Information Systems Security and Privacy


Defining security requirements is the important first step in designing, implementing and evaluating a secure system. In this paper, we propose a formal approach for designing security requirements, which is flexible for a user to express his/her security requirements with different levels of details and for the system developers to take different options to design and implement the system to satisfy the user’s requirements. The proposed approach also allows the user to balance the required system security properties and some unfavorable features (e.g., performance degrading due to tight control and strong security). Given the importance of social-technical factors in information security, the proposed approach also incorporates economic and organizational security management factors in specifying user’s security requirements. We demonstrate the application of our approach with the help of a concrete pervasive information system.