Expressing Security Requirements: Usability of Taxonomy-Based Requirement Identification Scheme

Abstract

Users want to enjoy online services without sacrificing their security. Although there is a trade-off between the security of a service and its usability, the level of security required will differ depending on the user and the situation. To optimize the balance between security and usability, that balance can be customized for each user and each online transaction. Yet in order to do that, both users and service providers need to stipulate their security requirements. We have been working on a framework that provides security requirement classifications in multiple dimensions to help users identify and select their security requirements, and then apply these requirements to different dimensions. This paper shows how we implemented this framework and then evaluated it by conducting a user study along with our implementation. The study verifies that ordinary users without any particular technical knowledge prefer to clarify their security requirements using a taxonomy-based selection scheme (our scheme) as opposed to a free-form input scheme. The paper also discusses the coverage of pre-defined taxonomies and users' requirements. Through this study, we clarify the future direction of our research.

Publication
SERVICES 2014
Shin'ichiro Matsuo
Research Professor of Computer Science

Cryptographer, and the acting co-chair of Blockchain Governance Initiative Network (BGIN).