Structural Artifacts in Method Engineering: The Security Imperative

  • Richard Baskerville
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT)


The organizational structure has to do with human relationships, and is distinguished from the various artifacts (like information technology, systems development methods, and other mechanical products) that reflect those relationships. Information technology represents a first-level artifact and systems development methods represent a second-level artifact. This paper explains and illustrates a theory in which method engineering introduces third-level structural artifacts in organizations. A demonstration is included that uses security as one of the system imperatives that must be captured by third-level structural artifacts such as method engineering. This demonstration shows how method engineering may produce methods that are more complete and more harmonized with the organizational situation.


Keywords: Information Systems Development; Systems Development Methods; Software Engineering; Organizational Structure; Information Systems Security



Copyright information

© Springer Science+Business Media Dordrecht 1996

Authors and Affiliations

  • Richard Baskerville, Copenhagen Business School and Binghamton University, Binghamton, USA
