2016
Report
Title
Requirements elicitation and derivation of security policy templates - an industrial case study
Abstract
The technical or organizational enforcement of security policies is a necessity for modern enterprises such as DATEV eG. However, security policy specification is challenging, especially for users inexperienced in security. The provision of project- and domain-specific security policy templates can support users in the specification of security policies. However, existing elicitation approaches focus on general security requirements or risk assessment and do not support domain-specific policy template derivation. In this paper, we present a methodology for eliciting and deriving such security policy templates. We use and adapt established techniques known from requirements engineering to elicit assets, threats, and countermeasures. The policy templates, derived from the gathered information, are used to instantiate domain-specific security requirements at run-time. We successfully applied our method in an industrial case study at DATEV eG to show its applicability in principle.
Place of publication
Kaiserslautern