Abstract
Effectively protecting information systems is a pivotal responsibility of (IT) management, which faces many challenges: technological complexities, business complexities, various stakeholders and conflicting requirements. Yet there is no holistic modelling approach that comprehensively addresses all these challenges while accounting for technical, organizational and business aspects. This paper analyzes the requirements of such a comprehensive modelling method for IT security design and management. We argue that enterprise modelling is most suitable to serve as a foundation for such an approach. We apply a method for developing domain-specific modelling languages (DSMLs) that is chiefly based on a structured analysis of use scenarios, including prototypical diagrams. It is supplemented by requirements found in the literature. Our analysis results in 23 requirements that should be satisfied by the targeted modelling method. These results are intended to serve as a foundation for discussion and discursive evaluation by peers and domain experts.
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Goldstein, A., Frank, U. (2013). A Language for Multi-Perspective Modelling of IT Security: Objectives and Analysis of Requirements. In: La Rosa, M., Soffer, P. (eds) Business Process Management Workshops. BPM 2012. Lecture Notes in Business Information Processing, vol 132. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-36285-9_64
DOI: https://doi.org/10.1007/978-3-642-36285-9_64
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-36284-2
Online ISBN: 978-3-642-36285-9
eBook Packages: Computer Science, Computer Science (R0)