A New Framework to Model a Secure E-Commerce System

Existing information system (IS) development methods do not meet the requirements for resolving security-related IS problems, and they fail to integrate security and systems engineering across all stages of the development process. Security should therefore be considered throughout the whole software development process and identified together with the requirements specification. This paper proposes an integrated security and IS engineering approach that covers all software development process stages using the i* language. The proposed framework is divided into three separate parts: modelling the business environment, modelling the information technology system, and modelling IS security. The results show that considering IS security goals throughout the system development process can have a positive influence on system implementation and better meet business expectations.
