Security policies can be defined using a separate module that may have interfaces to other applications to provide support for risk assessment and the development of a security strategy. This avoids high level mistakes and assures proper policy definition. A definition application that uses AS-API 2 needn't have knowledge about how the rules have to be inserted in the rule-base or about how the central management service communicates with other applications. The back-end processors from the security management service deal with implementation specific details of peripheral applications. If the security subsystem cannot handle the request, the management service notifies the definition application of the lacking functionality.