Integrating Security and Systems Engineering: Towards the Modelling of Secure Information Systems

Security is a crucial issue for information systems. Traditionally, security is considered after the definition of the system. However, this approach often leads to problems, which translate into security vulnerabilities. From the viewpoint of the traditional security paradigm, it should be possible to eliminate such problems through better integration of security and systems engineering. This paper argues for the need to develop a methodology that considers security as an integral part of the whole system development process. The paper contributes to the current state of the art by proposing an approach that considers security concerns as an integral part of the entire system development process and by relating this approach to existing work. The different stages of the approach are described with the aid of a case study: a health and social care information system.
