E-business Information Systems Security Design Paradigm and Model

Sharon Nachtigal

(2009)

Sharon Nachtigal (2009) E-business Information Systems Security Design Paradigm and Model.

Abstract

This thesis is concerned with a new approach to Information Systems Security management for an e-business organisation. One characteristic of a modern organisation, and especially of an e-business organisation, is that its resources and assets are distributed; management of those resources is likewise distributed across hierarchical functions. With the move to e-business, the number of users involved in business operations has grown, and these users, both inside and outside the organisation, need access to the organisation's information. The organisational IT perimeter is therefore crossed far more frequently and easily than before, which makes the effectiveness of the perimeter security approach highly questionable in the modern business environment. The challenge addressed here is to develop a model for e-business security that offers an alternative both to the way security is viewed and to the way it is designed and managed. The new paradigm proposed for e-business organisation security is a business-process oriented security paradigm. The design of the paradigm and the development of the methodology rest on the view that modern business and technological systems are complex dynamic systems. Security is then achieved by focusing on a specified set of security requirements, and by securing the business logic and the individual information flows of an e-process. Building on the paradigm, a methodology for its implementation is presented in the form of an e-Business Process Security Methodology (eBPSM), which identifies and describes the sequence of phases to be performed. Each phase is defined in terms of the level of the organisational hierarchy involved, the professionals, tasks, outcomes, and phase-specific details. The methodology was tested on a real-life case study of an aviation company: the company and its Information Systems were analysed, and its online ordering process served as the basis for a test implementation of the methodology. An evaluation of the methodology and opinions on its feasibility were provided by information security professionals from academia and industry. The research is expected to contribute to both business and academia, at both a practical and a theoretical level. There are four main novel aspects of the work described in this thesis: 1. a new business process-based security paradigm is proposed; 2. modern business and technological systems are approached as complex dynamic systems; 3. an approach to information security design and management is proposed that focuses on the business logic and the information flows of an e-process; 4. a new set of information security requirements is suggested.

Information about this Version

This is a Published version
This version's date is: 02/06/2009
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/bf2711d5-4654-40ee-b1c6-4b4f0f83ac97/1/

Item Type: Monograph (Technical Report)
Title: E-business Information Systems Security Design Paradigm and Model
Authors: Nachtigal, Sharon
Departments: Faculty of Science \ Mathematics

Deposited by () on 24-Jun-2010 in Royal Holloway Research Online. Last modified on 15-Dec-2010

Notes

References

[1] O. Adam, A. Hofer, S. Zang, C. Hammer, M. Jerrentrup, and S. Leinenbach,
A collaboration framework for cross-enterprise business process management,
Preproceedings of the First International Conference on Interoperability of
Enterprise Software and Application (Geneva, Switzerland), 23{25 February
2005.

[2] R. Ahlswede, N. Cai, S. Li, and R. Yeung, Network information °ow, IEEE
Transactions on Information Theory 46 (2000), no. 4.

[3] S. Aissi, P. Malu, and K. Srinivasan, E-business process modeling: The next
big step, Computer 35 (2002), no. 5, 55{62.

[4] E. Albrechtsen, A qualitative study of user's view on information security,
Computers & Security 26 (2007), 276{289.

[5] B. Anderson, J. Hansen, P. Lowry, and S. Summers, Model checking for design
and assurance of e-business processes, Decision Support Systems 39 (2005),
333{344.

[6] R. Anderson, Why cryptosystems fail?, Proceedings of the 1st ACM conference
on Computer and Communications Security, ACM, 1993.

[7] , Why information security is hard|an economic perspective, Proceed-
ings of the 17th Annual Computer Security Applications Conference (New
Orleans, Louisiana), 10{14 December 2001.

[8] A. Andreu, Professional Pen Testing for Web Applications, Wiley Publishing,
Inc., 2006.

