What question did this study set out to answer?

The aim is to create a unified model that combines normative and empirical security knowledge while assessing coverage and identifying gaps.

synapse

⌘+K

synapse

⌘+K

April 18, 2026Open Access

Coverage-Preserving Compilation of Normative and Empirical Security Knowledge

Key Points

The aim is to create a unified model that combines normative and empirical security knowledge while assessing coverage and identifying gaps.
Used AppSec Core to integrate security knowledge
Mapped requirements from external frameworks and practitioner content
Conducted a coverage assessment against a security manual
Identified and resolved claim gaps
Achieved 95% coverage after resolving identified gaps
Found only 4 genuine content gaps in the material
Evaluated against 5 frameworks with 91 mapped items

Abstract

We present a method for compiling normative and empirical application security knowledge into a unified, coverage-aware model. The method uses AppSec Core as the integration substrate: requirements from external frameworks and empirical content from a practitioner corpus are independently mapped to shared control objectives, then compared to assess coverage, identify gaps, and detect empirical extensions. Applied to a 15-chapter security manual (4,139 structural units) against 5 frameworks (91 mapped items): 95% coverage after claim-gap resolution, with only 4 genuine content gaps. This is Paper 2 of the SbD-ToE / AppSec Core research programme (P0: 10.17605/OSF.IO/7T849; P1: 10.17605/OSF.IO/WG8PV).

Coverage-Preserving Compilation of Normative and Empirical Security Knowledge

Key Points

Abstract

Cite This Study