Reviewed by Fahad Al Ruwaili Copyright © 2009, Fahad F. AlRuwaili. This work may be copied under conditions set forth in the Creative Commons Attribution-NonCommercial License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-nd/3.0/us/ or send a letter to Creative Commons, 559 Nathan Abbott Way, Stanford, California 94305, USA. Oct 12th, 2010 About the Paper Authors: D'Aubeterre F* Singh R* Iyer L* *Information Systems and Operations Management – Bryan School of Business and Economics – The University of North Carolina a Greensboro Published: Oct 2008 ISSN: 0960-085X Citation: Zero – according to ISI web of knowledge℠ Source: European Journal of Information Systems (2008) 17, 528–542.doi:10.1057/ejis.2008.42 2 Distinct Points Sharing information and knowledge resources is surrounded with risks loss of valuable asset Security requirements have been always an afterthought in system development phases No conceptualization of secure business process no integration of security requirements in the design of BP 3 The Goal A DR model based on defined set of security constraints in order to develop secure exchange of information resources that is insync to business processes Ultimately: increase the security awareness Role Based Access Control (RBAC)* next slide *NIST Standard 2004 4 Design Phase “the best approach to development of security analysis and design methodology, would essentially be to nest it as a component part of an existing, established, successful overall information systems analysis and design methodology” Baskerville (1988)* * BASKERVILLE R (1988) Designing Information Systems Security. John Wiley & Sons, New York. 5 RBAC & SARC Secure Activity Resource Coordination (SARC) Role-Based Access Control (RBAC) RBAC SARC Activity resource coordination 6 Secure BP Modeling concepts for SARC secure business processes via defined rules 7 Hypotheses H1: A business process model developed using SARC artifacts is informationally equivalent to a business process model developed using Enriched-Use Case and standard UML Activity Diagrams. H2: A business process model developed using SARC artifacts creates a higher level of security awareness than a business process model developed using Enriched-Use Cases and standard UML-Activity Diagrams. H3: A business process model developed using SARC artifacts creates a higher level of security awareness than a business process model developed using Enriched-Use Cases and standard UML-Activity Diagrams for users with experience in business process analysis. 8 Design Cycle - Evaluation Extension of Security Awareness Situational Awareness(SA) 3 levels of SA (Endsley)* ○ Ability to perceive the statue ○ Ability to comprehend the current statue ○ Ability to predict the future *ENDSLEY MR (1995) Toward a theory of situational awareness in dynamic systems. Human Factors 37(1), 32–64. 9 Critique DSR guidelines Guideline 1: Design as an artifact The authors provide a conceptual model which represents the artifact Guideline 2: Problem relevance The DSR is relevant because ○ The proposed the methodology is technologybased and supports securing BP 10 Critique √ DSR guidelines Guideline 3: Design evaluation Analysis based on empirical design in evaluating √ Guideline 4: Research contributions Model of concepts to increase the level of awareness in securing BP √ Guideline 5: Research rigor Construction and evaluation methods are performed (requirements, modeling, analysis, experiments) 11 Critique DSR guidelines Guideline 6: Design as a search process They could cover more concepts in securing BP Not sure if it is effective, even though applied to a real-world BP √ Guideline 7: Communication of research Anonymous reviewers Participants’ comments from: ○ DESRIST 2007 ○ ICIS 12 General Thoughts They could incorporate security experts/specialists in order to assist They missed important aspect in RBAC (‘Least Privilege’ or ‘Need to Know’) Lack of security awareness evaluation metrics/table Confidentiality Recommendation: (RBAC + Crypto Systems into SARC) 13 14