Aligning Security and Privacy to Support the Development of Secure Information Systems

The increasing dependency on information systems to process and manage sensitive information requires the use of development methods that support the development of secure and private information systems. The literature provides examples of methods that focus on security and privacy individually, but it fails to provide evidence of information systems development methods that consider security and privacy in a unified framework. Security and privacy are closely related; in particular, certain security properties and mechanisms support the achievement of privacy goals. Without a development framework that supports developers in explicitly modelling that relationship, conflicts and vulnerabilities can be introduced into a system design that might endanger its security. In this paper, we present our work in developing a framework that supports the unified analysis of privacy and security. In particular, we present a meta-model that combines concepts from security and privacy requirements methods, such as security and privacy goals, properties, constraints, and actor and process patterns within a social context. A real case study is employed to demonstrate the applicability of our work.
