Abstract
The security of information systems is a serious issue because computer abuse is increasing. It is important, therefore, that systems analysts and designers develop expertise in methods for specifying information systems security. The characteristics found in three generations of general information system design methods provide a framework for comparing and understanding current security design methods. These methods include approaches that use checklists of controls, divide functional requirements into engineering partitions, and create abstract models of both the problem and the solution. Comparisons and contrasts reveal that advances in security methods lag behind advances in general systems development methods. This analysis also reveals that more general methods fail to consider security specifications rigorously.
- AGRESTI, W. 1986. What are the new paradigTns. In New Paradigms for Software Development. IEEE Press, Washington, D.C., 6-10.Google Scholar
- AMERICAN BAR ASSOCIATION 1984. Report on Computer Crzme. American Bar Ass., Section on Criminal Justice, Task Force on Computer Crime, Washington, D.C.Google Scholar
- AVISON, D., AND FITZGERALD, G. 1988. Information Systems Development: Methodologies, Techniques and Tools. Blackwell Scientific, Oxford, U.K. Google Scholar
- AWSON, D., AND WOOD-HARPER, T. 1991. Information systems development research: An exploration of ideas in practice. Comput. J. 34, 2, 98-112. Google Scholar
- BADENHORST, K., AND ELOFF, J. 1990. Computer security methodology: Risk analysis and project definition. Comput. Sec. 9, 4 (June), 339 346. Google Scholar
- BANNON, L. 1989. Discussant notes on Baskerville and Hellman. In Systems Development for Human Progress. North-Holland, Amsterdam, 257-260.Google Scholar
- BANSLER, J., AND BODKER, K. 1993. A reappraisal of structured analysis: Design in an organizational context. ACM Trans. Inf. Syst. 11, 2, 165-193. Google Scholar
- BASKERVILLE, R. 1993. The threat in security for the adaptive organization. Inf. Syst. Sec. 2, 1 (Spring), 40-47.Google Scholar
- BASKERViLLE, R. 1992. The developmental duality of information systems security. J. Manage. Syst 4, 1, i 12.Google Scholar
- BASKERVILLE, R. 1991. Risk analysis as a source of professional knowledge. Comput. Sec. 10, 8 (Dec.), 749 764. Google Scholar
- BASKERVILLE, R. 1989. Logical controls specification: An approach to information systems security. In Systems Development for Human Progress. North-Holland, Amsterdam, 241-256.Google Scholar
- BASKERVILLE, R. 1988. Destgnmg Informatzon Systems Securzty. Wiley, Chichester, U.K. Google Scholar
- BASKERVlLLE, R., TRAVIS, J., AND TRUEX, D. 1992. Systems without method. In IFIP Transactzons on The Impact of Computer Supported Technologies on Information Systems Development. North-Holland, Amsterdam, 241 270. Google Scholar
- BASS, B. 1985. Leadership and Performance Beyond Expectation. Free Press, New York.Google Scholar
- BLOOMBECKER, B. 1990. Spectacular Computer Crtmes: What They Are And How They Cost American Bus~ness Half A Billzon Dollars A Year. Dow Jones-Irwin, Homewood, Ill. Google Scholar
- BROWNE, P. 1979. Securzty: Checklist /br Computer Center Self-Audits. AFIPS Press, Arlington, Va.Google Scholar
- Bui T., and Sivasankaran, T. 1987. Cost-effectiveness modeling for a decision support system in computer security. Comput. Sec. 6, 2, 139-151. Google Scholar
- CARROLl,, J., AND MACIVER, W. 1984. Towards an expert system for computer facility certification. In Computer Security' A Global Challenge North-Holland, Amsterdam, 293 306. Google Scholar
- CCTA 1991. SSADM-CRAMM Subject Guzde {br SSADM Version 3 and CRAMM Version 2 Central Computer and Telecommunications Agency, IT Security and Privacy Group, Her Majesty's Government, London.Google Scholar
