In the deliverable document "State of the art in Organisation & Business", the latest trends and evolutions are described through methodologies (for actually deriving the solutions from the informal requirements), languages (used for describing properties), systems and solutions (that support the languages or are an implementation of them) and industry/academic standards. Six areas have been defined:
- Security Engineering
- Dependability Engineering
- Privacy Engineering
- Content Protection systems
- Business Models and Security
- Legal models and Management standards
Key findings:
Security at organizational level
A number of management standards exist to specify security policies at the organizational level that can eventually be refined down to low-level protection measures. The EU legislation and the national legislations that implement it also have similar template forms and guidance for privacy and security policies.
Yet, the standards do not deal with the choice between alternatives; they only offer a classification and a structure to the security experts who lay down the policy. Only recently have a number of proposals also started to design methodologies that support the structured design of security policies and security solutions at enterprise level. Indeed, in the IT market it is often the case that the drafting of a security policy is outsourced to consultants who simply describe the existing situation of the corporation.
Security at engineering level
The situation is somewhat the opposite in the domain of security requirements engineering. Recent years have seen a major interest in the development of requirements engineering methodologies that are able to capture security requirements.
Some works have focused on modelling security and privacy concepts within existing requirements engineering frameworks, for example Tropos/i*. Others have modified the requirements engineering constructs to account for special constructs for privacy and security. The most notable proposal is UMLsec, where security tags are added to UML constructs. Abuse cases have been introduced: interactions between a system and one or more actors, where the results are harmful to the system or to one of the stakeholders of the system.
The concept of a misuse case, the inverse of a use case, describes a function that the system should not allow. An analogous proposal introduces the notion of anti-goals, i.e., goals of the attacker that can be refined. A framework extending Tropos considers security during the whole process of requirements analysis, and trust and delegation relationships are used to model the interactions among the actors involved in the system. Many of these proposals are backed by formal analysis tools that can support the requirements engineer in the validation and verification of the analysis.
Here, what seems missing is the proof-of-concept ability to support organizations in the definition of complex security policies as dictated by ISO security standards (e.g. ISO 17799, since renumbered ISO/IEC 27002) or complex national Data Protection Legislation. It should be possible to use the RE methodology to derive the policy itself through its refinement mechanism, and then to verify and validate that same policy with the analysis tools available in the framework. In contrast, many papers present the methodology and supply some (toy) examples, but only a handful describe complex case studies that really cope with the complexity required by ISO 17799 compliance.
In the realm of privacy modelling and support we find sophisticated proposals such as the Enterprise Privacy Authorization Language (EPAL), developed by IBM, which enables an enterprise to formalize the exact privacy policy that shall be enforced within the enterprise. An EPAL policy is essentially a set of privacy rules, each of which names a data user, an action, a data category and a purpose, together with conditions and obligations. P3P (the W3C Platform for Privacy Preferences), on the other hand, aims at formalizing the privacy statements that an enterprise publishes. Its goal is to define a machine-readable equivalent of the human-readable privacy promises published as a privacy statement on a web page. Unlike EPAL, P3P defines a global terminology that can be used to describe the privacy promises of any enterprise.
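The rule structure described above (data user, action, data category, purpose, condition, obligations) is easiest to understand by evaluating a request against it. The following is an added illustration written for this page; it is neither the EPAL specification nor IBM's implementation, and it simplifies EPAL's semantics to two ideas: vocabulary elements are arranged in hierarchies (a rule on "contact-info" covers "email"), and the first applicable rule in precedence order decides, falling back to a default ruling. All category names, purposes and obligations are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Context = Dict[str, object]

# Child -> parent hierarchies for the vocabulary (constructed sample data).
# A rule written against a parent element covers every descendant of it.
SAMPLE_HIERARCHIES = {
    "user": {"marketing-team": "employees", "billing-team": "employees"},
    "data": {"email": "contact-info", "phone": "contact-info",
             "contact-info": "personal-data"},
    "purpose": {"newsletter": "marketing", "marketing": "any", "billing": "any"},
}


def covers(rule_value: str, value: str, hierarchy: Dict[str, str]) -> bool:
    """True if `value` equals `rule_value` or is below it in the hierarchy."""
    while True:
        if value == rule_value:
            return True
        parent = hierarchy.get(value)  # unknown elements have no parent
        if parent is None:
            return False
        value = parent


@dataclass(frozen=True)
class Rule:
    ruling: str                          # "allow" or "deny"
    user_category: str                   # the data user
    action: str
    data_category: str
    purpose: str
    condition: Optional[Callable[[Context], bool]] = None
    obligations: Tuple[str, ...] = ()    # duties imposed when the rule applies


@dataclass
class Policy:
    rules: List[Rule]                    # precedence order: first applicable rule decides
    hierarchies: Dict[str, Dict[str, str]]
    default_ruling: str = "deny"

    def evaluate(self, user_category: str, action: str, data_category: str,
                 purpose: str, context: Optional[Context] = None
                 ) -> Tuple[str, Tuple[str, ...]]:
        """Return (ruling, obligations) for a request; a rule applies only if
        all four elements cover the request and its condition holds."""
        ctx = context or {}
        for r in self.rules:
            if r.action != action:
                continue
            if not covers(r.user_category, user_category, self.hierarchies["user"]):
                continue
            if not covers(r.data_category, data_category, self.hierarchies["data"]):
                continue
            if not covers(r.purpose, purpose, self.hierarchies["purpose"]):
                continue
            if r.condition is not None and not r.condition(ctx):
                continue                 # condition false: rule is not applicable
            return r.ruling, r.obligations
        return self.default_ruling, ()   # no rule applied: policy default


def build_sample_policy() -> Policy:
    """Constructed policy: marketing may read contact data only with consent
    (and must log and purge), billing may read e-mail, everything else by
    employees on personal data is denied, unknown users hit the default."""
    rules = [
        Rule("allow", "marketing-team", "read", "contact-info", "marketing",
             condition=lambda ctx: ctx.get("consent") is True,
             obligations=("log-access", "delete-after-30-days")),
        Rule("allow", "billing-team", "read", "email", "billing",
             obligations=("log-access",)),
        Rule("deny", "employees", "read", "personal-data", "any"),
    ]
    return Policy(rules, SAMPLE_HIERARCHIES)


if __name__ == "__main__":
    p = build_sample_policy()
    print(p.evaluate("marketing-team", "read", "email", "newsletter", {"consent": True}))
    print(p.evaluate("marketing-team", "read", "email", "newsletter", {"consent": False}))
    print(p.evaluate("billing-team", "read", "email", "billing"))
    print(p.evaluate("contractor", "read", "email", "billing"))
```

Note that a failed condition does not deny by itself: the rule is simply skipped and a later, more general rule (here the blanket deny on personal data) decides, which is why rule ordering matters as much as the rules' content.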
To learn more about SERENITY, the consortium and its activities, to discuss with the partners and to participate in this initiative, see the project forum, portal and website.