Strategies for Developing Policies and Requirements for Secure E-Commerce Systems
Abstract
While the Internet is dramatically changing the way business is conducted, security and privacy issues are of deeper concern than ever before. A primary fault in evolutionary electronic commerce systems is the failure to adequately address security and privacy issues; therefore, security and privacy policies are either developed as an afterthought to the system or not at all. One reason for this failure is the difficulty in applying traditional software requirements engineering techniques to systems in which policy is continually changing due to the need to respond to the rapid introduction of new technologies which compromise those policies. Security and privacy should be major concerns from the outset, but practitioners need new systematic mechanisms for determining and assessing security and privacy. To provide this support, we employ scenario management and goal-driven analysis strategies to facilitate the design and evolution of electronic commerce systems. Risk and impact assessment is critical for ensuring that system requirements are aligned with an enterprise's security policy and privacy policy. Consequently, we tailor our goal-based approach by including a compliance activity to ensure that all policies are reflected in the actual system requirements. Our integrated strategy thus focuses on the initial specification of security policy and privacy policy and their operationalization into system requirements. The ultimate goal of our work is to demonstrate viable solutions for supporting the early stages of the software lifecycle, specifically addressing the need for novel approaches to ensure security and privacy requirements coverage.
Institution
NCSU Dept. of Computer Science
Note
To appear: Recent Advances in E-Commerce Security and Privacy,
Kluwer-Academic Publishers, 2001
Publication Date
2001-01-01
Keywords
Requirements engineering, Internet security and privacy policies, electronic commerce