- Checkland, P. 1981 Systems Theory, Systems Practice. Wiley, Chichester, U.KGoogle Scholar
- CHEN, P. 1976. The entity-relationship model: Toward a unified view of data. ACM Trans Database Syst. 1, I (Mar.), 9 36 Google Scholar
- CLEMENTS, D. 1977. Fuzzy models for computer security system metrics Ph.D. thesis, Dept. of Electrical Engineering and Computer Sciences, Univ of California at Berkeley, Berkeley, CalifGoogle Scholar
- COAD, P., AND YOURDON, E. 1991. Object-Oriented Analysis 2d ed. Yourdon Press, Englewood Cliffs, N.J. Google Scholar
- COMMISSION OF EUROPEAN COMMUNITIES 1990. hiformation Technology Security Evaluation Criteria (ITSEC), Provtszonal Harmonized Criteria, Versmn 1.2 Commission of European Communities. Directorate--General XIII, Brussels, Belgium.Google Scholar
- COMMUNICATIONS SECURITY ESTABLISHMENT 1990. Automated Rtsk Analv~Is Product Assessment. Canadian System Security Center, Government of Canada, Ottawa.Google Scholar
- COMPUTER SECURITY CONSULTANTS 1988. Using Decision Analysts to Estimate Computer Security Risk. Computer Security Consultants, Ridgefield, Conn.Google Scholar
- COMPUTERWORLD 1983. Computer crime in Japan. Computerworld 17, 45 (Nov. 7), ID7-ID8, ID17 ID20.Google Scholar
- COUGER, J. 1982. Evolution of system development techniques. In Advanced System Deve/- opment/Feasibthty Technlques. Wiley, New York, 6 13Google Scholar
- COURTN}EY, R. 1977. Security risk assessment in electronic data processing. In the AFIPS Conference Proceedtngs of the Nattonal Computer Conference 46. AFIPS, Arhngton, Vs., 97-104.Google Scholar
- DAVIS, G. 1982. Strategies for information requirements determination IBM Syst. J 21, 1, 4-30.Google Scholar
- D}EMARCO, T. 1979. Structured A,alysts arid System Spect~cahon Yourdon Press, New York. Google Scholar
- DIXON, R, MARSTON, C., AND COLLi}ER, P 1992. A report on the joint CIMA and IIA computer fraud survey. Comput Sec. 11, 4 (July), 3O7 313. Google Scholar
- EHN, P 1989 The art and science of desigmng computer artifacts. Scand. J. In{. Syst. 1, (Aug), 21-42 Google Scholar
- EMBRY, D., KURTZ, B., AND WOODFIELD, S. 1992. Object-Oriented Systems Analysts. A Model- Drwen Approach Yourdon Press, Englewood Cliffs, N.J. Google Scholar
- FARQUHAR, B. 1991. One approach to risk assessment. Comput. Sec 10, 1, 21-23 Google Scholar
- FiNKELSTEIN, C. 1989. An Introduction to Informatron Engineering. From Strategtc Plann~ng to Informahot~ Systems. Addison-Wesley, Sydney, Australia. Google Scholar
- FISHER, R 1984. Information Systems Secumty. Prentice-Hail, Englewood Cliffs, N J Google Scholar
- FITES, P., JOHNSTON, P., AND KARTZ, M. 1989 The Computer Virus Crlszs. Van Nostrand Reinhold, New York. Google Scholar
- FITZGERALD, J. 1978 Internal Controls for Computerized Systems. Underwood Press, San Ceandro, Calif.Google Scholar
- FITZGERALD, J., AND FITZGERALD, A. 1990 Designlng Controls into Computerized Systems. 2d ed. Jerry FitzGerald & Associates, Redwood City, Cahf Google Scholar
- FRIEDMAN, A. 1989 Computer Systems Development: Htsto~v, Organization and Implementation. Wiley, Chichester, U K. Google Scholar
- GALL}EGOS, r., RICHARDSON, D, AND BORTHICK, A. 1987. Audit a,d Control of Information Systems. South-Western, Cincinnati, Ohio.Google Scholar
- GANE, C., AND SARSON, T. 1984. Structured Systems Analysts' Tools and Techniques Prentice- Hall, Englewood Cliffs, N.J. Google Scholar
- GANNON, P 1992. French losses rise sharply. Comput. Fraud Sec Bull. 14, 12 (Oct), 3.Google Scholar
- GAUSE, D., AND WEINBERG, G. 1989. Explomng Requtrements: Quahty Be{ore Design. Dorset House, New York. Google Scholar