[9] S. Androutsellis-Theotokis, D. Spinellis, and V. Karakoidas, Performing peer-
to-peer e-business transactions: A requirements analysis and perliminary de-
sign proposal, IADIS, International e-Commerce 2004 Conference, December
2004, pp. 399{404.

[10] R. Anthony, Planning and Control Systems: A Framework for Analysis, Har-
vard University Press, 1965.

[11] L. M. Applegate, E-business handbook, The St. Lucie Press, 2002.

[12] I. Arce, The weakest link revisited, Security & Privacy, IEEE (2003), 72{76.

[13] F. Armknecht, A. Festag, D. Westho®, and K. Zeng, Cross-layer privacy en-
hancement and non-repudiation in vehicular communication, 4th Workshop
on Mobile Ad-Hoc Networks (WMAN) (Bern, Switzerland), March 2007.

[14] D. Avison and G. Fitzgerald, Information Systems Development|
Methodologies, Techniques and Tools, 3rd ed., McGraw-Hill Education (UK).

[15] D. Avison, F. Lau, M. Myers, and P. Nielsen, Action research, Communica-
tions of the ACM 42 (1999), no. 1, 94{97.

[16] Y. Bar-Yam, Unifying principles in complex systems, New England Complex
Systems Institute, 24 Mt. Auburn St., Cambridge, MA 02138, 2003, can be
found at http://www.necsi.edu/projects/yaneer/ComplexSystems.pdf.

[17] A. Barabasi, Linked: The New Science of Networks, Perseus Books,U.S., 2003.

[18] A. Barrat, M. Barthelemy, R. Pastor-Satorras, and A. Vespignani, The archi-
tecture of complex weighted networks, Proceedings of the National Academy
of Sciences, USA, vol. 101, 2004, pp. 3747{3752.

[19] R. Baskerville, Information systems security design methods: implications for
information systems development, ACM Computing Surveys 25 (1993), no. 4,
375{414.

[20] , Investigating information systems with action research, Communica-
tions of the AIS 2 (1999).

[21] R. Baskerville and M. Myers, Special issue on action research in information
systems: Making IS research relevant to practice (foreword), MIS Quarterly
28 (2004), no. 3, 329{335.

[22] I. Benbasat and R. Zmud, Empirical research in information systems: The
practice of relevance, MIS Quarterly 23 (1999)), no. 1, 3{16.

[23] S. Bennett, S. McRobb, and R. Farmer, Object-Oriented Systems Analysis
and Design, 2nd ed., McGraw-Hill, 2002.

[24] S. Bernard, Information lifecycle security risk assessment: A tool for closing
security gaps, Computers & Security 26 (2007), 26{30.

[25] M. Bishop, Introduction to Computer Security, Addison-Wesley, 2005.

[26] S. Boccaletti, V. Latora, Y. Moreno, M. Chavez, and D.-U. Hwang, Complex
networks: Structure and dynamics, Physics Reports 424 (2006), 175{308.

[27] P. Bocij, D. Cha®ey, A. Greasley, and S. Hickie, Business Information Sys-
tems, 2nd ed., Finanacial Times, Prentice Hall. An imprint of Pearson Edu-
cation, 2003.

[28] L. Bodin, L. Gordon, and M. Loeb, Evaluating information security invest-
ments using the analytic hierarchy process, Communivations of the ACM 48
(2005), no. 2, 78{83.

[29] W. Boni and G. Kovacich, Netspionage - The Global Threat to Information,
Butterworth-Heinemann, 2000.

[30] A. Bossi, R. Focardi, D. Macedonio, C. Piazza, and S. Rossi, Unwinding in
information °ow security, Electronic Notes in Theoretical Computer Science
(2004), 127{154.

[31] D. Bradbury, Saving private Ryan|but losing the war?, Infosecurity Today 1
(2004), no. 2, 36{38.

[32] , Why we love to hate our telcos, Infosecurity Today 1 (2004), no. 6,
18{20.

