Abstract
In the era of the service industry, information systems occupy a major, even vital, position for businesses, organizations and individuals. They face new and ongoing security threats that are more sophisticated and of different natures. In this context, it is important to prevent attackers from achieving their objectives, to manage the inevitable breaches, and to minimize their impact. Security practices must be conducted within an engineering framework: the engineering of security has to be improved. To this end, we propose developing innovative and broad systemic approaches that operate jointly along several axes while improving the user experience. We track and solve resilience, security and usability issues jointly in enterprise information systems. In this paper, we position socio-technical systems with respect to the well-known information systems of enterprises and organizations. We discuss the paradigms of socio-technical systems and focus on the interplay between resilience, security and usability. A case study illustrates the proposed approach; it details the elaboration of design patterns for improving user experience.
Acknowledgments
The authors thank Prof. Ahmed Seffah (Lappeenranta University of Technology) for his numerous relevant remarks and suggestions on preliminary versions of this paper. They also warmly thank Dr. Jean-René Ruault for his strong contribution to the previous versions.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Goudalo, W., Kolski, C., Vanderhaegen, F. (2017). Towards Advanced Security Engineering for Enterprise Information Systems: Solving Security, Resilience and Usability Issues Together Within Improvement of User Experience. In: Hammoudi, S., Maciaszek, L., Missikoff, M., Camp, O., Cordeiro, J. (eds) Enterprise Information Systems. ICEIS 2016. Lecture Notes in Business Information Processing, vol 291. Springer, Cham. https://doi.org/10.1007/978-3-319-62386-3_20
DOI: https://doi.org/10.1007/978-3-319-62386-3_20
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-62385-6
Online ISBN: 978-3-319-62386-3
eBook Packages: Computer Science (R0)