- GILBERT. I 1989. Gutde for Selecting Automated Risk Analysis Tools U.S Department of Commerce, National Institute of Standards and Technology, NIST special publication 500-174 (Oct.), Washington, D.C.Google Scholar
- GLASEMAN, S., TURN, R., AND GAINES, R. 1977 Problem areas m computer security assessment. In Proceedings of The Natlorlal Cornputer Conference NCC 46. AFIPS Press, Arlington, Va, 105-112Google Scholar
- GOLRANG, T., AND HAGERFORS, A. 1989. It's like walking m syrup--a participative change process. In Proceedings of the 12th IRIS Part I. Computer Science Dept., Aarhus Univ., DAIMI PB 296-I, Aarhus, Denmark, 183-202Google Scholar
- GRONBAEK, K. 1989. Extending the boundaries of prototyping: Towards cooperative prototyping. In Procee&ngs of the 12th IRIS. Aarhus Univ., DAIMI PB 2964, Aarhus, Denmark, 219 238.Google Scholar
- GUARRO, S, 1987 Principles and procedures of the LRAM approach to information systems risk analysis and management Comput Sec. 6, 6, 493 504. Google Scholar
- HAFNER, K., AND MARKOFF, J. 1991 Cyberpunk: Outlaws and Hackers on the Computer Frontlet. Simon and Schuster, New York Google Scholar
- HAWRYSZKIEWYCZ, I. 1988. Introductwr~ to Systems Analys~s and Design Prentice-Hall, Englewood Cliffs, N.J Google Scholar
- HEMPHILL, C., AND HEMPHILL, J 1973 Security Procedures for Computer Systems Dow Jones- Irwin, Homewood, IllGoogle Scholar
- HIGHLAND, H 1992 Random bits and bytes: Michelangelo--Part II. Comput. Sec. 11, 4 July), 294-303.Google Scholar
- HIRSCHHEIM, R., AND KLEIN, H. 1992. Paradigmatic influences on information systems development methodologies: Evolution and conceptual advances. Adv. Comput. 34,294 381.Google Scholar
- HOFFER, J., ANt) STRAUB, D. 1989. The 9 to 5 underground: Are you policing computer crimes? Sloan Manage. Rev. 30, 4 (Summer), 35-43.Google Scholar
- HOFFMAN, L., M1CHELMAN, E., AND CLEMENTS, D. 1978. SECURATE--security evaluation and analysis using fuzzy metrics. In AFIPS National Computer Conference Proceedings 47. AFIPS, Arlington, Va., 531-540.Google Scholar
- HOYT, D. 1973. Computer Security Handbook. Macmillan, New York.Google Scholar
- HRUSKA, J. 1990. Computer Viruses and Anti-Virus Warfare. Ellis Horwood, New York. Google Scholar
- HUTT, A., BOSWORTH, S., AND HOYT, D., EDS. 1988. Computer Security Handbook. 2d ed. Macmillan, New York. Google Scholar
- IBM 1972a. Secure Automated Facilities Enwronment Study 3. Part 2 (May). IBM, Armonk, N.Y.Google Scholar
- IBM 1972b. DP Asset Protection Self-Assessment Guide. Reprinted in Information Systems Security. Prentice-Hall, Englewood Cliffs, N.J., 1984, 212-231.Google Scholar
- JENKINS, A M., AND CARLrS, J 1988. Control flowcharting for data driven systems. In/brmatica 2, 76 82.Google Scholar
- KRAUSS, L. 1980. SAFE: Security Audit and Field Evaluatton for Computer Facilities and Information. Revised ed. Amacon, New York. Google Scholar
- Krauss, L. 1972. SAFE: Security Audit and Field Evaluation for Computer Facilities and Information Systems. Amacon, New York. Google Scholar
- LAND, F. 1982. Notes on participation. Comput. J. 25, 2 (May), 283 285.Google Scholar
- LANDRETH, B. 1989. Out of The In~*er Circle: The True Story of A Computer Intruder Capable of Cracking The Nation's Most Secure Computer Systems. Tempus, Redmond, Wash. Google Scholar
- LANDWEHR, C. E. 1981. Formal models for computer security. ACM Comput. Surv. 13, 3 (Sept.), 247-278. Google Scholar
- Leifer, R. 1989. Understanding organizational transformation using a dissipative structure model. Hum. Rel. 42, 10, pp. 899-916.Google Scholar
- LUCAS, H. 1976. The Analysis Design and Implementation of Information Systems. McGraw- Hill Kogakusha, Tokyo. Google Scholar
