Authors: A. Youseef, F. Liu

Abstract:

The existing information system (IS) developments methods are not met the requirements to resolve the security related IS problems and they fail to provide a successful integration of security and systems engineering during all development process stages. Hence, the security should be considered during the whole software development process and identified with the requirements specification. This paper aims to propose an integrated security and IS engineering approach in all software development process stages by using i* language. This proposed framework categorizes into three separate parts: modelling business environment part, modelling information technology system part and modelling IS security part. The results show that considering security IS goals in the whole system development process can have a positive influence on system implementation and better meet business expectations.

Keywords: Business Process Modelling (BPM), Information System Security, Software Development Process, Requirement Engineering.

Digital Object Identifier (DOI): doi.org/10.5281/zenodo.1330991

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 1991

References:

[1] Chung, L. and B.A. Nixon, Dealing with non-functional requirements: three experimental studies of a process-oriented approach, in Proceedings of the 17th international conference on Software engineering. 1995, ACM: Seattle, Washington, United States. p. 25-37.
[2] Haley, C.B., et al., A framework for security requirements engineering, in Proceedings of the 2006 international workshop on Software engineering for secure systems. 2006, ACM: Shanghai, China. p. 35-42.
[3] Yu, E. and L. Cysneiros. Designing for privacy and other competing requirements. in 2nd Symposium on Requirements Engineering for Information Security (SREIS- 02). 2002. Raleigh, North Carolina.
[4] Backes, M., B. Pfitzmann, and M. Waidner, Security in business process engineering. Business Process Management, Springer Berlin / Heidelberg, 2003: p. 1019-1019.
[5] McDermott, J. and C. Fox. Using abuse case models for security requirements analysis. in Computer Security Applications Conference, 1999. (ACSAC '99) Proceedings. 15th Annual. 1999.
[6] Anderson, R.J., Security Engineering: A guide to building dependable distributed systems. 2008.
[7] Mayer, N., E. Dubois, and A. Rifaut, Requirements Engineering for Improving Business/IT Alignment in Security Risk Management Methods Enterprise Interoperability II, R.J. Gonçalves, et al., Editors. 2007, Springer London. p. 15-26.
[8] Mouratidis, H. and J. Jurjens, From goal-driven security requirements engineering to secure design. International Journal of Intelligent Systems, 2010. 25(8): p. 813-840.
[9] Rohrig, S. and S.S. Ag, Using process models to analyze health care security requirements, in International Conference Advances in Infrastructure for e-Business, e-Education, e-Science, and e-Medicine on the Internet. 2002: Italy.
[10] Ullah, A. and R. Lai, Managing Security Requirements: Towards Better Alignment Between Information Systems And Business, in 15th Pacific Asia Conference on Information System (15th PACIS) 2011: Queensland University of Technology (QUT) in Brisbane, Australia.
[11] J├╝rjens, J., Towards Development of Secure Systems Using UMLsec Fundamental Approaches to Software Engineering, H. Hussmann, Editor. 2001, Springer Berlin / Heidelberg. p. 187-200.
[12] Liu, L., E. Yu, and J. Mylopoulos. Security and privacy requirements analysis within a social setting. in Proceedings on 11th IEEE International Requirements Engineering Conference, . 2003.
[13] Lodderstedt, T., D. Basin, and J. Doser, SecureUML: A UML-Based Modeling Language for Model-Driven Security, in the Proceedings of the 5th International Conference on the Unified Modeling Language, J.- M. Jézéquel, H. Hussmann, and S. Cook, Editors. 2002, Springer Berlin / Heidelberg. p. 426-441.
[14] Mana, A., et al. A business process-driven approach to security engineering. in Proceedings on 14th International Workshop on Database and Expert Systems Applications, . 2003.
[15] Rodríguez, A., E. Fernández-Medina, and M. Piattini, A bpmn extension for the modeling of security requirements in business processes. IEICE transactions on information and systems, 2007. 90(4): p. 745-752.
[16] Goluch, G., et al. Integration of an Ontological Information Security Concept in Risk-Aware Business Process Management. in Proceedings of the 41st Annual Hawaii International Conference on System Sciences, 2008.
[17] Mayer, N., et al. Towards a measurement framework for security risk management. 2008.
[18] Matulevicius, R., N. Mayer, and P. Heymans. Alignment of Misuse Cases with Security Risk Management. in Third International Conference on Availability, Reliability and Security (ARES 08) 2008.
[19] Wolter, C., et al., Model-driven business process security requirement specification. Journal of Systems Architecture, 2009. 55(4): p. 211-223.
[20] Rodríguez, A., et al., Secure business process model specification through a UML 2.0 activity diagram profile. Decision Support Systems, 2011. 51(3): p. 446-465.
[21] Sindre, G. and A.L. Opdahl. Eliciting security requirements by misuse cases. in Proceedings of 37th International Conference on Technology of Object-Oriented Languages and Systems, TOOLS-Pacific 2000.
[22] Sindre, G. and A.L. Opdahl, Eliciting security requirements with misuse cases. Requirements Engineering, 2005. 10(1): p. 34-44.
[23] Dardenne, A., S. Fickas, and A.v. Lamsweerde, Goal-directed concept acquisition in requirements elicitation, in Proceedings of the 6th international workshop on Software specification and design. 1991, IEEE Computer Society Press: Como, Italy. p. 14-21.
[24] Alotaibi, Y. and F. Liu, Business Process Modelling Towards Derivation of Information Technology Goals, in Proceedings of the 45st Annual Hawaii International Conference on System Sciences. 2012: Maui, Hawaii, US.
[25] Object, M.G., OMG Unified Modeling Language (OMG UML), Superstructure, V2. 1.2. November 2007.