skip to main content
10.1145/1988630.1988635acmconferencesArticle/Chapter ViewAbstractPublication PagesicseConference Proceedingsconference-collections
research-article

A conceptual meta-model for secured information systems

Published: 22 May 2011 Publication History

Abstract

Over the past years, research on specifying, designing and developing secured information systems (IS) has been very active. Some contributions have focused on integrating security aspects, mainly access control mechanisms, at the implementation phase. Others pay a particular attention to the capture and analysis of security requirements. However, to our knowledge, no method addresses the whole problem of the specification of security requirements and their transformation through all the phases of the IS development life cycle. We argue that better Secured IS can be obtained if security issues are taken into account at an earlier phase of the system life cycle and integrated with functional aspects along the whole life cycle. This paper is a step forward to a comprehensive security conceptual meta-model encompassing the main security properties such as availability, integrity, confidentiality, and accountability. It integrates functional and non-functional requirements. It includes social, organizational as well as informational aspects. This meta-model is the backbone of our approach.

References

[1]
Basin, D., Doser, J., Lodderstedt, T. 2006. Model Driven Security: from UML Models to Access Control Infrastructures. ACM Trans. Softw. Eng. Meth. 15, 1 (Jan., 2006), 39--91. DOI= http://doi.acm.org/10.1145/1125808.1125810.
[2]
Brambilla, M., Cabot, J., Comai, S. 2007. Automatic Generation of Workflow-Extended Domain Models. In Proceeding of 10th Int. Conf. on Model Driven Engineering Languages and Systems (Nashville, USA, September 30- October 5, 2007). MoDELS'07, LNCS 4735, Springer Berlin Heidelberg, 375--389. DOI= http://dx.doi.org/10.1007/978-3-540-75209-7_26.
[3]
Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J. 2004. Tropos: An Agent-Oriented Software Development Methodology. Auton. Agent. Multi-Ag. Systems, 8, 3 (May. 2004), 203--236. DOI= http://dx.doi.org/10.1023/B:AGNT.0000018806.20944.ef
[4]
Breton, E., Bézivin, J. 2000. An Overview of Industrial Process Meta-models. In Proceeding of 13th Int. Conf. Softw. Sys. Eng. Applic. (Paris, France, December 5-8, 2000). ICSEA'00
[5]
Breu, R., Popp, G., Alam, M. 2007. Model Based Development of Access Policies. Int. J. Softw. Tools Technol. Trans., 9, 5 (October, 2007), 457--470. DOI= http://dx.doi.org/10.1007/s10009-007-0045-y
[6]
Coma, C., Cuppens-Boulahia, N., Cuppens, F., Cavalli, A. R. 2008. Context Ontology for Secure Interoperability. In Proceeding of the 3rd Int. Conf. on Availability, Reliability and Security (Barcelona, Spain, March 4-7, 2008). ARES'08. IEEE Computer Society, 821--827. DOI= http://dx.doi.org/10.1109/ARES.2008.133
[7]
Crook, R.; Ince, D., Nuseibeh, B. 2005. On Modeling Access Policies: Relating Roles to their Organisational Context. Requirement Engineering. In Proceeding of the 13th IEEE Int. Conf. on Requir. Eng. (Paris, France, August 29 - September 2, 2005). RE'05. IEEE Computer Society, 157--166. DOI= http://doi.ieeecomputersociety.org/10.1109/RE.2005.48
[8]
Cuppens, F., Miège, A. 2003. Modelling Contexts in Or-BAC Model. In Proceeding of the 19th Annual Computer Security Applications Conference (Las Vegas, NV, USA, December 8 - 12, 2003). ACSAC'03, IEEE Computer Society, 416--427.
[9]
Eder, J., Gruber, W. 2002. A Meta-model for Structured Workflows Supporting Workflow Transformations. In Proceeding of the 6th East Euro. Conf. on Advances in Databases and Information Systems (Bratislava, Slovakia, September 8-11, 2002). ADBIS'02, LNCS 2435, Springer Berlin/Heidelberg, 326--339. DOI= http://dx.doi.org/10.1007/3-540-45710-0_26
[10]
Fontaine, P. J. 2001. Goal-Oriented Elaboration of Security Requirement. Ph.D. thesis. University of Louvain. Belgium
[11]
Georg, G., Ray, I., Anastasakis, K., Bordbar, B., Toarcienne,M., Houmb, S., H. 2009. An Aspect-Oriented Methodology for Designing Secure Applications. Inform. Software. Tech., 51, 5, (May, 2009), 846--864. DOI= http://dx.doi.org/10.1016/j.infsof.2008.05.004
[12]
Hafner, M., Memon, M., Alam, M. 2007. Modeling and Enforcing Advanced Access Control Policies in Healthcare Systems with SectetSource. In the Proceeding of the workshop on Model-Based Design of Trustworthy Health Information Systems in conjunction MoDELS'07 (Nashville, TN, USA, September 30, 2007). MOTHIS'07, LNCS 5002, Springer Berlin/Heidelberg, 132--144. DOI= http://dx.doi.org/10.1007/978-3-540-69073-3_15
[13]
He, Q., Antón A. I. 2009. Requirements-based Access Control Analysis and Policy Specification. Inform. Software. Tech., 51, 6 (Jun., 2009), 993--1009. DOI= http://dx.doi.org/10.1016/j.infsof.2008.11.005.
[14]
