Abstract Information security is a hot topic nowadays, and while top-class technology exists to safeguard information assets, organizations cannot rely on technical controls alone. Information security policy (ISP) is one of the most important formal controls when organizations work with implementing information security. However, designing ISPs is a challenging task for information security managers and to ease the burden, computerized tools have been suggested to support this design task. One important prerequisite for developing such tools is the requirements. However, existing research has, to a very limited extent, synthesized existing requirements. Against this backdrop, this study aims to elicit a set of requirements, anchored in existing ISP research, for computerized tools that support ISP design. First, we summarize existing ISP research into 14 requirement themes. Second, we suggest a set of user stories that operationalize these requirement themes from an information security manager's perspective. Third, we suggest another set of user stories that operationalize the same requirement themes from an ISP user's perspective. In total, we suggest 28 user stories that can act as a starting point for both researchers and practitioners when developing computerized tools that provide ISP design support for information security managers.

中文翻译：

---

设计信息安全政策的计算机化工具要求

摘要 信息安全是当今的热门话题，虽然存在一流的技术来保护信息资产，但组织不能仅依靠技术控制。当组织实施信息安全时，信息安全策略 (ISP) 是最重要的正式控制之一。然而，设计 ISP 对信息安全管理人员来说是一项具有挑战性的任务，为了减轻负担，有人建议使用计算机工具来支持这项设计任务。开发此类工具的一个重要先决条件是需求。然而，现有的研究在非常有限的程度上综合了现有的需求。在此背景下，本研究旨在针对支持 ISP 设计的计算机化工具，提出一套以现有 ISP 研究为基础的要求。第一的，我们将现有的 ISP 研究总结为 14 个需求主题。其次，我们建议一组用户故事，从信息安全经理的角度来操作这些需求主题。第三，我们建议另一组用户故事，从 ISP 用户的角度来操作相同的需求主题。我们总共提出了 28 个用户故事，它们可以作为研究人员和从业人员在开发为信息安全管理人员提供 ISP 设计支持的计算机化工具时的起点。