

Keynote 1

Erlend Andreas Gjære
Title: The need for a human touch in security and privacy engineering

Abstract: Studies show that physical contact, like a handshake or hug, can promote trust between people. Technology, on the other hand, is rather cold by nature, and the same could also our engineering process quickly become. Still, people are increasingly depending on technology in their lives, and security or privacy breaches could have life-changing consequences.

People are essential to both the design, development and use of technology. If we are able to take human factors into account at all stages, including in our privacy and security work, could we become better at building solutions which people can really trust, rely upon – and maybe even love?

Erlend Andreas Gjære is a specialist in security and people, with a focus on security awareness, training and culture, risk, behavior and user experience. He received his MSc degree in Informatics from the Norwegian University of Science and Technology (NTNU) in Norway, and then worked six years as a research scientist, before transitioning to industry work as a consultant and security manager. He is now co-founder and CEO of the award-winning security software company Secure Practice.

Keynote 2

Nancy R. Mead
Title: Critical Infrastructure Protection and Supply Chain Risk Management

Abstract: Critical infrastructure is a key area in cybersecurity. In the U.S., it was front and center in 1997 with the report from the President’s Commission on Critical Infrastructure Protection (PCCIP), and now affects countries worldwide. Critical Infrastructure Protection must address all types of cybersecurity threats - insider threat, ransomware, Supply Chain Risk Management issues, and so on. Unsurprisingly, in the past 25 years, the risks and incidents have increased rather than decreased and appear in the news daily.

As an important component of critical infrastructure protection, secure supply chain risk management must be integrated into development projects. Development projects do not always include methods to ensure that code in third party products has not been compromised during the sourcing process. We discuss the threats and actual attacks, mitigation methods, recent research, and the linkages to security requirements engineering.

Nancy Mead is a Fellow of the Software Engineering Institute and Adjunct Professor of Software Engineering at Carnegie Mellon University. Her research areas are security requirements engineering, supply chain risk management, and software assurance curricula. The Nancy Mead Award for Excellence in Software Engineering Education & Training is named for her.

She has more than 150 publications and invited presentations. Her awards and honors include Life Fellow of the IEEE, Distinguished Member of the ACM, IEEE TCSE Distinguished Educator, IEEE TCSE Executive Board, Parnas Fellow at Lero the Irish Software Research Center, IEEE Distinguished Visitor Program. She has a BA, MS, and PhD in mathematics from NYU.

Important Dates

NOW

Write-up your research

Submission Deadline

(Extended) Due by 23:59:59 AoE, Thursday, May 26th, 2022

Submissions to EasyChair

Author Notifications

Friday, June 17, 2022

Conference Registration

For more information, see the RE22 website about how to register to attend the event

Camera-Ready Submission

Due by 23:59:59 AoE, Thursday, July 7, 2022

Submission link to be supplied

ESPRE22 Online Workshop

Tuesday, August 16, 2022

Research Challenges and Roadmap

Throughout the day, the workshop organisers will note potential research challenges that form the basis of a roadmap for evolving security and privacy requirements engineering. Following the final session, we will close the workshop with a wrap-up session, in which these challenges and a potential roadmap for addressing them will be proposed.

Time permitting, we may run a ‘Lightning talks’ session of 2-minute talks during the workshop. Such talks might share early results, on-going work, annoyances, practical lessons learned, or even plugs for upcoming events.

Provisional Schedule (May be subject to change)

19:00 - 19:10

Workshop Opening
(19:00 in Melbourne; 11:00 in EU; 10:00 in UK; 05:00 USA/EST)

19:10 - 20:10

Keynote 1

Erlend Andreas Gjære - The need for a human touch in security and privacy engineering
20:10 - 20:20Break
20:20 - 21:20

Presentations

  • 20:20 - 20:40 > Existing Vulnerability Information in Security Requirements Elicitation
    Md Rayhan Amin and Tanmay Bhowmik, Mississippi State University, USA
  • 20:40 - 21:00 > Threat-driven Risk Assessment for APT Attacks using Risk-Aware Problem Domain Ontology
    Sihn-Hye Park and Seok-Won Lee, Ajou University, South Korea
  • 21:00 - 21:20 > Risk-Based Security Requirements Model for Web Software
    Onyeka Ezenwoye, Augusta University, USA, and Yi Liu, University of Massachusetts Dartmouth, USA
21:20 - 21:40Break
21:40 - 22:40

