Building an Information System Design Theory for Vigilant EIS

advertisement
Reviewed by
Fahad Al Ruwaili
Copyright © 2009, Fahad F. AlRuwaili. This work may be copied under conditions set forth in the Creative
Commons Attribution-NonCommercial License. To view a copy of this license, visit
http://creativecommons.org/licenses/by-nc-nd/3.0/us/ or send a letter to Creative Commons, 559 Nathan Abbott
Way, Stanford, California 94305, USA.
Oct 12th, 2010
About the Paper

Authors:
 D'Aubeterre F*
 Singh R*
 Iyer L*
*Information Systems and Operations Management – Bryan
School of Business and Economics – The University of North
Carolina a Greensboro
Published: Oct 2008
ISSN: 0960-085X
Citation: Zero – according to ISI web of knowledge℠
 Source: European Journal of Information Systems (2008)



17, 528–542.doi:10.1057/ejis.2008.42
2
Distinct Points

Sharing information and knowledge resources is
surrounded with risks  loss of valuable asset

Security requirements have been always an
afterthought in system development phases

No conceptualization of secure business process
 no integration of security requirements in the
design of BP
3
The Goal
A DR model based on defined set of security
constraints in order to develop secure
exchange of information resources that is insync to business processes
Ultimately: increase the security awareness
Role Based Access Control
(RBAC)*  next slide
*NIST Standard 2004
4
Design Phase
“the best approach to development of security
analysis and design methodology, would
essentially be to nest it as a component part of an
existing, established, successful overall
information systems analysis and design
methodology” Baskerville (1988)*
*
BASKERVILLE R (1988) Designing Information Systems Security. John Wiley &
Sons, New York.
5
RBAC & SARC
Secure Activity Resource Coordination
(SARC)
 Role-Based Access Control (RBAC)

RBAC
SARC
Activity
resource
coordination
6
Secure BP

Modeling concepts for SARC secure
business processes via defined rules
7
Hypotheses
H1:
A business process model developed using
SARC artifacts is informationally equivalent to
a business process model developed using
Enriched-Use Case and standard UML Activity
Diagrams.
H2:
A business process model developed using
SARC artifacts creates a higher level of security
awareness than a business process model
developed using Enriched-Use Cases and
standard UML-Activity Diagrams.
H3:
A business process model developed using SARC
artifacts creates a higher level of security
awareness than a business process model
developed using Enriched-Use Cases and standard
UML-Activity Diagrams for users with experience in
business process analysis.
8
Design Cycle - Evaluation

Extension of Security Awareness
Situational Awareness(SA)
 3 levels of SA (Endsley)*
○ Ability to perceive the statue
○ Ability to comprehend the current statue
○ Ability to predict the future
*ENDSLEY MR (1995) Toward a theory of situational awareness in dynamic
systems. Human Factors 37(1), 32–64.
9
Critique

DSR guidelines
Guideline 1: Design as an artifact
 The authors provide a conceptual model
which represents the artifact

Guideline 2: Problem relevance
 The DSR is relevant because
○ The proposed the methodology is technologybased and supports securing BP
10
Critique
√
DSR guidelines
Guideline 3: Design evaluation
 Analysis based on empirical design in
evaluating
√
Guideline 4: Research contributions
 Model of concepts to increase the level of
awareness in securing BP
√
Guideline 5: Research rigor
 Construction and evaluation methods are
performed (requirements, modeling,
analysis, experiments)
11
Critique

DSR guidelines
Guideline 6: Design as a search process
 They could cover more concepts in securing BP
 Not sure if it is effective, even though applied to
a real-world BP
√
Guideline 7: Communication of research
 Anonymous reviewers
 Participants’ comments from:
○ DESRIST 2007
○ ICIS
12
General Thoughts

They could incorporate security
experts/specialists in order to assist

They missed important aspect in RBAC (‘Least
Privilege’ or ‘Need to Know’)

Lack of security awareness evaluation
metrics/table

Confidentiality
 Recommendation: (RBAC + Crypto Systems into
SARC)
13
14
Download