Abstract
While the Internet is dramatically changing the way business is conducted, security and privacy issues are of deeper concern than ever before. A primary fault in evolutionary electronic commerce systems is the failure to adequately address security and privacy issues; therefore, security and privacy policies are either developed as an afterthought to the system or not at all. One reason for this failure is the difficulty in applying traditional software requirements engineering techniques to systems in which policy is continually changing due to the need to respond to the rapid introduction of new technologies which compromise those policies. Security and privacy should be major concerns from the onset, but practitioners need new systematic mechanisms for determining and assessing security and privacy. To provide this support, we employ scenario management and goal-driven analysis strategies to facilitate the design and evolution of electronic commerce systems. Risk and impact assessment is critical for ensuring that system requirements are aligned with an enterprise—s security policy and privacy policy. Consequently, we tailor our goal-based approach by including a compliance activity to ensure that all policies are reflected in the actual system requirements. Our integrated strategy thus focuses on the initial specification of security policy and privacy policy and their operationalization into system requirements. The ultimate goal of our work is to demonstrate viable solutions for supporting the early stages of the software lifecycle, specifically addressing the need for novel approaches to ensure security and privacy requirements coverage.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
T. Alspaugh, A.I. Antón, T. Barnes and B. Mott. An Integrated Scenario Management Strategy,IEEE 4th International Symposium on Requirements Engineering (RE—99), University of Limerick, Ireland, pp. 142–149, 7–11 June 1999.
M.D. Abrams and D. Bailey. Abstraction and Refinement of Layered Security Policy,Information Security - an Integrated Collection of Essays(Abrams, Jajodia and Podell, eds.), IEEE Computer Society Press, Los Alamitos, CA, 1995.
A.I. Antón, R.A. Carter, A. Dagnino, J.H. Dempster and D.F. Siege. Deriving Goals from a Use-Case Based Requirements Specification, To appear in Requirements Engineering Journal, Springer-Verlag, May 2001.
R. Alexander. Ecommerce Security: An Alternative Business Model,Journal of Retail Banking Services, (20)4, pp. 45–50, 1998.
A.I. Antón, W.M. McCracken and C. Potts. Goal Decomposition and Scenario Analysis in Business Process Reengineering,Advanced Information System Engineering: Proceedings 6th International Conference (CAiSE —94), pp. 94–104, 6–10 June 1994.
R. Anderson. A Security Policy for Clinical Information Sys-tems,Proceedings of the 15th IEEE Symposium on Security and Privacy, 1996.
A.I. Antón. Goal-Based Requirements Analysis,Second IEEE International Conference on Requirements Engineering (ICRE —96),pp. 136–144, 15–18 April 1996.
A.I. Antón.Goal Identification and Refinement in the Specification of Software-Based Information Systems, Ph.D. Dissertation, Georgia Institute of Technology, Atlanta, GA, 1997.
A.I. Antón and C. Potts. The Use of Goals to Surface Requirements for Evolving Systems, International Conference on Software Engineering (ICSE —98), pp. 157–166, 19–25 April 1998.
R.J. Alberts, A.M. Townsend and M.E. Whitman. The Threat of Long-arm Jurisdiction to Electronic Commerce,Communications of the ACM, 41(12), pp. 15–20, December 1998.
V.M. Brannigan and B.R. Beier. Patient Privacy in the Era of Medical Computer Networks: A New Paradigm for a New Technology,Medinfo, 8 Pt 1, pp. 640–643, 1995.
D. Baumer, J.B. Earp and F.C. Payton. Privacy of Medical Records: IT Implications of HIPAA,ACM Compute and Society, 30(4), pp.40–47, December 2000.
P. Benessi. TRUSTe: An Online Privacy Seal Program,Communications of the ACM, 42(2), pp. 56–59, February 1999.
N.S. Borenstein. Perils and Pitfalls of Practical Cybercommerce,Communications of the ACM, 39(6), pp. 36–44, June 1996.
B. Schneier.Applied Cryptography: Protocols,Algorithms and Source Code in C, 2nd ed., New York: Wiley, 1996.
R. Clarke. Internet Privacy Concerns Confirm the Case for Intervention,Communications of the ACM, 42(2), pp. 60–67, February 1999.
L.F. Cranor, J. Reagle and M.S. Ackerman. Beyond Concern: Understanding Net Users— Attitudes About Online Privacy,AT&T Labs-Research Technical Report TR 99.4.3,April 1999. http://www.research.att.com/library/trs/TRs/99/99.4/99.43/report.htm/library/trs/TRs/99/99.4/99.43/report.htm
L.F. Cranor. Internet privacy,Communications of the ACM, 42(2), pp. 28–38, February 1999.
T. Dean.Network+: Guide to Networks, Course Technology, 2000.
J.H. Dempster.Inconsistency Identification and Resolution in Goal-Driven Requirements Analysis, M.S. Thesis, NC State University, Raleigh, NC, May 2000.
R. Dömges and K. Pohl, Adapting Traceability Environments to Project-Specific Needs,Communications of the ACM, 41(12), pp. 54–62, December 1998.
J.B. Earp and F. C. Payton.Information Privacy Concerns Facing Health Care Organizations in the New Millennium, NCSU Working Paper, April 2000.