[33] R. Bragg, M. Phodes-Ousley, and K. Strassberg, Network Security: The Com-
plete Reference, McGraw-Hill/Osborne, 2004.
324

[34] R. Breu, K. Burger, M. Hafner, and G. Popp, Towards a systematic develop-
ment of secure systems, Information Systems Security 13 (2004), 5{13.

[35] BSI British Standard Institute, http://www.bsi-global.com/.

[36] E. Brynjolfsson, The IT productivity gap, Optimize (2003), no. 22.

[37] E. Brynjolfsson and L. Hitt, Productivity, business pro¯tability, and consumer
surplus: Three di®erent measuress of information technology value, MIS Quar-
terly 20 (1996), no. 2.

[38] C. Burney, Information Security Management Handbook, 5th ed., ch. Roles
and Responsibilities of the Information Ssystems Security O±cer, pp. 865{
870, Auerbach, 2004.

[39] K. Buszta, Information Security Management Handbook, 5th ed., ch. Security
Management, pp. 677{684, Auerbach, 2004.

[40] J.A. Byrne, The futurist who fathered the ideas, Business Week (1993).

[41] A. Calaprice, The New Quotable Einstein, Prinston University Press, 2005,
Collected and edited by Alice Calaprice.

[42] N. Carr, IT does not matter, Harvard Business Review, May 2003.

[43] , Does IT Matter? Information Technology and the Corrosion of Com-
petitive Advantage, Harvard Business School Press, 2004.

[44] E. Casey, Case study: Network intrusion investigation|lessons in forensic
preparation, Digital Investigation (2005), no. 4, 254{260.

[45] D. Cecez-Kecmanovic, Doing critical IS research: The question of methodol-
ogy, Qualitative research in IS: issues and trends (2001), 141{162.

[46] D. Cha®ey, E-Business and E-Commerce Management, Prentice Hall, Finan-
cial Times, 2002.

[47] G. Chakrabarti, A. Manimaran, Internet infrastructure security: A taxonomy,
Network, IEEE 16 (2002), no. 6, 13{21.
325

[48] L. Chao, Autonomic computing, Intel Technology Journal 10 (2006), no. 4.

[49] W. Chen and R. Hirschheim, A paradigmatic and methodological examina-
tion of Information Systems research from 1991 to 2001, Information Systems
Journal 14 (2004), no. 3, 197{235.

[50] J. Chirillo and E. Danielyan, SUN certi¯ed security administrator for Solaris
9 & 10 study guide, 1 edition ed., McGraw-Hill Osborne Media, 2005.

[51] M. Christofer, Supply chains: A marketing perspective, Understanding Supply
Chains (S. New and R. Westbrook, eds.), Oxford University Press, 2004.

[52] C. Chua, D. Straub, H. Khoo, S. Kadiyala, and D. Kuechler, The evolution of
e-commerce research: A stakeholder perspective, Journal of Electronic Com-
merce Research 6 (2005), no. 4.

[53] D. Clark, S. Hunt, and P. Malacaria, A static analysis for quantifying infor-
mation °ow in a simple imperative language, Journal of Computer Security
15 (2007), no. 3, 321{371.

[54] I. Cox, M. Miller, J. Bloom, J. Fridrich, and T. Kalker, Digital Waremarking
and Steganography, 2nd ed., Morgan Kau®mann publishers. Elsevier, 2008.

[55] S. Crafa, M. Bugliesi, and G. Castagna, Information °ow security in boxed
ambients, Electronic Notes in Theoretical Computer Science 66 (2004), no. 3.

[56] M. Cronin, Unchained value: The new logic of digital business, HBSWK Pub-
lications (2000).

[57] B. Dahlbom, Postface: From infrastructure to networking, From Control to
Drift|The Dynamics of Corporate Information Infrastructures (C. Ciborra
and associates., eds.), Oxford University Press, 2001.

