The Evolving Security and Privacy Requirements Engineering (ESPRE) Workshop is a multi-disciplinary, one-day workshop. It brings together practitioners and researchers interested in security and privacy requirements.

ESPRE probes the interfaces between Requirements Engineering and Security & Privacy, and aims to evolve security and privacy requirements engineering to meet the needs of stakeholders; these range from business analysts and security engineers, to technology entrepreneurs and privacy advocates.



Topics of interest include, but are not limited to:

  • Adaptation of security & privacy requirements
  • Elicitation and analysis techniques
  • Evolution of security & privacy requirements
  • Legal compliance in security & privacy RE
  • Leveraging Domain knowledge
  • Modelling trust and risk
  • Ontologies for security & privacy RE
  • Scalability of security RE approaches
  • Security & privacy RE and [Sec]DevOps
  • Security & privacy RE for design innovation
  • Security & privacy RE education
  • Security & privacy RE processes
  • Stakeholder & Attacker perspectives
  • Studies applying security & privacy RE
  • Validation & verification


    We invite research and position papers that address any of the workshop topics.

    Please use the IEEE trans template for submissions.

    Further instructions are also on the RE 2017 site.

    Papers have no more than 6 pages of content. An additional page is allowed for references only. Papers should be submitted electronically in PDF format to EasyChair.

    Accepted papers will be published in the workshop proceedings, and made available via IEEE Xplore.


    Lightning Talks

    We will run a ‘Lightning talks’ session of 2-minute talks after lunch. Such talks might share early results, on-going work, annoyances, practical lessons learned, or even plugs for upcoming events. To book a slot, please email sfaily@bournemouth.ac.uk with your name, affiliation, talk title, and brief abstract. Proposals will be accepted on a first come, first served basis until all available slots are filled. We will, however, try to free up space elsewhere on the day if we get more demand than we can satisfy.

    The scope for talk topics is open, but the timings are not. Please keep your talk within the time limit. This will make your talk more focused, and keep the audience excited. Please email any slides (no more than 2) in PDF format to sfaily@bournemouth.ac.uk by 5pm CET on Sunday, September 3rd 2017.


    Important Dates

    • Submission Deadline: June 16th, 2017 (extended from June 12th, 2017)
    • Notifications: July 7th, 2017 (moved from June 30th, 2017)
    • Camera-ready papers due: July 16th, 2017
    • Workshop date: 4th September 2017

    Delivering secure agile systems: Chris Williams (Dstl)

    Greater agility of our infrastructure systems will be a key enabler to address the increasingly volatile, uncertain, complex and ambiguous environment that is characteristic of future operations. In this context, agility is the ability for a system to provide a timely response in relation to changes in the mission, threat or environment. Increasingly systems will operate autonomously to reduce human cognitive demands and to respond faster than a human operator could. In order to achieve this, three high level system capabilities are required:

    1. A means to capture dynamically changing requirements in response to the mission, threat and environment. It is no longer possible to determine all possible combinations of these factors at design time. They change too quickly and predicting future demands and threats is not possible. Thus static requirements capture is not possible. In our approach we employ a goal-driven approach to specifying system requirements. Inherent in this approach is the explicit capture of justification (arguments) and assumptions that can be tested during system operation.
    2. Policy Based Management (PBM) that takes the output of the goal tree analysis and represents this in a device-independent language. This supports scalability and interoperability across a heterogeneous mix of devices and infrastructures. It reports back to the goal analysis on the achievement of goals.
    3. Flexible, software-defined infrastructure (e.g. software-defined radios and networks) that enables real-time adaptation to the changing requirements.

    Underpinning the ability to deliver this capability is the need to assure the operation of the system, but due to the agile nature, a static design-time assurance process is no longer sufficient. Instead, both design-time and real-time assurance are required.

    The talk will describe in more detail the architectures and design principles of agile systems, with an emphasis on information systems. It will give exemplars in relation to system security and how the architecture supports risk-based analysis. Initial concepts in run-time assurance for secure agile systems will also be described.


    Dr Williams graduated from the University of Oxford with a First in Engineering Science, and subsequently gained his PhD from Bristol University on the topic of chaotic waveforms for communications. Alongside periods in industry (Research Manager for Fujitsu) and academia (Research Fellow at Bristol University) much of his career has been in Government defence research (Dstl and predecessors). Areas of expertise include novel waveforms, communications signal processing, dynamic spectrum access, risk based decision making, agile systems and requirements engineering.

