WHY ESPRE?

When specifying a system, security and privacy need to be addressed as early as possible, yet stakeholders find doing so difficult in the face of conflicting priorities. When these concerns are addressed, we discover how intrinsically difficult it can be to specify usable security and privacy while meeting business and developmental needs, and how blurred the distinction between requirements and security and privacy concepts subsequently becomes.

The theme of this year's Evolving Security and Privacy Requirements Engineering (ESPRE) workshop will be Large Language Models (LLMs) and their applications. In the last few years, LLMs have redefined many paradigms.

The potential of LLMs lies in their ability to manipulate text and knowledge, with a concrete chance to heavily impact many aspects of requirements engineering. This is especially true for security and privacy requirements, where LLMs will greatly improve aspects such as correctness or coverage. On the other side of the coin, LLMs must comply with and fulfill security and privacy requirements, too, yet the shape of these requirements and their enforcement have only marginally been explored.

The ESPRE workshop is a multi-disciplinary one-day workshop, bringing together practitioners and researchers from across the world interested in evolving security and privacy requirements engineering practice.

The workshop will include an invited keynote talk, paper presentations and discussions, and a facilitated roadmap discussion session towards future Security and Privacy Requirements Engineering activities.

We look forward to seeing you in Valencia.

TOPICS

These include, but are not limited to:

  • Large language models for privacy and security requirements
  • Privacy and security requirements of large language models
  • Prompt engineering for security and privacy requirement elicitation and definition
  • Privacy-compliant design and creation of machine learning models
  • Specification of security requirements for prompt defense
  • AI for security and privacy
  • Security and privacy for AI
  • Ethics and security and privacy requirements
  • Security and privacy requirements for accessibility and inclusivity
  • Modelling of trust, reputation, and risk
  • Security and privacy enforcement using blockchain technologies
  • Security and privacy drawbacks of blockchain technologies
  • Security and privacy requirements elicitation and analysis
  • Identification and management of all stakeholders (including attackers)
  • Modelling of domain knowledge for security and privacy requirements
  • Security and privacy requirements engineering processes
  • Security and privacy requirements-based testing
  • Formal and informal modelling of laws, policies, and requirements
  • Requirements verification: monitoring, documenting, and auditing evidence of compliance
  • Positive (and especially negative) lessons learned applying security and requirements engineering in practice
  • User studies of security or privacy technology

Don't forget, ESPRE25 will again be held in person. We'll add any ongoing updates about the event for you here. See here for more details about the RE conference.

UPDATE: Good News! - The ESPRE workshop submission deadline has been extended. See below for the new date.

Keynote Speaker

Prof. Frank Pallas
Title: Recognizing 2nd-order Non-Functional Requirements in Privacy Engineering

Bio: Frank is EXDIGIT professor for Privacy Engineering and Policy-Aligned Systems (PEPSys) at the Paris Lodron University of Salzburg. His PEPSys research group focuses on the interplay between the design and engineering of cutting-edge enterprise- and society-grade systems on the one hand and the legal and policy-related aspects shaping such systems on the other. Frank received his Diploma and Ph.D. in computer science from TU Berlin, Germany, followed by senior research positions at the KIT’s Center for Applied Legal Studies and the FZI Forschungszentrum Informatik, both in Karlsruhe, Germany. Before joining PLUS, he held an interim professorship for Computers & Law / Computers & Society at TU Berlin and was a senior researcher at TU Berlin’s department for Information Systems Engineering. Further Information.


Accepted Papers

Can we use LLMs to recover Trace Links between Source Code and Security Requirements?, Jan-Marc Paßlack, Alexander Specht, Marc Herrmann, Duaa Adel Ali Elsofi, Marco Ehl, Katharina Grosser, Jan Juerjens and Kurt Schneider. (Leibniz University Hannover and University of Koblenz, Germany)

LLMPathy: A Multi-Agent LLM Approach for Eliciting Inclusive Security Requirements, Waleed Bin Shahid, Bilal Naqvi and Hammad Afzal. (Information Security Group, Royal Holloway, University of London and University of Leicester, UK, and LUT University, Lappeenranta, Finland)

Generating Context-Aware Learning Materials for Software Security via LLM Agents and Traceability, Ben Luca Schüring, Marc Herrmann, Alexander Specht, Marco Ehl, Duaa Adel Ali Elsofi, Katharina Großer, Jan Jürjens and Kurt Schneider. (Leibniz University Hannover, University of Koblenz and Fraunhofer ISST, Germany)

Expanding ML-Documentation Standards For Better Security, Cara Ellen Appel. (Universität Hamburg, Germany)