[58] T. Davenport and M. Markus, Rigor vs. relevance revisited: Response to Ben-
basat and Zmud, MIS Quarterly 23 (1999)), no. 1, 19{23.
326

[59] B. De Win, J. Van den Bergh, F. Matthijs, B. De Decker, and W. Joosen, A
security architecture for electronic commerce applications, SEC, 2000, pp. 491{
500.

[60] W. Delone and E. McLean, Information systems success: The quest for the
dependent variable, Information Systems Research 3 (1992), no. 1, 60{95.

[61] , The Delone and McLean model of information systems success: A
ten-year update, Journal of Management Information Systems 19 (2003), no. 4,
9{30.

[62] D. Denning, Information Warfare and Security, 12th printing ed., Addison-
Wesley, February 2006.

[63] D. Denning and P. Denning, Data security, ACM Computing Surveys 11
(1979), no. 3, 227{249.

[64] D.E. Denning, A lattice model of secure information °ow, Communications of
the ACM 19 (1976), no. 5, 236 { 243.

[65] A. Dent and C. Mitchell, User's guide to cryptography and standards, Artech
House, 2005.

[66] J. Dhillon and G. Torkzadeh, Value-focused assessment of information system
security in organizations, Information Systems Journal 16 (2006), no. 3, 293{

[67] I. Djordjevic, T. Dimitrakos, N. Romano, D. Mac Randal, and P. Ritrovato,
Dynamic security perimeters for inter-enterprise service integration, Future
Generation Computer Systems 23 (2007), no. 4, 633{657.

[68] N. Doherty and H. Fulford, Aligning the information security policy with the
strategic information systems plan, Computers & Security 25 (2006), no. 1,
55{63.

[69] D. Dzung, M. Naedele, T. von Ho®, and M. Crevatin, Security for indus-
trial communication systems, Proceedings of the IEEE, vol. 93, June 2005,
pp. 1152{1177.

[70] J. Fenton and J. Wolfe, Information Security Management Handbook, 5th ed.,
ch. Organising for Success: Some Human Resources Issues in InformationSe-
curity, pp. 887{898, Auerbach, 2004.

[71] K. Ferraiolo, J. Williams, and D. Landoll, Capability Maturity Model for Se-
curity Engineering, Proceedings of the Sixth Annual Canadian Computer Se-
curity Symposium, 1994.

[72] R. Focardi, R. Gorrieri, and F. Martinelli, Information °ow analysis in
a discrete-time process algebra, 13th IEEE Computer Security Foundations
Workshop (CSFW'00), 2000.

[73] R. Focardi and S. Rossi, Information fow security in dynamic contexts, Journal
of Computer Security 14 (2006), no. 1, 65{110.

[74] K. Forbus, Qualitative process theory, Arti¯cial Intelligence 24 (1984), 85{168.

[75] W. Ford and M. Baum, Secure Electronic Commerce: Building the Infrastruc-
ture for Digital Signatures and Encryption, Prentice-Hall, Inc., Upper Saddle
River, NJ, USA, 1997.

[76] K. Friedman, Theory construction in design research: Criteria, approaches
and methods, Design Studies 24 (2003).

[77] A. Fuchsberger, Intrusion detection systems and intrusion prevention systems,
Information Security Technical Report 10 (2005), no. 3, 134{139.

[78] S. Furnell, Cybercrime: Vandalizing the information society, ICWE 2003,
LNCS 2722 (J.M. Cueva Lovelle et al., ed.), Springer-Verlag Berlin Heidel-
berg, 2003, pp. 8{16.

[79] , Computer Insecurity, Springer-Verlag, London, 2005.
328

[80] , Why users cannot use security, Computers & Security 24 (2005),
274{279.

[81] , Making security usable, Computers & Security 26 (2007), 434{443.

[82] S. Furnell, P. Bryant, and A. Phippen, Assessing the security perceptions of
personal internet users, Computers & Security 26 (2007), 410{417.

[83] S. Furnell, A. Jusoh, and D. Katsabas, The challenges of understanding and
using security: A survey of end-users, Computers & Security 25 (2006), 27{
35.

