Here you will find scientific publications from the Fraunhofer Institutes.

Requirements elicitation and derivation of security policy templates - an industrial case study

Rudolph, Manuel; Feth, Denis; Doerr, Joerg; Spilker, Joerg


Institute of Electrical and Electronics Engineers -IEEE-; IEEE Computer Society:
IEEE 24th International Requirements Engineering Conference, RE 2016. Proceedings : 12-16 September 2016, Beijing, China
Los Alamitos, Calif.: IEEE Computer Society Conference Publishing Services (CPS), 2016
ISBN: 978-1-5090-4122-0 (Print)
ISBN: 978-1-5090-4121-3 (Online)
International Requirements Engineering Conference (RE) <24, 2016, Beijing>
Conference Paper
Fraunhofer IESE
requirements elicitation; industry transfer; case study; DATEV eG

The technical or organizational enforcement of security policies is a necessity for modern enterprises such as DATEV eG. However, security policy specification is challenging, especially for users inexperienced in security. The provision of project- and domain-specific security policy templates can support users in the specification of security policies. However, existing elicitation approaches focus on general security requirements or risk assessment and do not support domain-specific policy template derivation. In this paper, we present a methodology for eliciting and deriving such security policy templates. We use and adapt established techniques known from requirements engineering to elicit assets, threats, and countermeasures. The policy templates, derived from the gathered information, are used to instantiate domain-specific security requirements at run-time. We successfully applied our method in an industrial case study at DATEV eG to show its applicability in principle.