DocumentCode
1833503
Title
User-Centered Information Security Policy Development in a Post-Stuxnet World
Author
Faily, Shamal ; Fléchais, Ivan
Author_Institution
Dept. of Comput. Sci., Univ. of Oxford, Oxford, UK
fYear
2011
fDate
22-26 Aug. 2011
Firstpage
716
Lastpage
721
Abstract
A balanced approach is needed for developing information security policies in Critical National Infrastructure (CNI) contexts. Requirements Engineering methods can facilitate such an approach, but these tend to focus on either security at the expense of usability, or vice versa; it is also uncertain whether existing techniques are useful when the time available for applying them is limited. In this paper, we describe a case study where Usability and Requirements Engineering techniques were used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. We motivate and describe the approach taken while carrying out this case study, and conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design.
Keywords
security of data; systems analysis; water supply; Stuxnet worm; UK water company; balanced approach; critical national infrastructure; requirements engineering method; requirements engineering technique; usability technique; user-centered information security policy development; Analytical models; Context; Information security; Interviews; Unified modeling language; Usability; CAIRIS; KAOS; misuse cases; personas;
fLanguage
English
Publisher
ieee
Conference_Titel
Availability, Reliability and Security (ARES), 2011 Sixth International Conference on
Conference_Location
Vienna
Print_ISBN
978-1-4577-0979-1
Electronic_ISBN
978-0-7695-4485-4
Type
conf
DOI
10.1109/ARES.2011.111
Filename
6046026