Strategies for Developing Policies and Requirements for Secure Electronic Commerce Systems

While the Internet is dramatically changing the way business is conducted, security and privacy issues are of deeper concern than ever before. A primary fault in evolutionary electronic commerce systems is the failure to adequately address security and privacy issues; therefore, security and privacy policies are either developed as an afterthought to the system or not at all. One reason for this failure is the difficulty in applying traditional software requirements engineering techniques to systems in which policy is continually changing due to the need to respond to the rapid introduction of new technologies which compromise those policies. Security and privacy should be major concerns from the onset, but practitioners need new systematic mechanisms for determining and assessing security and privacy. To provide this support, we employ scenario management and goal-driven analysis strategies to facilitate the design and evolution of electronic commerce systems. Risk and impact assessment is critical for ensuring that system requirements are aligned with an enterprise's security policy and privacy policy. Consequently, we tailor our goal-based approach by including a compliance activity to ensure that all policies are reflected in the actual system requirements. Our integrated strategy thus focuses on the initial specification of security policy and privacy policy and their operationalization into system requirements. The ultimate goal of our work is to demonstrate viable solutions for supporting the early stages of the software lifecycle, specifically addressing the need for novel approaches to ensure security and privacy requirements coverage.
