Abstract
In the context of information systems and information technology, information security is a concept that is becoming widely used. The European Network of Excellence INTEROP classifies information security as a non-functional aspect of interoperability, and as such it is an integral part of the design process for interoperable systems. In the last decade, academics and practitioners have shown their interest in information security, for example by developing security models for evaluating products and setting up security specifications in order to safeguard the confidentiality, integrity, availability and accountability of data. Earlier research has shown that measures to achieve information security at the administrative or organisational level are missing or inadequate. Therefore, there is a need to improve information security models by including vital elements of information security. In this paper, we introduce a holistic view of information security based on a Swedish model combined with a literature survey. Furthermore, we suggest extending this model using concepts based on semiotic theory and adopting the view of an information system as constituted of technical, formal and informal (TFI) parts. The aim is to increase the understanding of the information security domain in order to develop a well-founded theoretical framework, which can be used both in the analysis and the design phase of interoperable systems. Finally, we describe and apply the Information Security (InfoSec) model to the results of three different case studies in the healthcare domain. Limits of the model are highlighted and an extension is proposed.
Please use the following format when citing this chapter: Åhlfeldt, R.-M., Spagnoletti, P., and Sindre, G., 2007, in IFIP International Federation for Information Processing, Volume 232, New Approaches for Security, Privacy and Trust in Complex Environments, eds. Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R., (Boston: Springer), pp. 73–84.
© 2007 International Federation for Information Processing
Åhlfeldt, RM., Spagnoletti, P., Sindre, G. (2007). Improving the Information Security Model by using TFI. In: Venter, H., Eloff, M., Labuschagne, L., Eloff, J., von Solms, R. (eds) New Approaches for Security, Privacy and Trust in Complex Environments. SEC 2007. IFIP International Federation for Information Processing, vol 232. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-72367-9_7
DOI: https://doi.org/10.1007/978-0-387-72367-9_7
Publisher Name: Springer, Boston, MA
Print ISBN: 978-0-387-72366-2
Online ISBN: 978-0-387-72367-9