Evaluating Organization Security: User Stories of European Union NIS2 Directive
By: Mari Seeba, Magnus Valgre, Raimundas Matulevičius
Potential Business Impact:
Helps companies meet new online safety rules.
The NIS2 directive requires EU Member States to ensure a consistently high level of cybersecurity by setting risk-management measures for essential and important entities. Evaluations are necessary to assess whether the required security level is met. This involves understanding the needs and goals of the different personas defined by NIS2 who benefit from evaluation results. In this paper, we consider how NIS2 user stories support the evaluation of the level of information security in organizations. Using requirements elicitation principles, we extracted the legal requirements from NIS2 within our narrowed scope, identified six key personas and their goals, formulated user stories based on the gathered information, and validated the usability and relevance of the user stories against security evaluation instruments and methods found in the literature. The defined user stories help to adjust existing instruments and methods for assessing the security level so that they comply with NIS2. In addition, the user stories reveal patterns related to security evaluation that can guide the development of new NIS2-compliant security evaluation methods and reduce the administrative burden on entities.