Abstract

Security requirement engineering for services is in practice frequently performed by security non-experts. For them the security requirements and their dependencies are not directly known. To mitigate this, the paper suggests the usage of a business oriented security requirement profiles (e.g. VoIP, IP-TV...) containing information security, privacy, fraud/abuse, resilience and assurance requirements. The criteria and the creation process for such reusable and adaptable profiles are shown. Then the requirement profiles are set in context with a development process. We show how to stepwise adjust the profile to the actual service needs at development stages where the budget and knowledge are available. Finally, experiences from real projects are presented.