Abstract
Because mainstream methods for developing Information Systems (IS) pay little attention to security, a number of information systems security (ISS) methods have been proposed. This paper analyzes the traditional, or conventional, approaches, namely normative standards (e.g. checklists, management standards and evaluation standards), formal methods, common-sense principles and risk management. These approaches are analyzed in the light of I) their research objectives; II) the organizational role they assign to IS security; III) the research approaches they use; IV) their applicability; and V) a conceptual meta-model for IS. The contribution of the paper is twofold. First, the analysis sheds new light on the underlying foundations of the conventional approaches. Second, it suggests several implications for researchers and practitioners.
Copyright information
© 2001 IFIP International Federation for Information Processing
Cite this paper
Siponen, M.T. (2001). A Paradigmatic Analysis of Conventional Approaches for Developing and Managing Secure IS. In: Dupuy, M., Paradinas, P. (eds) Trusted Information. SEC 2001. IFIP International Federation for Information Processing, vol 65. Springer, Boston, MA. https://doi.org/10.1007/0-306-46998-7_30
DOI: https://doi.org/10.1007/0-306-46998-7_30
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7389-6
Online ISBN: 978-0-306-46998-5