A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools, Giovanni Corti, Gianluca Sassetti, Amir Sharif, Serena Elisa Ponta, Matteo Rizzi, Pietro De Matteis, Luca Piras, Roberto Carbone and Silvio Ranise. (Fondazione Bruno Kessler and Co-Innovation Lab, Dedagroup SpA, Italy, and SAP Labs France, France)

An Alignment Between the CRA’s Essential Requirements and the ATT&CK's Mitigations, Jukka Ruohonen, Eun-Young Kang and Qusai Ramadan. (University of Southern Denmark, Denmark)

A Mapping Analysis of Requirements Between the CRA and the GDPR, Jukka Ruohonen, Kalle Hjerppe and Eun-Young Kang. (University of Southern Denmark, Denmark, and University of Turku, Finland)

Towards Evidence-Based Conceptual Modeling for International Data Protection Requirements, Claudia Negri-Ribalta, Rene Noel, Anastasia Sergeeva and Lenzini Gabriele. (University of Luxembourg and SnT/University of Luxembourg, Luxembourg, and Escuela de Ingenieria Civil Informatica, Universidad de Valparaiso, Chile)

SAGE: A Context-Aware Approach for Mining Privacy Requirements Relevant Reviews from Mental Health Apps, Aakash Sorathiya and Gouri Ginde. (University of Calgary, Canada)

See the schedule below for other details.




Important Dates

Submission Deadline

Due by 23:59:59 AoE, Monday, 16 June 2025

Submissions to EasyChair

(8 Pages, plus 2 pages for references)

Author Notifications

From Monday, 7 July 2025

Conference Registration

For more information, see the RE25 website about how to register to attend the event

Camera-Ready Submission

Due by 23:59:59 AoE, Thursday, 17 July 2025

Submission link to be supplied

ESPRE25 Workshop

Monday, 01 September 2025

Schedule - 2025

Throughout the day, the workshop organisers will note potential research challenges that form the basis of a roadmap for evolving security and privacy requirements engineering. Following the final session, we will close the workshop with a wrap-up session, in which these challenges and a potential roadmap for addressing them will be proposed.

Schedule

Workshop Room - Salon de Grados

09:30 - 09:40

Workshop Opening

Opening Remarks - Dr. Mattia Salnitri, Workshop Co-Chair. (Università degli studi di Bergamo, Italy)

09:40 - 10:40

Invited Talk

By Prof. Frank Pallas (Universität Salzburg, Austria) - Recognizing 2nd-order Non-Functional Requirements in Privacy Engineering

10:40 - 11:00

Coffee Break - Ground Floor

11:00 - 12:30

Presentations

  • 11:00 - 11:30 > Can we use LLMs to recover Trace Links between Source Code and Security Requirements?, Jan-Marc Paßlack, Alexander Specht, Marc Herrmann, Duaa Adel Ali Elsofi, Marco Ehl, Katharina Grosser, Jan Juerjens and Kurt Schneider. (Leibniz University Hannover and University of Koblenz, Germany)
  • 11:30 - 12:00 > LLMPathy: A Multi-Agent LLM Approach for Eliciting Inclusive Security Requirements, Waleed Bin Shahid, Bilal Naqvi and Hammad Afzal. (Information Security Group, Royal Holloway, University of London and University of Leicester, UK, and LUT University, Lappeenranta, Finland)
  • 12:00 - 12:30 > Generating Context-Aware Learning Materials for Software Security via LLM Agents and Traceability, Ben Luca Schüring, Marc Herrmann, Alexander Specht, Marco Ehl, Duaa Adel Ali Elsofi, Katharina Großer, Jan Jürjens and Kurt Schneider. (Leibniz University Hannover, University of Koblenz and Fraunhofer ISST, Germany)

12:30 - 14:00

Lunch Break - Ground Floor and 4th Floor

14:00 - 15:30

Presentations

  • 14:00 - 14:30 > Expanding ML-Documentation Standards For Better Security, Cara Ellen Appel. (Universität Hamburg, Germany)
  • 14:30 - 15:00 > A First Appraisal of NIS2 and CRA Compliance Leveraging Open Source Tools, Giovanni Corti, Gianluca Sassetti, Amir Sharif, Serena Elisa Ponta, Matteo Rizzi, Pietro De Matteis, Luca Piras, Roberto Carbone and Silvio Ranise. (Fondazione Bruno Kessler and Co-Innovation Lab, Dedagroup SpA, Italy, and SAP Labs France, France)
  • 15:00 - 15:30 > An Alignment Between the CRA’s Essential Requirements and the ATT&CK's Mitigations, Jukka Ruohonen, Eun-Young Kang and Qusai Ramadan. (University of Southern Denmark, Denmark)