    Siemens CT push for Security Requirements Engineering: Tiago Gasiba (Siemens Corporate Technology)

    SIEMENS Corporate Technology (CT) is the central research and development unit of the company. CT invents new methods and technologies and has introduced the product solution and security (PSS) organization to raise the bar on security awareness and to ensure that security is considered in all phases of the product life-cycle.

    In this talk, we show how Siemens CT recommends conducting Security Requirements Engineering within the PSS life-cycle, which involves multiple security analysis activities, as well as the involvement of key stakeholders. We also illustrate CT best security practices for our complex work environment, in particular for products with long lifespans. We also discuss security requirements w.r.t. applying modern and state-of-the-art security techniques to a work environment already established over decades.


    Over the last three years Tiago Gasiba has been working for Siemens AG, Munich, as a Security Consultant and Researcher. During this time he has applied for more than ten patents in the field of IT and OT Security. His main areas of interest include Secure Software and Web Application Development, Coaching and Security Training. In his role as a Security Researcher he is constantly looking at ways to improve the Security Requirements handling within Siemens' own processes and at better ways to assist its business units, in particular by accompanying the process from the Requirements specification, through the implementation, to the Requirements Testing phase. Tiago has gathered experience in several different fields, which aid in this systematic approach to product security. He has previously worked as an Incident Handler for Siemens CERT and Security Architect for Java Card Operating System at NXP. Furthermore, he has also worked as an Embedded Software Developer, System Designer at Ericsson Modem and Telecom Researcher for Siemens Mobile, where he worked on 3GPP standardization topics and also holds some patents. In 2002 he earned his Engineering Degree in Telecommunications, Electronics and Computers from the Oporto University in Portugal and in 2004 he earned his Master of Science in Communications Engineering from the Technical University of Munich in Germany.


    Previous Workshops




    Workshop Opening

    0930 - 1030

    Keynote talk: Chris Williams (Chair: Shamal Faily) - Slides

    1030 - 1100 Coffee break
    1100 - 1230

    Session: Human Centered Design and Engineering (Chair: Nancy Mead)

    • An Ontological Approach to Predict Trade-Offs between Security and Usability for Mobile Application Requirements Engineering
      Woori Roh and Seok-Won Lee (Ajou University, South Korea)
    • Design as Code: Facilitating Collaboration between Usability and Security Engineers using CAIRIS - Slides
      Shamal Faily (Bournemouth University, UK) and Claudia Iacob (University of Portsmouth, UK)
    • From Requirements to Operation: Components for Risk Assessment in a Pervasive System of Systems - Slides
      Duncan Ki-Aries, Huseyin Dogan, Shamal Faily, Paul Whittington (Bournemouth University, UK) and Christopher Williams (Defence Science & Technology Laboratory, UK)
    1230 - 1400 Lunch
    1400 - 1530

    Session: Privacy (Chair: Seok-Won Lee)

    • Exploratory Study of the Privacy Extension for System Theoretic Process Analysis (STPA-Priv) to elicit Privacy Risks in eHealth - Slides
      Kai Mindermann, Frederik Riedel, Asim Abdulkhaleq, Christoph Stach and Stefan Wagner (University of Stuttgart, Germany)
    • Challenges of privacy requirements modelling in V2X applications: A telematic insurance case study
      Sarah Schulz Mukisa and Awais Rashid (Lancaster University, UK)
    • An Approach to Privacy Notices in IoT
      Parvaneh Shayegh Boroujeni and Sepideh Ghanavati (Texas Tech University, USA)
    1530 - 1600 Coffee break
    1600 - 1630

    Session: Awareness (Chair: Kristian Beckers)

    • An Effective Immersive Cyber Security Awareness Learning Platform for Businesses in the Hospitality sector
      Jack Holdsworth and Edward Apeh (Bournemouth University, UK)
    1630 - 1730

    Invited talk: Tiago Gasiba (Chair: Kristian Beckers)


    Workshop Close



    Organising Committee

    Programme Committee


    Social Dinner

    The workshop social dinner will be held at Solar Dos Presuntos from 1945.