The Impact of Neglecting Domain-Specific Security and Privacy Requirements
2007 (English)
In: Proceedings of the 12th Nordic Workshop on Secure IT Systems (Nordsec 2007), 2007
Conference paper (Other academic)
In a previous field study of eleven software projects, including e-business, health care and military applications, we documented current practice in security requirements. The overall conclusion of the study was that security requirements are poorly and inconsistently specified. However, two important questions remained open: what are the reasons for the inconsistencies, and what is the impact of such poor security requirements? In this paper we seek the answers by performing in-depth interviews with three of the customers from the previous study. The interviews show that mature producers of software (in this case IBM, Cap Gemini, and WM-Data) compensate for poor requirements in areas within their expertise, namely software engineering. But in the case of security and privacy requirements specific to the customer domain, such compensation is not found. In all three cases this has led to security and/or privacy flaws in the systems. Our conclusion is that special focus needs to be put on domain-specific security and privacy needs when eliciting customer requirements.
Keywords: security and privacy requirements, requirements engineering
Identifiers
URN: urn:nbn:se:liu:diva-90026
OAI: oai:DiVA.org:liu-90026
DiVA: diva2:611268
The 12th Nordic Workshop on Secure IT Systems (Nordsec 2007), October 11-12, 2007, Reykjavik, Iceland