https://doi.org/10.31449/inf.v48i2.5945
Informatica 48 (2024) 283–284

Concurrent Consideration of Technical and Human Aspects in Security Requirements Engineering

Damjan Fujs
University of Ljubljana, Faculty of Computer and Information Science, Ljubljana, Slovenia
E-mail: damjan.fujs@fri.uni-lj.si

Thesis summary

Keywords: information security, software feature, training

Received: March 18, 2024

This article is an extended abstract of the doctoral dissertation entitled "Tailoring security-related software and training requirements to users based on their categorization" [1]. Security has traditionally been ensured by technical solutions in the concluding stages of software development. Because security is treated as an additional function, a vulnerability is fixed with security patches only after it occurs. However, the importance of human factors is increasingly being recognized, as technical solutions alone are not enough to close security gaps. To address this shortcoming, we proposed an approach that addresses technical as well as human aspects simultaneously, already in the initial stages of software development.

Povzetek (Slovene summary): The doctoral dissertation entitled »Prilagajanje z varnostjo povezanih zahtev za programsko opremo in usposabljanja uporabnikov na podlagi njihove kategorizacije« (Tailoring security-related software and training requirements to users based on their categorization) is presented.

1 Introduction

The number of cyber security threats is increasing, and so are their impact and the severity of their consequences [4]. Although established technical information security mechanisms can be effective, human factors remain one of the key challenges in ensuring information security, because people are the weakest link in information security [3].

The main objective of the doctoral dissertation was to investigate how the technical and human aspects of information security can be addressed simultaneously to improve overall information security.

2 Methods

Our approach consists of two main phases and three steps. In the first phase, we developed a novel approach for tailoring information security training requirements (iSTR) based on end-user categorization according to their different levels of information security performance. In the second phase, we developed an approach for balancing information security software requirements (iSSR) and iSTR (see Figure 1). The overall approach is based on existing studies in the field of software requirements engineering, human aspects of information security (user groups), information security standards, and security-related software requirements and training.

To test the proposed approach, we conducted an experiment (our main research method) among experienced information system professionals from the wider field of software development (N=128). For the needs of the experiment, we prepared supporting artefacts in which we introduced the basic concepts, the research process and additional explanations to the participants. Participants were randomly assigned to an experimental (N=66) or control group (N=62).

3 Results

The main result shows a clear difference between the two groups in favour of the experimental group. The difference between the two groups is statistically significant (p-value < 0.001). Assessments of evaluators (i.e., experienced experts in the field of information security) show that the requirements created by the experimental group were better than the requirements created by the control group.

In addition, we conducted a post-hoc survey in which we asked the participants of the experiment about three indicators: complexity, compatibility and usefulness. The results are statistically significant (p-value < 0.001) for usefulness. These results indicate that the participants in the experimental group did not perceive our approach as significantly more complex or less consistent with their knowledge. In addition, participants in the experimental group found our approach significantly more useful than the approach they used in the control group.

[Figure 1: diagram relating Requirements Engineering (RE, process), Security Requirements Engineering (SRE, process), information Security Requirements (iSR, artefacts) and information Security Software Requirements (iSSR), connected by "Select", "Select" and "Define" arrows; legend omitted.]

Figure 1: Main research concepts and their relationship. The green color shows our contribution (i.e. our approach that enables balancing iSSR and iSTR), while the grey color represents elements that are already established in the literature. Figure modified from Fujs [1].

4 Conclusion

The following contributions to science in the field of computer and information science are presented in the doctoral dissertation [1]:

1. A novel approach for identifying information security-related training requirements based on end-user categorization of their information security performance (security-related knowledge, attitudes and behaviors).

2. A novel approach that allows iSSR and iSTR to be considered simultaneously based on end-user categorization.

Acknowledgements

The author would like to thank the mentors (Damjan Vavpotič and Simon Vrhovec) and committee (Denis Trček, Igor Bernik, Steffen Wendzel and Tomaž Curk). Many thanks to the President of the World Federation of Scientists, Prof Antonino Zichichi, for granting a scholarship to support the completion of the author's doctoral studies.

References

[1] Fujs, D. (2024). Tailoring security-related software and training requirements to users based on their categorization [Doctoral dissertation]. Repository of the University of Ljubljana.

[2] Fujs, D., Vrhovec, S., & Vavpotič, D. (2023). Balancing software and training requirements for information security. Computers & Security, 134, 103467. https://doi.org/10.1016/j.cose.2023.103467

[3] Wiley, A., McCormac, A., & Calic, D. (2020). More than the individual: Examining the relationship between culture and Information Security Awareness. Computers & Security, 88, 101640. https://doi.org/10.1016/j.cose.2019.101640

[4] European Union Agency for Cybersecurity, Svetozarov Naydenov, R., Malatras, A., Lella, I., Theocharidou, M., Ciobanu, C., & Tsekmezoglou, E. (2022). ENISA threat landscape 2022. https://doi.org/10.2824/764318