(Pro-)Seminar Engineering Responsible Information Systems


  • Submission of presentation slides (to your supervisor and Marco Konersmann): until Aug. 30, 6pm
  • Presentations will take place on:
    • Sep. 06., 11:30 - 15:30
    • Sep. 13., 11:30 - 15:30
    • in room B 017.
  • Submission of final version of article (to your supervisor and Marco Konersmann): until July 8th, 6pm
  • Submission of reviews (to your supervisor and Marco Konersmann): until June 17th, 6pm
  • Submission of draft article (to your supervisor and Marco Konersmann): until June 3rd, 6pm
  • Submission of outline (to your supervisor and Marco Konersmann): until May 6th, 6pm
  • Exam Registration: The topics are assigned. If you have been assigned to a topic, please register for the exam in KLIPS until 22.04.2019.
  • Assignment of Topics: Please send an e-mail with subject "[ERIS] Preferred Topics" containing a list of your preferred topics to Prof. Jan Jürjens and until 28. Feb 2019. Please see below for the most up-to-date list of topics we offer.
  • Informationensveranstaltung am 7.2.2019 um 12 Uhr in Raum: B015

Presentation Schedule

Please note that attendence at all presentations is obligatory for all participants.

Date Topic
Sep 6 Security and Privacy Cost-Benefit Approaches (slides)
Privacy Impact Assessment in Industrial Ecosystems (slides)
View-Extraction for Annotating Models with Security Properties (slides)
Do Quality and Security Metrics Allow the Prediction of Bugs and Vulnerabilites? (slides)
Sep 13 How to Write Security Requirements (slides)
Glossary Models (slides)
Software Accountability throughContrastive Explanations (slides)
Deanonymization and Reidentification Techniques (slides)



The participants will get to understand responsible information systems and the requirements on security-critical systems and its types of threats. Nowadays, machine learning, automation, and availability of vast amount of data enable the software systems to make more autonomous decisions. For instance, software might make decision in who get a loan, and which medical treatment a patient should take. The importance of these decisions makes fairness and nondiscrimination in software as important as software quality. Therefore, understanding "Engineering Responsible Information Systems" is pivotal in software design. In this (Pro)Seminar the participants get an overview of requirements engineering of data collection processes, and software models that comprise issues of responsible behaviors.


Moreover, the participants will get an overview of the existing techniques to avoid security risks and to repel threats. They will get to know of the special features of the management of security-related software projects, the benefit of security expenses and the relevant standards and regulations. Finally, they will have concentrated on model-based techniques for developing security-critical systems as well as analyzing and re-engineering of existing software, being able to evaluate gained practical experience and to get an overview of existing tools and its performance.

Guiding themes

The development and maintenance of responsible  and security-critical information systems are big challenges. There are many software-intense systems designed, implemented and in use that have serious security issues. We know from experience as well as from headlines about spectacular malfunction of systems or about successful attacks on them. The reasons are manifold. Sometimes the developers' required security awareness is missing, often the required knowledge for development processes, methods, techniques and tools is missing or they are not used as one supposes not to be able to afford a high time and cost expenditure with the current competitive pressure. In relation to the engineering or re-engineering of responsible and security-critical software systems the following questions need to be answered:


  • Which methods do exist for a comprehensive risk management with which experts are able to perform a complete analysis of the security and fairness risks of business processes and workflows and to derive proposals for appropriate treatments?
  • Which methods do exist for the engineering or re-engineering of security-critical software systems for the selection of suitable development processes and suitable tools as well as quality assurance?
  • Which tools do exist to automatically analyze e.g. business processes, UML specifications, source code and configuration files towards security?
  • Is it possible to intuitively specify security requirements with UML or CASE tools for example, such as AutoFocus? Do tools exist for simulation, consistency checking, code generation, verification and testing of security aspects?
  • Are the created models usable as documentation for certification against relevant standards?
  • Concerning responsible information systems, what are the protected information, and how is it possible to understand hidden information flows?


