The Evolving Security and Privacy Requirements Engineering (ESPRE) Workshop is a multi-disciplinary, one-day workshop. It brings together practitioners and researchers interested in security and privacy requirements.

ESPRE probes the interfaces between Requirements Engineering and Security & Privacy, and aims to evolve security and privacy requirements engineering to meet the needs of stakeholders; these range from business analysts and security engineers, to technology entrepreneurs and privacy advocates.



Workshop topics include, but are not limited to:

  • Adaptation of security & privacy requirements
  • Elicitation and analysis techniques
  • Evolution of security & privacy requirements
  • Legal compliance in security & privacy RE
  • Leveraging domain knowledge
  • Modelling trust and risk
  • Ontologies for security & privacy RE
  • Scalability of security RE approaches
  • Security & privacy RE and [Sec]DevOps
  • Security & privacy RE for design innovation
  • Security & privacy RE education
  • Security & privacy RE processes
  • Stakeholder & Attacker perspectives
  • Studies applying security & privacy RE
  • Validation & verification


    We invite research and position papers that address any of the workshop topics.

    Please use the IEEE trans template for submissions.

    Further instructions are also on the RE 2017 site.

    Papers must have no more than 6 pages of content. An additional page is allowed for references only. Papers should be submitted electronically in PDF format to EasyChair.

    Accepted papers will be published in the workshop proceedings, and made available via IEEE Xplore.


    Important Dates

    • Submission Deadline: June 12th, 2017 → June 16th, 2017 (Extension)
    • Notifications: June 30th, 2017 → July 7th, 2017
    • Camera-ready papers due: July 16th, 2017
    • Workshop date: 4th September 2017

    Delivering secure agile systems: Chris Williams (Dstl)

    Greater agility of our infrastructure systems will be a key enabler to address the increasingly volatile, uncertain, complex and ambiguous environment that is characteristic of future operations. In this context, agility is the ability for a system to provide a timely response in relation to changes in the mission, threat or environment. Increasingly systems will operate autonomously to reduce human cognitive demands and to respond faster than a human operator could. In order to achieve this, three high level system capabilities are required:

    1. A means to capture dynamically changing requirements in response to the mission, threat and environment. It is no longer possible to determine all possible combinations of these factors at design time. They change too quickly and predicting future demands and threats is not possible. Thus static requirements capture is not possible. In our approach we employ a goal-driven approach to specifying system requirements. Inherent in this approach is the explicit capture of justification (arguments) and assumptions that can be tested during system operation.
    2. Policy Based Management (PBM) that takes the output of the goal tree analysis and represents this in a device independent language. This supports scalability and interoperability across a heterogeneous mix of devices and infrastructures. It reports back to the goal analysis on the achievement of goals.
    3. Flexible, software-defined infrastructure (e.g. software-defined radios and networks) that enables real-time adaptation to the changing requirements.

    Underpinning the ability to deliver this capability is the need to assure the operation of the system, but due to the agile nature, a static design-time assurance process is no longer sufficient. Instead both design-time and real-time assurance are required.

    The talk will describe in more detail the architectures and design principles of agile systems, with an emphasis on information systems. It will give exemplars in relation to system security and how the architecture supports risk-based analysis. Initial concepts in run-time assurance for secure agile systems will also be described.


    Dr Williams graduated from the University of Oxford with a First in Engineering Science, and subsequently gained his PhD from Bristol University on the topic of chaotic waveforms for communications. Alongside periods in industry (Research Manager for Fujitsu) and academia (Research Fellow at Bristol University) much of his career has been in Government defence research (Dstl and predecessors). Areas of expertise include novel waveforms, communications signal processing, dynamic spectrum access, risk based decision making, agile systems and requirements engineering.


    Previous Workshops


    Accepted Papers

    An Approach to Privacy Notices in IoT - Parvaneh Shayegh Boroujeni and Sepideh Ghanavati (Texas Tech University, USA)
    An Effective Immersive Cyber Security Awareness Learning Platform for Businesses in the Hospitality sector - Jack Holdsworth and Edward Apeh (Bournemouth University, UK)
    An Ontological Approach to Predict Trade-Offs between Security and Usability for Mobile Application Requirements Engineering - Woori Roh and Seok-Won Lee (Ajou University, Korea)
    Challenges of privacy requirements modelling in V2X applications: A telematic insurance case study - Sarah Schulz Mukisa and Awais Rashid (Lancaster University, UK)
    Design as Code: Facilitating Collaboration between Usability and Security Engineers using CAIRIS - Shamal Faily (Bournemouth University, UK) and Claudia Iacob (University of Portsmouth, UK)
    Exploratory Study of the Privacy Extension for System Theoretic Process Analysis (STPA-Priv) to elicit Privacy Risks in eHealth - Kai Mindermann, Frederik Riedel, Asim Abdulkhaleq, Christoph Stach and Stefan Wagner (University of Stuttgart, Germany)
    From Requirements to Operation: Components for Risk Assessment in a Pervasive System of Systems - Duncan Ki-Aries, Huseyin Dogan, Shamal Faily, Paul Whittington (Bournemouth University, UK) and Christopher Williams (Defence Science and Technology Laboratory, UK)


    Organising Committee

    Programme Committee