- LYOTARD, J-F. 1987. The postmodern condition. In After Philosophy: End or Transformation. MIT Press, Cambridge, Mass., 73--93.Google Scholar
- MAIR, W., WOOD, W., AND DAVIS, K. 1978. Cornputer Control and Audit. Prentice-Hall, Englewood Cliffs, N.J.Google Scholar
- MARTIN, J. 1990. In/brmatLon Engineering. Books I IV. Prentice-Hall, Engtewood Cliffs, N.J.Google Scholar
- MARTIN, J. 1973. Security, Accuracy and Privacy in Computer Systems. Prentice-Hall, Englewood Cliffs, N.J. Google Scholar
- MCLEAN, J. 1990. The specification and modeling of computer security. Computer 23, i (Jan.), 9-16. Google Scholar
- MUMFORD, E., AND WEre, M. 1979. Computer Systems in Work Design: The ETHICS Method. Associated Business Press, London.Google Scholar
- MURDICK, R. 1980. MIS Concepts and Design. Prentice-Hall, Englewood Cliffs, N.J. Google Scholar
- NATIONAL RESEARCH COUNCIL 1991. Computers At Risk: Safe Computmg m the Information Age. National Academy Press, Washington, D.C. Google Scholar
- NECCO, C. 1989. Evaluating methods of systems development: A management survey. J. Inf. Syst. Manage. 6, i (Winter), 8 16.Google Scholar
- NECCO, C., GORDON, C., AND TSAI, N. 1987. Systems analysis and design: Current practices. MIS Q. 11, 4 (Dec.), 461 476. Google Scholar
- NIELSEN, N., AND RUDER, B. 1980. Computer system integrity vulnerability. Inf. Privacy 2, 1 (Jan.), 21-25.Google Scholar
- NOLAN, R. 1979. Managing the crisis in data processing. Harvard Bus. Rev. 57, 2 (Mar. Apr.), 115-126.Google Scholar
- NORDBOTTEN, J. 1985. The Analysis and Design of Computer-Based Information Systems. Houghton Mifflin, Boston. Google Scholar
- OZIER, W. 1992. Risk assessment and management. In Data Security Ma,agement. Report 85-01-20. Auerbach, New York.Google Scholar
- OZlER, W. 1989. Risk quantification problems and Bayesian Decision Support System solutions. Inf. Age 11, 4 (Oct.), 229-234. Google Scholar
- PARKER, D. 1986. Computer Crime: Computer Securtty Techntques. U.S Department of Justice, Bureau of Justice Statistics Document J29.2:C86, Washington, D.C.Google Scholar
- PARKER, D. 1981. Computer Security Management. Reston, Reston, MassGoogle Scholar
- PARKER, D. 1976. Crime by Computer. Chas Scribners Sons, New York.Google Scholar
- PARNAS, D., AND CLEMENTS, P 1986. A rational design process: How and why to fake it. IEEE Trans. Softw. Eng. SE 12, 2 (Feb.), 251-257. Google Scholar
- PATRICK, B. 1974. Book review of SAFE. Datamatton 20, 7 (Apr.), 208-209.Google Scholar
- RUMBAUGH, J., BLAHA, M., PREMERLANI, W., EDDY, F., AND LORENSEN, W. 1991. Object-Oriented Modeling and Destgn. Prentice-Hall, Englewood Cliffs, N.J. Google Scholar
- Saari, J. 1991. Top management challenge: From quantitative guesses to prudent baseline of security. In Proceedings of the 1991 IFIP Computer Securtty Conference (Brighton, England, May). IFIP, Geneva, Switzerland, 295 300.Google Scholar
- Saari, J. 1987. Computer crime: Numbers lie. Comput. Sec. 6, 2~ 111-117. Google Scholar
- Saarinen, T. 1990. System development methodology and project success: An assessment of situational approaches. Inf. Manage. 19, 3 (Oct.), 183 193. Google Scholar
- SAARINEN, T., AND SAAKSJAVI, M. 1989 The missing concepts of user participation: An empirical assessment of user participation and information system success. In Proceedlng's of the 12th IRIS Port II Computer Science Department, Aarhus Univ., DAIMI PB 296-II (Dec.), Aarhus, Denmark, 533 551Google Scholar
- SALTMARSH, T., AND BROWNE, P. 1983 Data processing--nsk assessment. In Advances in Computer Securtty Management 2. Wiley, Chichester, U.K., 93-116.Google Scholar
- Schön, D. 1983. The Reflective Practitioner: How Professionals Think in Action. Basic, New York.Google Scholar
- SHELLY, G , AND CASHMAN, T. 1975 Business Systems Analysis and Design. Fullerton, Anaheim, Calif. Google Scholar