Keynote 2

Nancy R. Mead - Critical Infrastructure Protection and Supply Chain Risk Management
22:40 - 22:50Break
22:50 - 23:40

Presentations

  • 22:50 - 23:10 > Socio-Technical Modelling for GDPR Principles: an Extension for the STS-ml
    Claudia Negri-Ribalta, Nicolas Herbaut, and Camille Salinesi, Université Paris-1 Panthéon-Sorbonne, and René Noel and Oscar Pastor, Universitat Politècnica de València
  • 23:10 - 23:30 > Capability oriented RE for Cybersecurity and Personal Data Protection: Meeting the challenges of SMEs
    Evangelia Kavakli, Pericles Loucopoulos and Yannis Skourtis, Institute of Digital Innovation & Research (IDIR), Ireland
23:40 - 00:00

Discussion and Wrap-up

00:00

Workshop Close

Programme Committee

Organising Committee

Hanan Hibshi

Carnegie Mellon University,
USA
Portfolio Image Institutional Logo

Duncan Ki-Aries

Bournemouth University,
UK
Portfolio Image Institutional Logo

Seok-Won Lee

Ajou University,
South Korea
Portfolio Image Institutional Logo

Mattia Salnitri

Polytechnic University of Milan,
Italy
Portfolio Image Institutional Logo

Previous Workshops

Although the ESPRE workshop has been co-located with RE since 2014, it builds on the success of earlier workshops in security requirements engineering and secure software engineering.

For example, the Security and Privacy Requirements Engineering (SPREE) Workshop in 2011, the International Workshop for Software Engineering for Secure Systems (SESS) series, and the Requirements for High Assurance Systems (RHAS) workshop series.


The eighth ESPRE workshop was held as a half-day online workshop during RE 2021. The workshop consisted of a keynote talk by Travis Breaux and José Francisco Ruiz, and technical programme of presentations, followed by a closing talk towards a roadmap for evolving security and privacy requirements engineering. (Website)
The seventh ESPRE workshop was held as a half-day workshop during RE 2020, and became the first online ESPRE workshop. The workshop consisted of a keynote talk by Shamal Faily, a reduced technical programme of presentations, and a closing talk and participant discussion led by Duncan Ki-Aries towards a roadmap for evolving security and privacy requirements engineering. (Website)
The sixth ESPRE workshop was held during RE 2019 in Jeju Island, South Korea. The workshop consisted of a keynote talk by Daehun Nyang, a technical programme of six paper presentations, and a closing talk and participant discussion led by Tiago Gasiba towards a roadmap for evolving security andprivacy requirements engineering. (Website)
The fifth ESPRE workshop was held during RE 2018 in Banff, Canada. The workshop consisted of a keynote talk by Yijun Yu, a technical programme of five paper presentations, a lightning talk session, and a closing talk by Lionel Briand. (Website)
The fourth ESPRE workshop was held during RE 2017 in Lisbon, Portugal. The workshop consisted of a keynote talk by Chris Williams, a technical programme of seven paper presentations, and a closing talk by Tiago Gasiba. (Website)
The third ESPRE workshop was held during RE 2016 in Beijing, China. The workshop consisted of a keynote talk by Lin Liu, a technical programme of six paper presentations, a lightening talk session, and an interactive demo session.
The second ESPRE workshop was held during RE 2015 in Ottawa, Canada. The workshop consisted of a keynote talk by Robert Biddle, a technical programme of five paper presentations, and a closing talk by Fabio Massacci. For the first time, the programme also included a lightening talk session containing a number of brief presentations from attendees on new and emerging results from our field. (Website)
The first ESPRE workshop was held during RE 2014 in Karlskrona, Sweden. The workshop consisted of a keynote talk by Angela Sasse, a technical programme of eight paper presentations, and a closing talk by Aljosa Pasic. Three selected papers of the workshop were extended for an ESPRE special issue of the International Journal of Secure Software Engineering, which was published in 2015. (Website)
Top