This seminar will take place as a two- or three-day block seminar short after the lecture period.

Links to KLIPS

Please note that the dates and rooms given for the seminar are also obligatory for the proseminar.

      Seminar topics

      1. Privacy and Security Cost-Benefit Approaches

      To ensure that their stakeholders’ privacy concerns are addressed systematically from the early development phases, organizations can perform a privacy enhancement of the system design. Such a privacy enhancement needs to account for three crucial types of input: First, risks to the rights of natural persons. Second, potential interrelations and dependencies among the privacy controls. Third,
      potential trade-offs regarding the costs of the controls.

      Introductory literature:

      2. Privacy Impact Assessment in Industrial Ecosystems

      According to Article 35 of the General Data Protection Regulation (GDPR), the data controllers are obligated to conduct a privacy impact assessment to ensure the protection of sensitive data. Failure to properly protect sensitive data may affect data subjects (customers) negatively, and damage the reputation of data processors. Conducting the proposed PIA methodology implies that the design of a system is analyzed and where necessary appropriate security and privacy measures are suggested to technically improve a concrete system design.

      Introductory literature:

      3. How to Write Security Requirements

      Tackling security issues as early as possible in the development process, thus during requirements elicitation,  is identified as a key factor to reduce security risks and costly rectifications. In many cases requirements have to be phrased textually for different reasons, e.g. to ensure legal liability for contractual documents. There exists many guidelines and template systems on how to phrase high quality requirements of different types, but are they sufficient to fully cover security needs?

      Introductory literature:

      4. Glossary Models

      One important part of each requirements documentation is a glossary defining all relevant terms. While this is often solved by a simple term-definition table with project specific terms, this is not enough to stay on top of things regarding possible misunderstandings. Terms can have different meanings in different contexts, even inside the same project, e.g. because they are imported by standards or other applicable documents. Furthermore, terms are interrelated, e.g. by references in their definitions. A means to represent these complex knowledge structures are Ontologies. While they are useful to build domain models, requirements engineering tools might strive for a more lightweight compromise. 

      Introductory literature:

      5. View-Extraction for Annotating Models with Security Properties

      In recent research, many approaches for considering security in early development phases have been developed. One example is UMLsec which allows software-engineers to annotate UML models with security annotations and check those for conciseness [1]. Unfortunately, it has been shown that large models are already without such an security extension difficult to understand [2]. To keep large models readable and understandable UML supports the concepts of views visualizing excerpts of the large model in the background [3]. Especially when UML models are reverse-engineered from sourcecode those views haven’t been used. A solution is to reconstruct those views at reverse engineering using for example approaches like model slicing [4].

      Introductory literature:

      [1] Jan Jürjens: Towards Development of Secure Systems Using UMLsec, FASE, pp. 187-200, 2001 - https://doi.org/10.1007/3-540-45314-8_14
      [2] Harald Störrle: On the impact of size to the understanding of UML diagrams, SoSyM, pp. 115-134, 2016 - https://doi.org/10.1007/s10270-016-0529-x
      [3] Object Management Group, OMG Unified Modeling LanguageTM (OMG UML), Specification, 2.5.1, 2017 - https://www.omg.org/spec/UML/2.5.1/
      [4] Gabriele Taentzer, Timo Kehrer, Christopher Pietsch, Udo Kelter: A Formal Framework for Incremental Model Slicing. FASE 2018: 3-20 - https://doi.org/10.1007/978-3-319-89363-1_1

      6. Do Quality and Security Metrics Allow the Prediction of Bugs and Vulnerabilites?

      Metics are a commen concept for estimating the design quality or security of software projects during development time. One of the most famous metric suits is the object-oriented metric suite of Chidamber and Kemerer [1]. Many other metric sets have been developed for measuring specific properies like quality or security. However, the open question is if metrics really allow the prediction of bugs and vulerabilities [2,3,4].