J.B. Earp and F.C. Payton. Dirty Laundry: Privacy Issues for IT Professionals,IT Professional, March/April 2000.
W.J. Fabrycky and B.S. Blanchard.Life Cycle Cost and Economic Analysis, Prentice-Hall, 1991.
Privacy Online: A Report to Congress, Federal Trade Commission,http://www.ftc.gov/reports/privacy3/June 1998.
C. Germain. Summary of the City University Security Survey 1997,http://www.city.ac.uk/eu687/security/summary.html,1997
Georgetown Internet Privacy Policy Survey: Report to the Federal Trade Commission.Study Director M.J. Culnan.http://www.msb.edu/faculty/culnanm/gippshome.html 1999.
J.R. Hauser and D. Clausing, The House of Quality,Harvard Business Review, 32(5), pp. 63–73, 1988.
Common Criteria for Information Technology Security Evaluation, ver 2.0, parts 1–3. ISO/IEC 15408, Geneva, May 1998.
M. Jarke, X.T. Bui and J.M. Carroll. Scenario Management: An Interdisciplinary Approach,Requirements Engineering Journal, Springer-Verlag, 3(3–4), pp. 154–173, 1998.
S. Lichtenstein. Developing Internet Security Policy for Organizations,Proceedings of the 30th Hawaii International Conference on System Sciences,. Vol4, p. 350–357, 1997.
J. Makris. Firewall Services: More Bark than Bite, Data Communications International, 28(3), pp.36–50, March 1999.
H. McGraw III. Online Privacy: Self-Regulate or Be Regulated,IT Professional,IEEE Computer Society, 1(2), pp. 18–19, 1999.
N. Memon and P.W. Wong. Protecting Digital Media Content,Communications of the ACM, 41(7), pp. 35–43, July 1999.
Computer Security Policy,Computer Systems Laboratory Bulletin, 1994.
I.M. Olson and M.D. Abrams. Information Security Policy,In-formation Security — an Integrated Collection of Essays(Abrams, Ja-jodia and Podell, eds.), IEEE Computer Society Press, Los Alamitos,CA, 1995.
R.W. Oliver. Corporate Policies for Electronic Commerce, Pro-ceedings of the Thirtieth Hawaii International Conference on Systems Sciences, pp. 254–264, 1997.
J. Olnes.Development of Security Policies,Computers and Security, 13(8), 1994.
Policy Framework for Interpreting Risk in CCommerce Security.CERIAS Technical Report, Purdue University,http://www.cerias.purdue.edu/techreports/public/PFIRES.pdf1999.
C. Potts .ScenIC: A Strategy for Inquiry-Driven Requirements Determination,Proceedings IEEE 4th International Symposium on Requirements Engineering (RE`99), Limerick, Ireland, 7–11 June 1999.
B. Ramesh. Factors Influencing Requirements Traceability Practice,Communications of the ACM, 41(12), pp. 37–44, December 1998.
J. Reagle and L. F. Cranor. The Platform for Privacy Preferences,Communications of the ACM, 42(2), pp.48–55, February 1997.
W.N. Robinson. Electronic Brokering for Assisted Contracting of Software Applets,Proceedings of the 30th Hawaii International Conference on System Sciences, Vol. 4, pp. 449–458, 1997.
C. Rolland, C. Souveyet and C.B. Achour. Guiding Goal Modeling Using Scenarios,IEEE Transactions on Software Engineering, 24(12), pp. 1055–1071, December 1998.
D. Seinauer, S. Katzke and S. Radack. Basic Intrusion Protection: The First Line of Defense,IT Professional(IEEE Computer Society), 1(1), pp. 43–48, 1999.
T.J. Shimeall and J.J. McDermott. Software Security in An Internet World: An Executive Summary,IEEE Software, 16(4), pp. 58–61, July/August 1999.
G.P. Schneider and J.T.Perry.Electronic Commerce, Course Technology, 2000.
Sun Microsystems.Protecting From Within:A Look at Intranet Security Policy and Management.http://www.sun.com/software/white-papers/wp-security-intranet//software/white-papers/wp-security-intranet/
D.W. Straub and R.J. Welke. Coping With Systems Risk: Security Planning Models for Management Decision Making,MIS Quarterly, 2(4), pp. 441–469, 1998.
H.T. Tavini. Informational Privacy, Data Mining and the Internet,Ethics and Information Technology, 1(2), pp. 137–45, 1999.
D. Trcek. Security Policy Management for Networked Information Systems,Proceedings of the Network Operations and Management Symposium, pp. 817–830, 2000.
C.C. Wood. Writing InfoSec Policies,Computers and Society. Vol. 14, 1995.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2001 Springer Science+Business Media New York
About this chapter
Cite this chapter
Antón, A.I., Earp, J.B. (2001). Strategies for Developing Policies and Requirements for Secure and Private Electronic Commerce. In: Ghosh, A.K. (eds) E-Commerce Security and Privacy. Advances in Information Security, vol 2. Springer, Boston, MA. https://doi.org/10.1007/978-1-4615-1467-1_5
Download citation
DOI: https://doi.org/10.1007/978-1-4615-1467-1_5
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4613-5568-7
Online ISBN: 978-1-4615-1467-1
eBook Packages: Springer Book Archive