Date Added: May 2011
A balanced approach is needed for developing information security policies in Critical National Infrastructure (CNI) contexts. Requirements engineering methods can facilitate such an approach, but these tend to focus on either security at the expense of usability, or vice-versa; it is also uncertain whether existing techniques are useful when the time available for applying them is limited. In this paper, the authors describe a case study where usability and requirements engineering techniques were used to derive missing requirements for an information security policy for a UK water company following reports of the Stuxnet worm. They motivate and describe the approach taken while carrying out this case study, and conclude with three lessons informing future efforts to integrate security, usability, and requirements engineering techniques for secure system design.