He, Q., Antón, A. I. 2003. A framework for Modeling Privacy Requirements in Role Engineering. In Proceeding of the 9th Int. workshop on Requirements Engineering for Software Quality (Klagenfurt, Velden, Austria, June 16 - 17). REFSQ'03, 115--124.
[15]
Jürjens, J., Schreck, J., Bartmann, P. 2008. Model-Based Security Analysis for Mobile Communications. In Proceeding of the 30th int. Conf. Softw. Eng. (Leipzig, Germany, May 10 - 18, 2008). ICSE '08, ACM, 683--692. DOI= http://doi.acm.org/10.1145/1368088.1368186.
[16]
Khwaja, A, Urban, J. 2002. A Synthesis of Evaluation Criteria for Software Specifications and Specification Techniques. Int. J. Softw. Eng. and Know. Eng., 12, 5 (Aug., 2002), 581--599. DOI= http://dx.doi.org/10.1142/S0218194002001062
[17]
Kradolfer, M. 2000. A Workflow Meta-model Supporting Dynamic Reuse-Based Model Evolution. Ph.D Thesis. University of Zurich.
[18]
Lamsweerde, A. V. 2009. Requirements Engineering: From System Goals to UML Models to Software Specifications. Wiley, ISBN 978-0-470-01270-3.
[19]
Lei, Y., Singh, M. P. 1997. A Comparison of Workflow Meta-models. In Proceeding of the ER'97 workshop on Behavioral Models and Design Transformations: Issues and Opportunities in Conceptual Modeling (Los Angeles, California, November 6 - 7, 1997).
[20]
List, B., Korherr, B. 2006. An Evaluation of Conceptual Business Process Modeling Languages. In the Proceeding of the 2006 ACM Symposium on Applied Computing (Dijon, France, April 23-27, 2006). SAC'06, 1532--1539. DOI= http://doi.acm.org/10.1145/1141277.1141633
[21]
Liu, L., Yu, E., Mylopoulos, J. 2003. Security and Privacy Requirements Analysis within a Social Setting. In Proceeding of the 11th IEEE Int. Conf. on Requir. Eng. (Monterey Bay, California, USA, September 8-12, 2003). IEEE Computer Society, 151--161. DOI= http://doi.ieeecomputersociety.org/10.1109/ICRE.2003.1232 746
[22]
Massacci, F., Zannone, N. 2008. A Model-Driven Approach for the Specification and Analysis of Access Control Policies. In the Proceeding of the int. conf. On the Move to Meaningful Internet Systems (Monterrey, Mexico, November 9-14, 2008). OTM'08, 1087--1103. DOI= http://dx.doi.org/10.1007/978-3-540-88873-4_11.
[23]
Mead, N. R., Viswanathan, V., Zhan, J. 2008. Incorporating Security Requirements Engineering into the Rational Unified Process. In Proceeding of the 2008 Int. conf. on Information Security and Assurance (Busan, Korea, April 24 - 26, 2008). ISA'08, IEEE Computer Society, 537--542. DOI= http://dx.doi.org/10.1109/ISA.2008.19
[24]
Mellado, D., Fernández-Medina, M., Piattini, M. 2007. A Common Criteria Based Security Requirements Engineering Process for the Development of Secure Information Systems. Comp. Stand. Inter., 29, 2 (Feb. 2007), 244--253. DOI= http://dx.doi.org/10.1016/j.csi.2006.04.002
[25]
Mouratidis, H. 2009. Secure Tropos: An Agent Oriented Software Engineering Methodology for the Development of Health and Social Care Information Systems. Int. J. Comp. Sci. Secur., 3, 3, 241--271.
[26]
OMG. 2009. Business Process Model and Notation Specification, http://www.omg.org/spec/BPMN/1.2.
[27]
Saidani, O., Nurcan, S. 2006. A Role-Based Approach for Modelling Flexible Business Processes. In Proceeding of the CAISE 2006 workshop on Business Process Modelling, Development, and Support (Luxemburg, June 5 - 9, 2006) BPMDS'06, CEUR-WS.org, 111--120.
[28]
Sindre, G., Firesmith, D. G., Opdahl, A. L. 2003. A Reuse-Based Approach to Determining Security Requirements. In Proceeding of the 9th Int. workshop on Requirements Engineering: Foundation for Software Quality (Klagenfurt, Velden, Austria June 16 - 17,2003). REFSQ'03, 16--17.
[29]
Sindre, G., Opdahl, A. 2005. Eliciting Security Requirements with Misuse Cases. Requir. Eng. 10, 1 (Jan. 2005), 34--44. DOI= http://dx.doi.org/10.1007/s00766-004-0194-4.
[30]
Susi, A., Perini, A., Mylopoulos, J., Giorgini, F. 2005. The Tropos Meta-model and its Use. Informatica, 29, 4, 401--408.
[31]
Villarroel, R., Fernández-Medina, E., Piattini, M. 2005. Secure Information Systems Development - a survey and comparison. Comp. Secur. 24, 4 (Jun. 2005) 308--321. DOI= http://dx.doi.org/10.1016/j.cose.2004.09.011
[32]
Wang, J. He, K., Gong, P., Wang C., Peng, P., Li, B. 2008. RGPS: A Unified Requirements Meta-Modeling Frame for Networked Software. In the Proceeding of the 3rd Int. Workshop on Applications and Advances of Problem Frames (Leipzig, Germany, May 10, 2008). IWAAPF'08 at ICSE'08, ACM, 29--35. DOI= http://doi.acm.org/10.1145/1370811.1370817
[33]
Yu, E., Strohmaier, M., Deng, X. 2006. Exploring Intentional Modeling and Analysis for Enterprise Architecture. In Proceeding of the 10th IEEE on Int. Enterprise Distributed Object Computing Conference Workshops (Hong Kong, China, October 16-20, 2006). EDOCW'06. IEEE Computer Society, 32--32. DOI= http://dx.doi.org/10.1109/EDOCW.2006.36
[34]
Zannone, N. 2009. The Si* Modeling Framework: Metamodel and Applications. Int. J. Softw. Eng. and Know. Eng., 19, 5, (Aug., 2009), 727--746. DOI= http://dx.doi.org/10.1142/S02181940090043

