A New Paradigm for Adding Security Into IS Development Methods

Information system (IS) development methods pay little attention to security aspects. Consequently, several alternative approaches for designing and managing secure information systems (SIS) have been proposed. However, many of these approaches have shortcomings. These approaches lack fully comprehensive modeling schemes in terms of security, i.e. no single method covers all modeling needs. Rarely can these approaches be integrated into existing IS development methods. Also, these approaches do not facilitate the autonomy of developers. This paper describes a framework that helps us understand the fundamental barriers preventing the alternative SIS design approaches from more effectively addressing these shortcomings. This framework is illustrated with an example of a framework-based solution: meta-notation for adding security into IS development methods. Future research questions and implications for research and practice are presented.

[1]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[2]  Kalle Lyytinen,et al.  Two views of information modeling , 1987, Inf. Manag..

[3]  John McLean,et al.  The specification and modeling of computer security , 1990, Computer.

[4]  Juhani Iivari,et al.  The PIOCO Model for Information System Design , 1987, MIS Q..

[5]  Mikko T. Siponen,et al.  An Analysis of the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications , 2001 .

[6]  James Backhouse,et al.  Current directions in IS security research: towards socio‐organizational perspectives , 2001, Inf. Syst. J..

[7]  Simon N. Foley A taxonomy for information flow policies and models , 1991, Proceedings. 1991 IEEE Computer Society Symposium on Research in Security and Privacy.

[8]  Jean Hitchings A practical solution to the complex human issues of information security design , 1996, SEC.

[9]  James A. Senn,et al.  Challenges and strategies for research in systems development , 1992 .

[10]  Silvana Castano,et al.  Database Security , 1997, IFIP Advances in Information and Communication Technology.

[11]  Richard Baskerville Designing information systems security , 1988 .

[12]  Ross J. Anderson How to cheat at the lottery (or, massively parallel requirements engineering) , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[13]  Ravi S. Sandhu,et al.  Lattice-based access control models , 1993, Computer.

[14]  Detmar W. Straub,et al.  Coping With Systems Risk: Security Planning Models for Management Decision Making , 1998, MIS Q..

[15]  Ari Jaaksi,et al.  Our Cases with Use Cases , 1998, J. Object Oriented Program..

[16]  Sjaak Brinkkemper,et al.  Method engineering : principles of method construction and tool support : proceedings of the IFIP TC8, WG8.1/8.2 Working Conference on Method Engineering, 26-28 August 1996, Atlanta, USA , 1996 .

[17]  Helen L. James,et al.  Managing information systems security: a soft approach , 1996, Proceedings of 1996 Information Systems Conference of New Zealand.

[18]  RICHAFID BASKERVILLE,et al.  Information systems security design methods: implications for information systems development , 1993, CSUR.

[19]  Jean Hitchings Achieving an Integrated Design: The Way Forward for Information Security , 1995 .

[20]  K. Lyytinen A taxonomic perspective of information systems development: theoretical constructs and recommendations , 1987 .

[21]  Richard Baskerville,et al.  Structural artifacts in method engineering: the security imperative , 1996 .

[22]  J. J. Odell,et al.  A primer to method engineering , 1996 .

[23]  A Min Tjoa,et al.  Modelling Data Secrecy and Integrity , 1998, Data Knowl. Eng..

[24]  Alfred Menezes,et al.  Handbook of Applied Cryptography , 2018 .

[25]  Jan H. P. Eloff,et al.  A Methodology for the development of secure Application Systems , 1995 .

[26]  Richard Baskerville,et al.  Growing systems in emergent organizations , 1999, CACM.

[27]  Donn B. Parker,et al.  Fighting computer crime - a new framework for protecting information , 1998 .

[28]  Richard Baskerville,et al.  Amethodical systems development: the deferred meaning of systems development methods , 2000 .

[29]  Juhani Iivari,et al.  Levels of Abstraction as a Conceptual Framework for an Information System , 1989, ISCO.

[30]  Günther Pernul,et al.  COPS: a model and infrastructure for secure and fair electronic markets , 1999, Proceedings of the 32nd Annual Hawaii International Conference on Systems Sciences. 1999. HICSS-32. Abstracts and CD-ROM of Full Papers.

[31]  Kalle Lyytinen,et al.  Information systems development and data modelling: conceptual and philosophical foundations , 1995 .

[32]  Günther Pernul,et al.  Modelling secure and fair electronic commerce , 1998, Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217).