Title :
User-Centered Information Security Policy Development in a Post-Stuxnet World
Author :
Faily, Shamal ; Fléchais, Ivan
Author_Institution :
Dept. of Comput. Sci., Univ. of Oxford, Oxford, UK
Abstract :
A balanced approach is needed for developing information security policies in Critical National Infrastructure (CNI) contexts. Requirements Engineering methods can facilitate such an approach, but these tend to focus on either security at the expense of usability, or vice-versa; it is also uncertain whether existing techniques are useful when the time available for applying them is limited. In this paper, we describe a case study where Usability and Requirements Engineering techniques were used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. We motivate and describe the approach taken while carrying out this case study, and conclude with three lessons informing future efforts to integrate Security, Usability, and Requirements Engineering techniques for secure system design.
Keywords :
security of data; systems analysis; water supply; Stuxnet worm; UK water company; balanced approach; critical national infrastructure; requirements engineering method; requirements engineering technique; usability technique; user-centered information security policy development; Analytical models; Context; Information security; Interviews; Unified modeling language; Usability; CAIRIS; KAOS; misuse cases; personas;
Conference_Titel :
Availability, Reliability and Security (ARES), 2011 Sixth International Conference on
Conference_Location :
Vienna
Print_ISBN :
978-1-4577-0979-1
Electronic_ISBN :
978-0-7695-4485-4
DOI :
10.1109/ARES.2011.111