Requirements Engineering for Improving Business/IT Alignment in Security Risk Management Methods

Information systems (IS) security within organizations is increasingly centred on risk management approaches. Central to these approaches is the need for a better understanding of the required alignment between the business view of the organization and the architecture of its underlying IS. The paper shows how requirements engineering techniques can be used to tackle this business/IT interoperability issue, and at the same time to clarify the underlying security risk management ontology.
