Analysis of modern IS security development approaches: towards the next generation of social and adaptable ISS methods

Various modern approaches to Information Systems Security (ISS) development, influenced by, for example, information systems (IS) development methods, have been presented. While we see these approaches as serious attempts to improve ISS, they have not received much attention in the literature. One reason for this is that these methods have been developed by scholars from different research traditions and disciplines. This article first identifies the disciplines and research communities that underlie the modern ISS approaches. Second, the article reveals the assumptions behind these modern approaches. Finally, the article places these ISS approaches in a five-generational classification. It is argued that the extant ISS methods reside in the first four generations, and that future ISS methods should move towards the fifth generation: social and adaptable (empirically grounded) ISS methods.
