Abstract
Information systems (IS) security (ISS) methods can be broken down into a process (the steps developers should take to develop an IS) and a modeling notation (how to model reality). Of these, modeling notation has attracted a lot of attention, whereas process has been largely ignored. As a step towards remedying this situation, this paper first analyzes the limits of the processes of the existing ISS approaches in the light of the analytical framework. Second, the implications of the results for research are suggested.
The original version of this chapter was revised: The copyright line was incorrect. This has been corrected. The Erratum to this chapter is available at DOI: 10.1007/978-0-387-35691-4_52
© 2003 IFIP International Federation for Information Processing
Siponen, M.T. (2003). New Directions on IS Security Methods. In: Gritzalis, D., De Capitani di Vimercati, S., Samarati, P., Katsikas, S. (eds) Security and Privacy in the Age of Uncertainty. SEC 2003. IFIP, The International Federation for Information Processing, vol. 122. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-35691-4_28
DOI: https://doi.org/10.1007/978-0-387-35691-4_28
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-6489-5
Online ISBN: 978-0-387-35691-4