Abstract
Information system (IS) development methods pay little attention to security aspects. Consequently, several alternative approaches for designing and managing secure information systems (SIS) have been proposed. However, many of these approaches have shortcomings. These approaches lack fully comprehensive modeling schemes in terms of security, i.e. no single method covers all modeling needs. Rarely can these approaches be integrated into existing IS development methods. Also, these approaches do not facilitate the autonomy of developers. This paper describes a framework that helps us understand the fundamental barriers preventing the alternative SIS design approaches from more effectively addressing these shortcomings. This framework is illustrated with an example of a framework-based solution: meta-notation for adding security into IS development methods. Future research questions and implications for research and practice are presented.
Chapter PDF
Similar content being viewed by others
Key words
References
Anderson, R., (1999), How to Cheat at the Lottery (or, Massively Parallel Requirements Engineering), Annual Computer Security Applications Conference (ACSAC99).
Baskerville, R., (1988), Designing Information Systems Security. John Wiley Information System Series.
Baskerville, R., (1989), “Logical Controls Specification: An approach to information system Security”, In H. Klein & K. Kumar (eds.) systems development for human progress. Amsterdam: North-Holland.
Baskerville, R., (1993), Information Systems Security Design Methods: Implications for information Systems Development. ACM Computing Surveys 25,(4) December, pp. 375–414.
Baskerville, R. (1996). Structural Artifacts in Method Engineering: The Security Imperative. In S. Brinkkemper & K. Lyytinen & R. Welke (Eds.), Method Engineering (pp. 8–28). London: Chapman & Hall.
Booysen, H.A.S., & Eloff, J.H.P., (1995), A Methodology for the development of secure Application Systems. In proceeding of the 11th IFIP TC11 international conference on information security, IFIP/SEC95.
Brinkkemper, S., Lyytinen, K., & Welke, R. (Eds.). (1996). Method Engineering. London: Chapman & Hall.
Castano, S., Fugini, M., Martell, G., & Samarati, P., (1995), Database Security. Addison-Wesley.
Dhillon, G. and Backhouse, J., (2001), Current directions in IS security research: toward socio-organizational perspectives. Information Systems Journal. Vol 11, No 2.
Ellmer, E., Pemul, G., Kappel, G., (1995), Object-Oriented Modeling of Security Semantics. In: Proceedings of the 11th Annual Computer Society Applications Conference (ACSAC’95). IEEE Computer Society Press.
Foley, S.N., (1991), A Taxonomy for Information Flow Policies and Models. Proceedings of the 1991 IEEE Computer Security Symposium on Research in Security and Privacy.
Hirschheim, R., Klein, H. K., & Lyytinen, K., (1995), Information Systems Development and Data Modelling: Conceptual and Philosophical Foundations. Cambridge University Press, UK.
Hitchings, J., (1995), Achieving an Integrated Design: The Way forward for Information Security. Proceedings of the IFIP TC 11 eleventh international conference on information security, IFIP/SEC’95.
Hitchings, J., (1996), A Practical solution to the complex human issues of information security design. Proceedings of the 12th IFIP TC11 international conference on information security, IFIP/SEC’96.
Iivari, J., (1989), Levels of abstraction as a Conceptual Framework for an Information Systems. In E. D. Falkenberg and P. Lindgreen (eds): Information System Concepts: An In-depth Analysis. North-Holland, Amsterdam.
Iivari, J & Koskela, E., (1987), The PIOCO model for IS design, MIS Quarterly, Vol. 11, No. 3, pp. 401–419.
Jaaksi, A., (1998), Our Cases with Use Cases. Joumal of Object-Oriented Programming, vol.10, no. 9, pp. 58–65.
Jocobson, I., Christerson, P. Jonsson, P., Övergaard, G., (1992), A Use Case Driven Approach. Addison-Wesley Publishing Company.
James, H.L., (1996), Managing information systems security: a soft approach. Proceedings of the Information Systems Conference of New Zealand. IEEE Society Press.
Kumar, K. & Welke, R.J., (1992), Methodology engineering: A Proposal for situation-specific Methodology construction. In W.W. Cotterman & J.A. Senn (eds): Challenges and Strategies for research in systems development, pp. 257–269.
Lyytinen, K., (1987), Two Views on Information Modeling. Information & Management, Vol. 12, pp. 9–19.
Lyytinen, K., (1991), A Taxonomic Perspective of Information Systems Development: Theoretical Constructs and Recommendations. In R.J. Boland & R.A. Hirscheim (ed): Critical Issues in Information Systems Research, John Wiley & Sons Ltd.
McDermott, J. & Fox, C., “Using abuse case models for security requirements”, Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC). IEEE Computer Society Press (1999).
McLean, J., (1990), The specification and modelling of computer security. IEEE Computer. January, vol. 23, issue 1, pp. 9–16.
Menezes, A.J., van Oorschot, P.C. and Vanstone, S.C., (1999), Handbook of Applied Cryptography. CRC Press, USA.
Odell, J.J. (1996). A primer to method engineering. In S. Brinkkkemper & K. Lyytinen & R. Welke (Eds.), Method Engineering: Principles of method construction and tool support (pp. 1–7). London: Chapman & Hall.
Parker, D.B., (1998), Fighting Computer Crime-A New Framework for Protecting Information. Wiley Computer Publishing. USA.
Pemul, G., Tjoa A. M., & Winiwarter, W., (1998), Modelling Data Secrecy and Integrity. Data & Knowledge Engineering. Vol. 26, pp. 291–308. North Holland.
Röhm, A.W., Pernul, G. & Henmann, G., (1998), Modelling secure and fair electronic commerce. Proceedings of the 14th Annual Computer Security Applications Conference, 1998.
Röhm, A.W., Pernul, G., (1999), COPS: a model and infrastructure for secure and fair electronic markets. Proceedings of the 32nd Annual Hawaii International Conference on Systems Sciences (HICSS-32).
Sandhu, R.S., (1993), Lattice-based access controls. IEEE Computer. Vol. 26, no. 11, November, pp. 9–19.
Siponen, M.T., (2001), An analysis of the recent IS security development approaches: descriptive and prescriptive implications. In: G. Dhillon (eds:) Information Security Management-Global Challenges in the Next Millennium, Idea Group (2001).
Summers, R.C., (1997), Secure Computing: Treats and Safeguards. McGraw-Hill.
Straub, D.W. & Welke, R.J., (1998), Coping with Systems Risk: Security Planning Models for Management Decision Making. MIS Quarterly, Vol. 22, No. 4, p. 441–464.
Truex, D.P., Baskerville, R., & Klein, H. K. (1999). Growing Systems in an Emergent Organization. Communications of The ACM, 42(8), 117–123.
Truex, D., Baskerville, R., & Travis, J. (2000). Amethodical Systems Development: The Deferred Meaning of Systems Development Methods. Accounting, Management and Information Technology, 10, 53–79.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Siponen, M., Baskerville, R. (2001). A New Paradigm for Adding Security into is Development Methods. In: Eloff, J.H.P., Labuschagne, L., von Solms, R., Dhillon, G. (eds) Advances in Information Security Management & Small Systems Security. IFIP International Federation for Information Processing, vol 72. Springer, Boston, MA. https://doi.org/10.1007/0-306-47007-1_8
Download citation
DOI: https://doi.org/10.1007/0-306-47007-1_8
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-7923-7506-7
Online ISBN: 978-0-306-47007-3
eBook Packages: Springer Book Archive