Security policies determine which security requirements have to be met in a domain and how they are implemented organizationally and/or technically. However, their specification at run-time poses a challenge for policy authors (e.g., IT administrators or end users), especially if they are inexperienced in this task. Thus, specification interfaces have to guide the policy author during the specification process. However, matching appropriate specification processes to the policy authors' individual needs is challenging due to a high variability in the authors' skill levels and security perceptions. In this paper, we identify existing specification approaches, derive generic specification paradigms and show the feasibility of one of them in an industrial case study.