      Introductory literature:

      [1] Shyam R. Chidamber, Chris F. Kemerer: A Metrics Suite for Object Oriented Design. IEEE Trans. Software Eng. 20(6): 476-493 (1994) , https://ieeexplore.ieee.org/document/295895
      [2] Yonghee Shin, Laurie Williams: Is complexity really the enemy of software security? QoP 2008: 47-50, https://doi.org/10.1145/1456362.1456372
      [3] Seyyed Ehsan Salamati Taba, Foutse Khomh, Ying Zou, Ahmed E. Hassan, Meiyappan Nagappan: Predicting Bugs Using Antipatterns. ICSM 2013: 270-279, https://doi.org/10.1109/ICSM.2013.38
      [4] Jiang Zheng, Laurie A. Williams, Nachiappan Nagappan, Will Snipes, John P. Hudepohl, Mladen A. Vouk: On the Value of Static Analysis for Fault Detection in Software. IEEE Trans. Software Eng. 32(4): 240-253 (2006), https://doi.org/10.1109/TSE.2006.38

      7. Model-based Security and Data Minimization Conflict Checking

      English Only Topic! The supervisor speaks English only. Therefore the communication with the supervisor, the seminar paper and the presentation have to be in English as well.

      Departing from data minimization is considered as a necessary and foundational first step to engineer privacy-aware systems. Privacy breaches often do not come from loopholes in the applied privacy enhanced technologies, other threats are related to vulnerabilities in the underlying business processes and the architecture of the targeted system. A main sources for such vulnerabilities is conflicts between security and data minimization requirements which if they are propagated to the targeted system might endanger its users’ privacy. The key question is how to detect conflicts between security and data-minimization requirements using a mode-based approach?

      Introductory literature:

      8. Supporting Software Fairness by Design with Model-Based Information Flow Analysis

      English Only Topic! The supervisor speaks English only. Therefore the communication with the supervisor, the seminar paper and the presentation have to be in English as well.

      Due to the proliferation of machine learning and data mining into the decision-making activities of modern enterprises, there is a growing concern that users can be discriminated by a decision algorithms. A promising approach to encounter discrimination during the design of a system with automated decision-making components is to analyze the system's design models to detect possible unknown sources of discrimination based on information flow. The goal of this topic is to explore a practical software-fairness scenario by specifying the necessary design model and studying the applicability of selected information-flow analysis approaches.

      Introductory literature:

      9. Data Usage Control in Distributed Systems

      Access control describes the task to decide, whether it is allowed to read or write a specific piece of data or not. Once the (usually binary) decision is made, access control does not take into consideration later usages of the accessed data. In contrast, data usage control allows to specify and monitor how a piece of data may be used, even after an access has been granted. One challenge is to monitor and to enforce data usage policies in distributed systems. After reading the work, one should be able to understand, what the term data usage control means in the context of distributed systems and which concepts and approaches exist.

      Introductory literature:

      10. Deanonymization and Reidentification Techniques

      Anonymized data isn't always anonym. There are methods to deanonymize formerly anonymized data, e.g. by using additional information not included in an anonymized data set. Since more and more data is collected, the possibilities to gain additional information useful for reidentification as well as the chance to deanonymize some data increases. After defining anonymity and giving an overview of anonymity metrics, the goal is to summarize existing deanonymization and reidentification methods.

      Introductory Literature:


      The grade will take into account:

      • your written seminar paper of the following lengths:
        • Proseminar: 10 pages of main part / 6 pages of text without images
        • Seminar: 15 pages of main part / 10 pages of text without images
      • a presentation of the following lengths:
        • Proseminar: 20 minutes (+/- 2 minutes)
        • Seminar: 25 minutes (+/- 2 minutes)
      • active participation in discussions after the presentations of other participants
      • compliance with formal guidelines (in particular the timely and complete submission)
      • optionally the quality of the written reviews of two draft seminar papers of other participants

      Failing either presentation or the seminar paper automatically leads to failing the whole seminar. Plagiarism in one part immediately leads to failing the seminar and will be reported to the audit committee.


      We are really interested in accompanying feedback to directly respond to change requests. Please express your comments via e-mail. Many thanks!