- SMITH, S., AND LIM, J. 1984. An automated method for assessing the effectiveness of computer security safeguards. In Computer Securtty A Global Challenge. North-Holland, Amsterdam, 321 328. Google Scholar
- Solarz, A. 1987. Computer-related embezzlement. Comput. Sec. 6, 1, 49-53 Google Scholar
- SPAFFORD, E. 1989 The lnternet worm: Crisis and aftermath Cornmz~n. ACM 32, 6 IJune), 678-687. Google Scholar
- STAMPER, R 1979. Lecture notes m systems analysis methodology 1 London School of Economics, London, U KGoogle Scholar
- STOLL, C. 1989. The Cuckoo's Egg Trackin~ a Spy through the Maze of Computer Espiona$~e Doubleday, New York. Google Scholar
- SUMNER, M. 1992. The impact of computer assisted software engineering on systems development. In IFIP Transactions A8 the Impact of Computer Supported Technologies on Information Systems Development. North-Holland, Amsterdam, pp. 43-60. Google Scholar
- U.S. DEPARTMENT OF COMMERCE 1979. Guzdel~ne for Automatic Data Processing Risk Analysis. Federal Information Processing Standards Publication FIPS 65 (Aug.), U.S. Dept. of Commerce, National Bureau of Standards, Washmgton, D.C.Google Scholar
- U.S. DEPARTMENT OF DEFENSE 1985. Trusted Computer Systems Evaluation Cmteria DOD 5200.28-STD. US Dept. of Defense (Dec.), Washington, D C.Google Scholar
- WARD, P., AND MELLOR, S. 1985. Structured Development for Real-Time Systerns vol. 1 I, troduct~on and Tools. Yourdon, Englewood Chfi~, N.J Google Scholar
- WATERS, S. 1973 Introductzon to Computer Systems NCC Publications, Manchester, U.K.Google Scholar
- Weber, R. 1988. EDP Auditing: Conceptual Foundations and Practice, 2nd ed. McGraw-Hill, New York Google Scholar
- WHITESIDE, T, 1978. Computer Capers: Tales of Electronic Thievery, Embezzlement, and Fraud. Fitzhenry and Whiteslde, Toronto.Google Scholar
- Wong, K. 1977. Risk Analysis and Control. National Computer Center Pubhcations, Manchester, U.K.Google Scholar
- WOOD, C 1990 Principles of secure information systems design. Comput Sec 9, 1 (Feb.), 13 24 Google Scholar
- YOURDON, E 1989. Modern Structured Analyszs. Yourdon, Englewood Cliffs, N J. Google Scholar
- Yourdon, E., and Constantine, L. 1979. Structured Design. Prentice-Hall, Englewood Cliffs, N.JGoogle Scholar
- Zviran, M., Hoge, J., and Micuccu, V. 1990, SPAN-a DSS for security plan analysis. Comput. See. 9, 2, 153-160 Google Scholar
Index Terms
- Information systems security design methods: implications for information systems development
Recommendations
Permanent protection of information systems with method of automated security and integrity control
SIN '10: Proceedings of the 3rd international conference on Security of information and networksInformation security is very important nowadays. Every IT system needs protection mechanisms for stability and safety of work. To solve this task, there are proposed a variety of security-providing solutions, but most of them are very expensive and non-...
Goals and Practices in Maintaining Information Systems Security
With the rapid growth of information systems and networks, security is a major concern of organizations. The main goals of information systems security are confidentially, integrity, and availability. The cornerstone of an organization's security lies ...
Internet Attack Methods and Internet Security Technology
AMS '08: Proceedings of the 2008 Second Asia International Conference on Modelling & Simulation (AMS)The Internet is a complex and dynamic environment in terms of both topology and emerging technology. In such an environment, security measures applied for small well-defined networks cannot work effectively. The lack of adequate knowledge and ...
Comments