15:30 - 16:00

Coffee Break - Ground Floor

16:00 - 17:30

Presentations

  • 16:00 - 16:30 > A Mapping Analysis of Requirements Between the CRA and the GDPR, Jukka Ruohonen, Kalle Hjerppe and Eun-Young Kang. (University of Southern Denmark, Denmark, and University of Turku, Finland)
  • 16:30 - 17:00 > Towards Evidence-Based Conceptual Modeling for International Data Protection Requirements, Claudia Negri-Ribalta, Rene Noel, Anastasia Sergeeva and Lenzini Gabriele. (University of Luxembourg and SnT/University of Luxembourg, Luxembourg, and Escuela de Ingenieria Civil Informatica, Universidad de Valparaiso, Chile)
  • 17:00 - 17:30 > SAGE: A Context-Aware Approach for Mining Privacy Requirements Relevant Reviews from Mental Health Apps, Aakash Sorathiya and Gouri Ginde. (University of Calgary, Canada)

17:30 - 17:45

Discussion and Wrap-up

17:45

Workshop Close

Previous Workshops

ESPRE is now celebrating its 12th year. Although the ESPRE workshop has been co-located with RE since 2014, it builds on the success of earlier workshops in security requirements engineering and secure software engineering.

For example, the Security and Privacy Requirements Engineering (SPREE) Workshop in 2011, the International Workshop for Software Engineering for Secure Systems (SESS) series, and the Requirements for High Assurance Systems (RHAS) workshop series.

During 2020-2022 (the pandemic), workshop and conference sessions were mostly held online, then in 2023 we returned to in-person sessions in Hannover, Germany, followed by Reykjavik, Iceland in 2024.


The eleventh ESPRE workshop was held as a one-day in-person workshop during RE 2024. The workshop consisted of a keynote talk by Maya Anderson, and a technical programme of presentations, followed by a closing talk towards addressing future challenges and considerations towards evolving security and privacy requirements engineering. (Website)
The tenth ESPRE workshop was held as a one-day in-person workshop during RE 2023. The workshop consisted of a keynote talk by Dr. Sepideh Ghanavati, and a technical programme of presentations, followed by a closing talk towards addressing future challenges and considerations towards evolving security and privacy requirements engineering. (Website)
The ninth ESPRE workshop was held as a one-day online workshop during RE 2022. The workshop consisted of keynote talks by Erlend Andreas Gjære and Nancy R. Mead, and a technical programme of presentations, followed by a closing talk towards a roadmap for evolving security and privacy requirements engineering. (Website)
The eighth ESPRE workshop was held as a half-day online workshop during RE 2021. The workshop consisted of a keynote talk by Travis Breaux and José Francisco Ruiz, and a technical programme of presentations, followed by a closing talk towards a roadmap for evolving security and privacy requirements engineering. (Website)
The seventh ESPRE workshop was held as a half-day workshop during RE 2020, and became the first online ESPRE workshop. The workshop consisted of a keynote talk by Shamal Faily, a reduced technical programme of presentations, and a closing talk and participant discussion led by Duncan Ki-Aries towards a roadmap for evolving security and privacy requirements engineering. (Website)
The sixth ESPRE workshop was held during RE 2019 in Jeju Island, South Korea. The workshop consisted of a keynote talk by Daehun Nyang, a technical programme of six paper presentations, and a closing talk and participant discussion led by Tiago Gasiba towards a roadmap for evolving security and privacy requirements engineering. (Website)
The fifth ESPRE workshop was held during RE 2018 in Banff, Canada. The workshop consisted of a keynote talk by Yijun Yu, a technical programme of five paper presentations, a lightning talk session, and a closing talk by Lionel Briand. (Website)
The fourth ESPRE workshop was held during RE 2017 in Lisbon, Portugal. The workshop consisted of a keynote talk by Chris Williams, a technical programme of seven paper presentations, and a closing talk by Tiago Gasiba. (Website)
The third ESPRE workshop was held during RE 2016 in Beijing, China. The workshop consisted of a keynote talk by Lin Liu, a technical programme of six paper presentations, a lightning talk session, and an interactive demo session.
The second ESPRE workshop was held during RE 2015 in Ottawa, Canada. The workshop consisted of a keynote talk by Robert Biddle, a technical programme of five paper presentations, and a closing talk by Fabio Massacci. For the first time, the programme also included a lightning talk session containing a number of brief presentations from attendees on new and emerging results from our field. (Website)
The first ESPRE workshop was held during RE 2014 in Karlskrona, Sweden. The workshop consisted of a keynote talk by Angela Sasse, a technical programme of eight paper presentations, and a closing talk by Aljosa Pasic. Three selected papers of the workshop were extended for an ESPRE special issue of the International Journal of Secure Software Engineering, which was published in 2015. (Website)