A practical approach to stakeholder-driven determination of security requirements based on the GDPR
Session Block: Standards and Applications
09 Sep 2019, 03:40 PM - 04:00 PM (UTC)
Transforming Privacy Law into Practice | 9-10 September | University of Oxford

In order to develop secure software, security measures must be actively "built in" throughout the entire software development life cycle. The running application scenario is the routing of physical goods in the logistics industry, e.g., mail, packages, luggage.

When analyzing how to determine security requirements for software that controls routing decisions in the distribution of discrete physical goods, a first step is to derive requirements from stakeholder interests and threat scenarios [1]. Stakeholders in this specific context include the vendor, operator, supplier, sender, receiver, society, government, and law enforcement. Their interests are determined with reference to the security properties confidentiality, integrity, and availability as well as the privacy properties transparency, unlinkability, data minimisation, and intervenability. Threat scenarios are then identified by applying the STRIDE methodology, and each scenario is rated for risk using DREAD. Finally, security requirements are derived from the corresponding threat scenarios.

Extending the requirements mining to laws, a closer look is taken at the General Data Protection Regulation (GDPR), which applies to the processing of personal data in EU member states as well as to controllers established outside the EU that offer goods or services to data subjects in the EU. The GDPR requires not only that processing of personal data comply with the Regulation but also that this compliance be demonstrable (the accountability principle, Art. 5(2)); the principles of lawfulness and transparency are laid down in Art. 5(1)(a). However, the requirements defined in the articles and paragraphs of legislative texts are usually not directly serviceable for requirements engineering in software development. Therefore, the method KORA ("Konkretisierung rechtlicher Anforderungen", concretization of legal requirements) is used to derive software requirements from the GDPR. KORA was introduced by [2] and has been used in German legal research; it bridges the gap between abstract legal requirements and concrete technical requirements, and exemplary applications can be found in [3], [4], [5].

As a result, [6] identified 74 generic, reusable technical requirements for the software development process that satisfy the key principles of the GDPR. Each requirement can be traced back to the corresponding articles and recitals, which makes regulatory compliance demonstrable.

To demonstrate the applicability of these findings, the derived technical requirements are refined into technical design proposals for the specified application scenario of routing physical goods in the logistics industry. The technical design proposals are then matched to the previously determined STRIDE threat scenarios as well as to the security functional components (SFRs) of the Common Criteria. The result, for the development of an exemplary software product, is an overview that shows which technical requirements are connected to which legal GDPR requirements, Common Criteria security functional components, and STRIDE threat scenarios.
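The following is an added example, not code from the talk or from [6], showing how the two steps above fit together in practice: STRIDE threat scenarios for a parcel-routing service are rated with DREAD, ranked, and traced to derived technical requirements that carry their GDPR article references and Common Criteria SFR components, and two checks are run over the result (which rated threats have no mitigating requirement, and the per-requirement overview). The threat entries, requirement identifiers and texts, DREAD ratings, and the high/medium/low thresholds are all constructed for illustration and are not the 74 requirements or the mapping from the cited work.

```python
"""Added example, not code from the talk or the cited work: STRIDE threat
scenarios for a parcel-routing service are rated with DREAD and traced to
derived requirements, GDPR articles and Common Criteria SFRs. All entries,
ratings and thresholds below are constructed for illustration only."""
from dataclasses import dataclass
from statistics import mean

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Threat:
    tid: str
    stride: str        # one STRIDE category letter
    asset: str
    description: str
    dread: dict        # factor -> rating 1..10

    def risk(self) -> float:
        """Classic DREAD: mean of the five factors, each rated 1..10."""
        bad = [f for f in DREAD_FACTORS if not 1 <= self.dread.get(f, 0) <= 10]
        if bad:
            raise ValueError(f"{self.tid}: missing or out-of-range ratings {bad}")
        return mean(self.dread[f] for f in DREAD_FACTORS)

@dataclass(frozen=True)
class Requirement:
    rid: str
    text: str
    threats: tuple     # threat ids this requirement mitigates
    gdpr: tuple        # GDPR articles / recitals it traces back to
    cc_sfr: tuple      # Common Criteria SFR components it maps to

def risk_level(score: float) -> str:
    # Thresholds are an assumption of this example, not taken from the talk.
    return "high" if score >= 7.0 else "medium" if score >= 4.0 else "low"

def rank_threats(threats):
    """Highest DREAD risk first; ties broken by id for a stable report."""
    return sorted(threats, key=lambda t: (-t.risk(), t.tid))

def traceability(threats, requirements):
    """Threat id -> requirement ids that claim to mitigate it."""
    matrix = {t.tid: [] for t in threats}
    for r in requirements:
        for tid in r.threats:
            if tid not in matrix:
                raise KeyError(f"{r.rid} references unknown threat {tid}")
            matrix[tid].append(r.rid)
    return matrix

def coverage_gaps(threats, requirements, min_level="medium"):
    """Threats at or above min_level that no requirement mitigates."""
    order = {"low": 0, "medium": 1, "high": 2}
    matrix = traceability(threats, requirements)
    return [t.tid for t in rank_threats(threats)
            if order[risk_level(t.risk())] >= order[min_level] and not matrix[t.tid]]

def overview(threats, requirements):
    """One row per requirement: STRIDE categories, GDPR references, CC SFRs."""
    by_id = {t.tid: t for t in threats}
    return [(r.rid, ", ".join(sorted({STRIDE[by_id[t].stride] for t in r.threats})),
             ", ".join(r.gdpr), ", ".join(r.cc_sfr)) for r in requirements]

def rate(d, r, e, a, di):
    return dict(zip(DREAD_FACTORS, (d, r, e, a, di)))

# Constructed sample data for the parcel-routing scenario (not from [6]).
THREATS = [
    Threat("T-01", "T", "routing label", "label altered in transit, parcel rerouted", rate(8, 7, 6, 7, 6)),
    Threat("T-02", "I", "recipient address", "any operator terminal reads full recipient data", rate(7, 9, 8, 9, 8)),
    Threat("T-03", "R", "routing override", "operator denies having overridden a decision", rate(5, 6, 6, 4, 5)),
    Threat("T-04", "D", "routing service", "service flooded, parcels stall at the hub", rate(6, 5, 4, 9, 6)),
    Threat("T-05", "S", "consignment", "sender identity forged on a consignment", rate(6, 6, 5, 5, 7)),
]
REQUIREMENTS = [
    Requirement("R-01", "Routing data is integrity-protected end to end", ("T-01",),
                ("Art. 5(1)(f)", "Art. 32(1)(b)"), ("FDP_UIT.1", "FCS_COP.1")),
    Requirement("R-02", "Recipient data is shown only to the role that needs it", ("T-02",),
                ("Art. 5(1)(c)", "Art. 25(2)", "Art. 32(1)(b)"), ("FDP_ACC.1", "FDP_ACF.1")),
    Requirement("R-03", "Routing overrides are logged with reliable time stamps", ("T-03",),
                ("Art. 5(2)", "Art. 24(1)"), ("FAU_GEN.1", "FPT_STM.1")),
    Requirement("R-04", "Routing service is rate-limited and redundant", ("T-04",),
                ("Art. 32(1)(b)", "Art. 32(1)(c)"), ("FRU_RSA.1",)),
]

if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"{t.tid} {STRIDE[t.stride]:<22} {t.risk():.1f} {risk_level(t.risk())}")
    print("uncovered:", coverage_gaps(THREATS, REQUIREMENTS))
    for row in overview(THREATS, REQUIREMENTS):
        print(" | ".join(row))
```

Running the script ranks T-02 (information disclosure of recipient data) highest and reports T-05 (spoofed sender) as a rated threat with no mitigating requirement, which is exactly the kind of gap the matching step in the talk is meant to surface before design proposals are finalised. The `risk()` check refuses incomplete or out-of-range DREAD ratings so that a missing rating cannot silently lower a threat's score.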


  • 1) Introduction
    a) Domain
    b) Scenario
  • 2) Stakeholder interests
  • 3) Threat scenarios (STRIDE + DREAD)
  • 4) Deriving requirements from GDPR
    a) Method
    b) Categories
    c) Example: legal requirements
    d) Example: legal criteria
    e) Example: technical requirements
    f) Example: matching requirements from STRIDE + DREAD analysis, GDPR, and Common Criteria
  • 5) Conclusion & future work