Accepted in the workshop on Security, Privacy, and Identity Management in the Cloud (SECPID) 2016 at the 11th International Conference on Availability, Reliability and Security (ARES 2016) conference.
The elicitation and the analysis of security and privacy requirements are generally intended as being mainly performed by field experts. In this paper we show how it is possible to integrate practical Co-Creation processes into Security-and-Privacy-by-Design methodologies. In addition, we present some guidelines showing how it is possible to translate the high-level requirements obtained from the end-user engaging into verifiable low-level requirements and technological requirements. The paper demonstrates as well the feasibility of our approach by applying it in two realistic scenarios where the outsourcing of personal and sensitive data requires high-level of security and privacy.