Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems

While the Internet is dramatically changing the way business is conducted, security and privacy issues are of deeper concern than ever before. A primary fault in evolutionary electronic commerce systems is the failure to adequately address security and privacy issues; therefore, security and privacy policies are either developed as an afterthought to the system or not at all. One reason for this failure is the difficulty in applying traditional software requirements engineering techniques to systems in which policy is continually changing due to the need to respond to the rapid introduction of new technologies which compromise those policies. Security and privacy should be major concerns from the onset, but practitioners need new systematic mechanisms for determining and assessing security and privacy. To provide this support, we employ scenario management and goal-driven analysis strategies to facilitate the design and evolution of electronic commerce systems. Risk and impact assessment is critical for ensuring that system requirements are aligned with an enterprise’s security policy and privacy policy. Consequently, we tailor our goalbased approach by including a compliance activity to ensure that all policies are reflected in the actual system requirements. Our integrated strategy thus focuses on the initial specification of security policy and privacy policy and their operationalization into system requirements. The ultimate goal of our work is to demonstrate viable solutions for supporting the early stages of the software lifecycle, specifically addressing the need for novel approaches to ensure security and privacy requirements coverage.