Abstract
Traditionally, information security management standards that list generic means of protection have received most of the attention in the field of information security management. In the background, a few maturity-oriented information security management standards have been laid down, although the information security community has largely overlooked them. The aim of this study is to analyze the alternative maturity criteria (SSE-CMM, the Security Program Maturity Grid, and Software Security Metrics) for developing secure information systems (IS) and software (SW). First, a framework synthesized from the IS and software engineering (SE) literatures is advanced. Secondly, the existing information security maturity criteria are examined in the light of this framework. Thirdly, on the basis of the results of this analysis, implications for practice and research are presented.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35586-3_46
References
Baskerville, R., (1993), Information Systems Security Design Methods: Implications for Information Systems Development. ACM Computing Surveys, Vol. 25, No. 4, December, pp. 375–414.
Baskerville, R. & Pries-Heje, J., (2001), Racing the E-Bomb: How the Internet Is Redefining Information Systems Development Methodology. In B. Fitzgerald et al. (eds): Realigning Research and Practice in IS Development: The Social and Organizational Perspective, pp. 49–68. New York: Kluwer.
Baskerville, R. & Siponen, M.T., (2002), An Information Security Meta-policy for Emergent Organizations. Logistics Information Management, special issue on Information Security, forthcoming.
Boehm, B., (2000), Unifying Software Engineering and Systems Engineering. IEEE Computer, pp. 114–116.
Bollinger, T.B. & McGowan, C., (1991), A Critical Look at Software Capability Evaluations. IEEE Software, Vol. 8, No. 4, July, pp. 25–41.
Caplan, K. & Sanders, J.L., (1999), Building an International Security Standard. IT Professional, Vol. 1, No. 2, March–April, pp. 29–34.
Chokhani, S., (1992), Trusted Products Evaluation. Communications of the ACM, Vol. 35, No. 7, pp. 64–76.
Curtis, B., (2000), The Global Pursuit of Process Maturity. IEEE Software, Vol. 17, No. 4, pp. 76–78.
Dhillon, G. & Backhouse, J., (2001), Current Directions in IS Security Research: Toward Socio-technical Perspectives. Information Systems Journal, Vol. 11, No. 2.
Eloff, M.M. & von Solms, S.H., (2000a), Information Security Management: A Hierarchical Framework for Various Approaches. Computers & Security, Vol. 19, pp. 243–256.
Eloff, M.M. & von Solms, S.H., (2000b), Information Security: Process Evaluation and Product Evaluation. Sixteenth Annual Working Conference on Information Security, Beijing, China.
Fitzgerald, K.J., (1995), Information Security Baselines. Information Management & Computer Security, Vol. 3, No. 2, pp. 8–12.
Harré, R., (2000), Laws of Nature. In W.H. Newton-Smith (ed): A Companion to the Philosophy of Science, Blackwell Publishers, Oxford, UK, pp. 213–224.
Hirschheim, R., (1985), Information Systems Epistemology: An Historical Perspective. In E. Mumford et al. (eds): Research Methods in Information Systems. Elsevier Science Publishers.
Hopkinson, J.P., (2001), Security Standards Overview. Proceedings of the Second Annual ISSE Conference.
Murine, G.E. & Carpenter, C.L., (1984), Measuring Computer System Security Using Software Security Metrics. In J.H. Finch & E.G. Dougall (eds): Computer Security: A Global Challenge. Elsevier Science Publishers.
O'Connell, E. & Saiedian, H., (2000), Can You Trust Software Capability Evaluations? IEEE Computer, Vol. 33, No. 2, pp. 28–35.
Overbeek, P.L., (1995), Common Criteria for IT Security Evaluation: Update Report. Proceedings of the 11th International Conference on Information Security (IFIP/SEC'95).
Paulk, M.C., Curtis, B., Chrissis, M.B. & Weber, C.V., (1993), Capability Maturity Model, Version 1.1. IEEE Software, Vol. 10, No. 4, pp. 18–27.
Pfleeger, S.L. & Rombach, H.D., (1994), Measurement Based Process Improvement. IEEE Software, Vol. 11, No. 4, pp. 9–11.
Pfleeger, S.L., Fenton, N. & Page, S., (1994), Evaluating Software Engineering Standards. IEEE Computer, Vol. 27, No. 9, pp. 71–79.
Pfleeger, S.L., (1999), Albert Einstein and Empirical Software Engineering. IEEE Computer, Vol. 32, No. 10, pp. 32–37.
Ray, C., (2000), Logical Positivism. In W.H. Newton-Smith (ed): A Companion to the Philosophy of Science, Blackwell Publishers, Oxford, UK, pp. 243–256.
Rifkin, S., (2001), What Makes Measuring Software So Hard? IEEE Software, May/June, pp. 41–45.
Siponen, M.T., (2001), An Analysis of the Recent IS Security Development Approaches: Descriptive and Prescriptive Implications. In G. Dhillon (ed): Information Security Management: Global Challenges in the Next Millennium. Idea Group.
Siponen, M.T. & Baskerville, R., (2001), A New Paradigm for Adding Security into IS Development Methods. In Advances in Information Security Management & Small Systems Security. MA: Kluwer Academic Publishers.
von Solms, R., (1996), Information Security Management: The Second Generation. Computers & Security, Vol. 15, No. 4, pp. 281–288.
von Solms, R., (1997), Can Security Baselines Replace Risk Analysis? Proceedings of the 13th International Conference on Information Security, 14–16 May, Copenhagen, Denmark.
von Solms, R., (1998), Information Security Management (3): The Code of Practice for Information Security Management. Information Management & Computer Security, Vol. 6, No. 5, pp. 224–225.
von Solms, R., (1999), Information Security Management: Why Standards Are Important. Information Management & Computer Security, Vol. 7, No. 1, pp. 50–58.
SSE-CMM, (1998), Systems Security Engineering Capability Maturity Model. http://www.sse-cmm.org.
Stacey, T.R., (1996), Information Security Program Maturity Grid. Information Systems Security, Vol. 5, No. 2.
Truex, D.P., Baskerville, R. & Klein, H., (1999), Growing Systems in Emergent Organizations. Communications of the ACM, Vol. 42, No. 8, pp. 117–123.
Truex, D., Baskerville, R. & Travis, J., (2000), Amethodical Systems Development: The Deferred Meaning of Systems Development Methods. Accounting, Management and Information Technologies, Vol. 10, pp. 53–79.
Voas, J., (1999), Software Quality's Eight Greatest Myths. IEEE Software, Vol. 16, No. 5, pp. 118–120.
© 2002 IFIP International Federation for Information Processing
Siponen, M.T. (2002). Maturity Criteria for Developing Secure IS and SW. In: Ghonaimy, M.A., El-Hadidi, M.T., Aslan, H.K. (eds) Security in the Information Society. IFIP Advances in Information and Communication Technology, vol 86. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35586-3_7
DOI: https://doi.org/10.1007/978-0-387-35586-3_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-1026-7
Online ISBN: 978-0-387-35586-3