Cited By

View all
  • (2021)Theory Driven Modeling as the Core of Software DevelopmentResearch Anthology on Recent Trends, Tools, and Implications of Computer Programming10.4018/978-1-7998-3016-0.ch005(88-107)Online publication date: 2021
  • (2018)Theory Driven Modeling as the Core of Software DevelopmentInternational Journal of Systems and Software Security and Protection10.4018/IJSSSP.20180701039:3(60-77)Online publication date: 1-Jul-2018
  • (2015)From Risk Analysis to the Expression of Security Requirements for Systems Information2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec)10.1109/CyberSec.2015.25(84-89)Online publication date: Oct-2015
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
SESS '11: Proceedings of the 7th International Workshop on Software Engineering for Secure Systems
May 2011
62 pages
ISBN:9781450305815
DOI:10.1145/1988630
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 May 2011

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. information system
  2. model driven approach
  3. security

Qualifiers

  • Research-article

Conference

ICSE11
Sponsor:
ICSE11: International Conference on Software Engineering
May 22, 2011
HI, Waikiki, Honolulu, USA

Acceptance Rates

SESS '11 Paper Acceptance Rate 8 of 11 submissions, 73%;
Overall Acceptance Rate 8 of 11 submissions, 73%

Upcoming Conference

ICSE 2025

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)1
  • Downloads (Last 6 weeks)1
Reflects downloads up to 15 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2021)Theory Driven Modeling as the Core of Software DevelopmentResearch Anthology on Recent Trends, Tools, and Implications of Computer Programming10.4018/978-1-7998-3016-0.ch005(88-107)Online publication date: 2021
  • (2018)Theory Driven Modeling as the Core of Software DevelopmentInternational Journal of Systems and Software Security and Protection10.4018/IJSSSP.20180701039:3(60-77)Online publication date: 1-Jul-2018
  • (2015)From Risk Analysis to the Expression of Security Requirements for Systems Information2015 Fourth International Conference on Cyber Security, Cyber Warfare, and Digital Forensic (CyberSec)10.1109/CyberSec.2015.25(84-89)Online publication date: Oct-2015
  • (2011)Seventh international workshop on software engineering for secure systems (SESS 2011)Proceedings of the 33rd International Conference on Software Engineering10.1145/1985793.1986045(1200-1201)Online publication date: 21-May-2011

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media