How to Model a Secure Information System (IS): A Case Study

 Abstract—The existing information system (IS) developments methods are not met the requirements to resolve the security related (IS) problems and they fail to provide a successful integration of security and systems engineering during all development process stages. Hence, the security should be considered during the whole software development process and identified with the requirements specification. This paper aims to propose an integrated security and IS engineering approach in all software development process stages by using i* language. This proposed framework categorizes into three separate parts: modelling business environment part, modelling information technology system part and modelling IS security part. Booking hotel room management process is used as a case study to validate the proposed framework. The results show that considering security IS goals in the whole system development process can have a positive influence on system implementation and better meet business expectations.

[1]  John Mylopoulos,et al.  AI Models for Business Process Reengineering , 1996, IEEE Expert.

[2]  Lawrence Chung,et al.  Dealing with Non-Functional Requirements: Three Experimental Studies of a Process-Oriented Approach , 1995, 1995 17th International Conference on Software Engineering.

[3]  Andreas Schaad,et al.  Model-driven business process security requirement specification , 2009, J. Syst. Archit..

[4]  Jan Jürjens,et al.  From goal-driven security requirements engineering to secure design , 2010 .

[5]  Bashar Nuseibeh,et al.  A framework for security requirements engineering , 2006, SESS '06.

[6]  David A. Basin,et al.  SecureUML: A UML-Based Modeling Language for Model-Driven Security , 2002, UML.

[7]  Eric S. K. Yu,et al.  Towards modelling and reasoning support for early-phase requirements engineering , 1997, Proceedings of ISRE '97: 3rd IEEE International Symposium on Requirements Engineering.

[8]  John P. McDermott,et al.  Using abuse case models for security requirements analysis , 1999, Proceedings 15th Annual Computer Security Applications Conference (ACSAC'99).

[9]  Mario Piattini,et al.  Secure business process model specification through a UML 2.0 activity diagram profile , 2011, Decis. Support Syst..

[10]  Andreas L. Opdahl,et al.  Eliciting security requirements with misuse cases , 2004, Requirements Engineering.

[11]  Luiz Marcio Cysneiros,et al.  Designing for privacy and other competing requirements , 2002 .

[12]  Fei Liu,et al.  Business Process Modelling Towards Derivation of Information Technology Goals , 2012, 2012 45th Hawaii International Conference on System Sciences.

[13]  Richard Lai,et al.  Managing Security Requirements: Towards Better Alignment Between Information Systems And Business , 2011, PACIS.

[14]  Eric Dubois,et al.  Requirements Engineering for Improving Business/IT Alignment in Security Risk Management Methods , 2007, IESA.

[15]  Stefan Fenz,et al.  Integration of an Ontological Information Security Concept in Risk Aware  Business Process Management , 2008, Proceedings of the 41st Annual Hawaii International Conference on System Sciences (HICSS 2008).

[16]  John Mylopoulos,et al.  Security and privacy requirements analysis within a social setting , 2003, Proceedings. 11th IEEE International Requirements Engineering Conference, 2003..

[17]  Axel van Lamsweerde,et al.  Handling Obstacles in Goal-Oriented Requirements Engineering , 2000, IEEE Trans. Software Eng..

[18]  Ross J. Anderson Security engineering - a guide to building dependable distributed systems (2. ed.) , 2001 .

[19]  Stephen Fickas,et al.  Goal-directed concept acquisition in requirements elicitation , 1991, Proceedings of the Sixth International Workshop on Software Specification and Design.

[20]  Eric Yu,et al.  Modeling Strategic Relationships for Process Reengineering , 1995, Social Modeling for Requirements Engineering.

[21]  Jan Jürjens,et al.  Towards Development of Secure Systems Using UMLsec , 2001, FASE.

[22]  Birgit Pfitzmann,et al.  Security in Business Process Engineering , 2003, Business Process Management.