Abstract
A growing concern for information systems (ISs) is their quality, such as security, accuracy, user-friendliness and performance. Although the quality of an IS is determined largely by the development process, relatively little attention has been paid to the methodology for achieving high quality. A recent proposal [32] takes a process-oriented approach to representing non-functional, or quality, requirements (NFRs) as potentially conflicting or harmonious goals and using them during the development of software systems. By treating security requirements as a class of NFRs, this paper applies this process-oriented approach to designing secure ISs. This involves identification and representation of various types of security requirements (as goals), generic design knowledge and goal interactions. This treatment allows reusing generic design knowledge, detecting goal interactions, capturing and reasoning about design rationale, and assessing the degree of goal achievement. Security requirements serve as a class of criteria for selecting among design decisions, and justify the overall design. This paper also describes a prototype design tool, and illustrates it using a credit card system example.
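As an added illustration (not the paper's own tool or code), the following Python sketch models the goal-based treatment the abstract describes: security requirements and other NFRs as goals, design decisions that help or hurt them, bottom-up assessment of goal achievement, and detection of goal interactions. The credit card goals, decisions and the simplified satisficed/denied propagation semantics are assumptions for this example, not the paper's notation.

```python
from dataclasses import dataclass, field

# Goal labels after propagation (assumed, simplified semantics; not the paper's notation).
SAT, DEN, UND = "satisficed", "denied", "undetermined"

@dataclass
class Goal:
    name: str
    subgoals: list = field(default_factory=list)       # AND-decomposition into finer goals
    contributions: dict = field(default_factory=dict)  # design decision -> +1 (helps) / -1 (hurts)

def all_goals(goals):
    out = []
    for g in goals:
        out += [g] + all_goals(g.subgoals)
    return out

def evaluate(goals, chosen):
    """Bottom-up label propagation: degree of achievement of every goal given chosen decisions."""
    labels = {}
    def label(g):
        if g.name not in labels:
            if g.subgoals:  # AND node: denied if any child is denied, satisficed only if all are
                subs = [label(s) for s in g.subgoals]
                labels[g.name] = DEN if DEN in subs else SAT if all(s == SAT for s in subs) else UND
            else:           # leaf: decided by the chosen decisions that contribute to it
                votes = [w for d, w in g.contributions.items() if d in chosen]
                labels[g.name] = UND if not votes else SAT if min(votes) > 0 else DEN
        return labels[g.name]
    for g in goals:
        label(g)
    return labels

def interactions(goals, chosen):
    """Goal interactions: chosen decisions that help one leaf goal while hurting another."""
    leaves = [g for g in all_goals(goals) if not g.subgoals]
    found = []
    for d in sorted(chosen):
        helped = [g.name for g in leaves if g.contributions.get(d) == 1]
        hurt = [g.name for g in leaves if g.contributions.get(d) == -1]
        found += [(d, h, x) for h in helped for x in hurt]
    return found

# Constructed credit card system model (hypothetical goals and design decisions).
confid = Goal("Confidentiality[CardNumber]", contributions={"EncryptCardNumber": 1, "StorePlaintext": -1})
integ = Goal("Integrity[Transaction]", contributions={"AuditTrail": 1})
security = Goal("Security[CreditCardSystem]", subgoals=[confid, integ])
perf = Goal("Performance[Authorization]", contributions={"EncryptCardNumber": -1, "AuditTrail": -1, "StorePlaintext": 1})
MODEL = [security, perf]

def credit_card_design(chosen):
    """Assess a candidate design: (goal labels, list of (decision, helped goal, hurt goal))."""
    return evaluate(MODEL, set(chosen)), interactions(MODEL, set(chosen))
```

The labels show which security goals a design satisfices, and the interaction list records the conflicts (here, between encryption or auditing and authorization performance) that become the design rationale for choosing among alternatives.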
References
[1] J. A. Adam, “Threats and Countermeasures,” IEEE Spectrum, vol. 29, no. 8, Aug. 1992, pp. 21–28.
[2] E. Amoroso, T. Nguyen, J. Weiss, J. Watson, P. Lapiska, and T. Starr, “Towards an Approach to Measuring Software Trust,” Proc. IEEE Symp. Security and Privacy, May 1991, pp. 198–218.
[3] BIM Prolog 3.1 Manual. BIM sa/nv, Belgium, 1992.
[4] T. C. Vickers Benzel, “Developing Trusted Systems Using DOD-STD-2167A,” 5th Annual Computer Security Appl. Conf., Tucson, Arizona, Dec. 4–8, 1989, pp. 166–176.
[5] B. W. Boehm, “A Spiral Model of Software Development and Enhancement,” ACM Software Eng. Notes, vol. 11, no. 4, Aug. 1986.
[6] T. Bui and T. R. Sivasankaran, “Cost-Effective Modeling for a Decision Support System in Computer Security,” Computers & Security, vol. 6, no. 2, Apr. 1987, pp. 139–151.
[7] Canadian System Security Centre, The Canadian Trusted Computer Product Evaluation Criteria, Version 2.0. Ottawa, Apr. 1992.
[8] Canadian Bankers' Association, MasterCard and Visa Statistics, Toronto, Dec. 1991.
[9] L. Chung, “Representation and Utilization of Non-Functional Requirements for Information System Design.” In R. Anderson, J. A. Bubenko, Jr., A. Solvberg (Eds.), Advanced Information Systems Eng., Proc., 3rd Int. Conf. CAiSE '91, Trondheim, Norway, May 13–15, 1991. Berlin: Springer-Verlag, 1991, pp. 5–30.
[10] K. L. Chung, P. Katalagarianos, M. Marakakis, M. Mertikas, J. Mylopoulos and Y. Vassiliou, “From Information System Requirements to Designs: A Mapping Framework,” Information Systems, vol. 16, no. 4, 1991, pp. 429–461.
[11] D. D. Clark and D. R. Wilson, “A Comparison of Commercial and Military Computer Security Policies,” Proc. IEEE Symp. Security and Privacy, 1987, pp. 184–194.
[12] S. D. Crocker, “Software Methodology for Development of a Trusted BMS: Identification of Critical Problems,” 5th Annual Computer Security Appl. Conf., Tucson, Arizona, Dec. 4–8, 1989, pp. 148–165.
[13] U. S. Department of Defense, Military Standard: Defense System Software Development, Feb. 29, 1988.
[14] A. Dardenne, A. van Lamsweerde and S. Fickas, “Goal-directed Requirements Acquisition,” Science of Computer Programming, to appear; earlier version appeared in 6th Int. Workshop on Software Specification and Design, Como, Italy, 1991.
[15] B. Di Vito, C. Garvey, D. Kwong, A. Murray, J. Solomon and A. Wu, “The Deductive Theory Manager: A Knowledge Based System for Formal Verification,” Proc. IEEE Symp. Security and Privacy, 1990, pp. 306–318.
[16] E. B. Fernandez, E. Gudes and H. Song, “A Security Model for Object-Oriented Databases,” Proc. IEEE Symp. Security and Privacy, 1989, pp. 110–115.
[17] S. Greenspan, Requirements Modeling: A Knowledge Representation Approach to Software Requirements Definition. Ph.D. Thesis, Dept. of Computer Science, Univ. of Toronto, 1984.
[18] U. Hahn, M. Jarke and T. Rose, “Teamwork Support in a Knowledge-Based Information Systems Environment,” IEEE Trans. Software Eng., vol. 17, no. 5, May 1991, pp. 467–482.
[19] H. R. Hartson and D. K. Hsiao, “Full Protection Specification in the Semantic Model for Database Protection Languages,” Proc. ACM Annual Conf., Houston, TX, Oct. 1976, pp. 90–95.
[20] German Information Security Agency, Criteria for the Evaluation of Trustworthiness of Information Technology (IT) Systems, 1st Version, Bundesanzeiger, Köln, Germany, 1989.
[21] Office for Official Publications of the European Communities, Information Technology Security Evaluation Criteria, Provisional Harmonised Criteria, Version 1.2, June 1991, Luxembourg.
[22] M. Jarke, J. Mylopoulos, J. W. Schmidt, Y. Vassiliou, “DAIDA: An Environment for Evolving Information Systems,” ACM Trans. Information Systems, vol. 10, no. 1, Jan. 1992, pp. 1–50.
[23] M. Jarke (Ed.), ConceptBase V3.1 User Manual, 1992.
[24] M. Jarke, J. Bubenko, C. Rolland, A. Sutcliffe and Y. Vassiliou, “Theories Underlying Requirements Engineering: An Overview of NATURE at Genesis,” IEEE Int. Symp. Requirements Eng., Jan. 1993, pp. 19–31.
[25] E. S. Lee, P. I. P. Boulton, B. W. Thomson, and R. E. Soper, Composable Trusted Systems, Tech. Report CSRI-272, Computer Systems Research Institute, Univ. of Toronto, May 31, 1992.
[26] J. Lee, A Decision Rationale Management System: Capturing, Reusing, and Managing the Reasons for Decisions, Ph.D. Thesis, MIT, 1992.
[27] A. Marmor-Squires, B. Danner, J. McHugh, L. Nagy, D. Sterne, M. Branstad, and P. Rougeau, “A Risk Driven Process Model for the Development of Trusted Systems,” 5th Annual Computer Security Appl. Conf., Tucson, Arizona, Dec. 4–8, 1989, pp. 184–192.
[28] N. S. Matloff, “Another Look at the Use of Noise Addition for Database Security,” Proc. IEEE Symp. Security and Privacy, 1986, pp. 173–180.
[29] T. J. McCabe and G. G. Schulmeyer, “The Pareto Principle Applied to Software Quality Assurance,” In G. Gordon Schulmeyer and James I. McManus (Eds.), Handbook of Software Quality Assurance, New York: Van Nostrand Reinhold, 1987, pp. 178–210.
[30] J. D. Moffett and M. S. Sloman, “The Source of Authority for Commercial Access Control,” IEEE Computer, vol. 21, no. 2, Feb. 1988, pp. 59–69.
[31] J. Mylopoulos, A. Borgida, M. Jarke, and M. Koubarakis, “Telos: Representing Knowledge about Information Systems,” ACM Trans. Information Systems, vol. 8, Oct. 1990, pp. 325–362.
[32] J. Mylopoulos, L. Chung and B. Nixon, “Representing and Using Non-Functional Requirements: A Process-Oriented Approach,” IEEE Trans. Software Eng., vol. 18, no. 6, June 1992, pp. 483–497.
[33] P. G. Neumann, “On Hierarchical Designs of Computer Systems for Critical Applications,” IEEE Trans. Software Eng., SE-12, no. 9, Sept. 1986, pp. 905–920.
[34] P. G. Neumann (compiler), “Illustrative Risks to the Public in the Use of Computer Systems and Related Technology,” ACM Software Eng. Notes, vol. 16, no. 1, Jan. 1991, pp. 2–9.
[35] N. Nilsson, Problem-Solving Methods in Artificial Intelligence. New York, McGraw-Hill, 1971.
[36] B. Nixon, “Dealing with Performance Requirements During the Development of Information Systems,” IEEE Int. Symp. Requirements Eng., Jan. 1993, pp. 42–49.
[37] D. B. Parker, “The Many Faces of Data Vulnerability,” IEEE Spectrum, vol. 21, no. 5, May 1984, pp. 46–49.
[38] D. B. Parker, “Restating the Foundation of Information Security,” 2nd Annual North American Information System Security Symp., Toronto, Oct. 21–23, 1991.
[39] T. S. Perry and P. Wallich, “Can Computer Crime be Stopped?,” IEEE Spectrum, vol. 21, no. 5, May 1984, pp. 34–45.
[40] C. P. Pfleeger, Security in Computing, Englewood Cliffs, NJ: Prentice Hall, 1989.
[41] C. Potts and G. Bruns, “Recording the Reasons for Design Decisions,” Proc. 10th Int. Conf. Software Eng., 1988, pp. 418–427.
[42] H. A. Simon, The Sciences of the Artificial, 2nd ed., Cambridge, MA: The MIT Press, 1981.
[43] G. W. Smith, “Multilevel Secure Database Design: A Practical Application,” 5th Annual Computer Security Appl. Conf., Tucson, Arizona, Dec. 4–8, 1989, pp. 314–321.
[44] G. Steinke, “Design Aspects of Access Control in a Knowledge Base System,” SECURICOM '90, Paris, March 1990.
[45] U.S. Department of Defense, Trusted Computer Systems Evaluation Criteria, DOD 5200.28-STD, Dec. 1985.
[46] F. G. Tompkins and R. Rice, “Integrating Security Activities Into the Software Development Life Cycle and the Software Quality Assurance Process,” Computers & Security, vol. 5, no. 3, Sept. 1986, pp. 218–242.
[47] Y. Vassiliou, M. Marakakis, P. Katalagarianos, L. Chung, M. Mertikas and J. Mylopoulos, “IRIS: A Mapping Assistant for Generating Designs from Requirements.” In Proc. CAiSE '90, 2nd Nordic Conf. Advanced Information Systems Eng., Stockholm, May 1991. Berlin: Springer-Verlag, 1991, pp. 307–338.
[48] Visa Canada Association, Visa Canada 1990 Regional Report, Toronto, 1990.
[49] C. Wood, E. B. Fernandez and R. C. Summers, “Data Base Security: Requirements, Policies, and Models,” IBM Syst. J., vol. 19, no. 2, 1980, pp. 229–252.
© 1993 Springer-Verlag Berlin Heidelberg
Cite this paper
Chung, L. (1993). Dealing with security requirements during the development of information systems. In: Rolland, C., Bodart, F., Cauvet, C. (eds) Advanced Information Systems Engineering. CAiSE 1993. Lecture Notes in Computer Science, vol 685. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-56777-1_13
DOI: https://doi.org/10.1007/3-540-56777-1_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-56777-6
Online ISBN: 978-3-540-47735-8