[84] B. Gehling and D. Stankard, eCommerce security, InfoSecCD '05: Proceedings
of the 2nd annual conference on Information security curriculum development
(New York, NY, USA), ACM Press, September 2005, pp. 32{37.

[85] M. Gerber and R. von Solms, Management of risk in the information age,
Computers & Security 24 (2005), 16{30.

[86] P. Gloor, Making the e-Business Transformation, Springer-Verlag, London,
2000.

[87] S. Goel and V. Chen, Information security risk analysis|a matrix-based ap-
proach, Proceedings of the Information Resource Management Association
(IRMA) International Conference (Hershey, PA), Information Resources Man-
agement Association, May 2005.

[88] D. Gollman, E-commerce security, Computing & Control Engineering Journal
(2000).

[89] , Computer Security, John Wiley & Sons, 2003.

[90] S. Gregor, A theory of theories in Information Systems, Information Systems
Foundations: Building the Theoretical Base (S. Gregor and D. Hart, eds.),
Australian National University, Canberra, 2002.

[91] , The nature of theory in Information Systems, MIS quarterly 3 (2006).

[92] S. Gregor and D. Jones, The formulation of design theories for information
systems, Constructing the infrastructure for the knowledge economy: Methods
and tools, theory and practice (Linger et al., ed.), 2004.

[93] J. Grossman, Seven business logic °aws that put your website at risk,
online WhiteHat Security Whitepaper, October 2007, can be found at

http://www.whitehatsec.com/home/assets/WP bizlogic092407.pdf.
[94] E. Gummesson, Qualitative Methods in Management Research, 2nd ed., Sage
Publications, Inc., 2000.

[95] C. Gutierrez, E. Fernandez-Medina, and M. Piattini, Towards a process for
web services security, Journal of Research and Practicein Information Tech-
nology 38 (2006), no. 1, 57{67.

[96] J. Guttman, A. Herzog, J. Ramsdell, and C. Skorupka, Verifying informa-
tion °ow goals in security-enhanced Linux, Journal of Computer Security 13
(2005), no. 1, 115{134.

[97] C. Haley, J. Mo®ett, R. Laney, and B. Nuseibeh, A framework for security
requirements engineering, SESS'06, ACM, May 2006, pp. 35{41.

[98] S. Harris, CISSP All-In-One Exam Guide, second ed., McGraw-Hill/Osborne
Media, 2003.

[99] M. Hauswirth, M. Jazayeri, and M. Schneider, A phase model for e-commerce
business models and its application to security assessment, Proceedings of the
34th Hawaii International Conference on System Sciences, 2001.

[100] Z. Hayat, J. Reeve, and C. Boutle, Ubiquitous security for ubiquitous comput-
ing, Information Security Technical Report 12 (2007).

[101] M. Henning, The rise and fall of CORBA, Queue 4 (2006), no. 5, 28{34.

[102] R. Herold, Information Security Management Handbook, 5th ed., ch. Informa-
tion Protection: Organisation, Roles, and Separation of Duties, pp. 871{886,
Auerbach, 2004.

[103] G. Herrmann and G. Pernul, Viewing business-process security from di®erent
perspectives, International Journal of Electronic Commerce 3 (1999), no. 3,
89{103.

[104] A. Hevner, S. March, J. Park, and S. Ram, Design science in information
systems research, MIS Quarterly 28 (2004), no. 1, 75{106.

[105] R. Hirschheim and H. Klein, Four paradigms of information systems develop-
ment, Communications of the ACM 32 (1989), no. 10, 1199 { 1216.

[106] A. Holiday, Doing and Writing Qualitative Research, Sage publications, 2002.

[107] D. Hsiao, S. Madnick, and D. Kerr, Computer Security, Academic Press, Inc.
Orlando, FL, USA, 1979.

[108] V. Igure and R. Williams, Taxonomies of attacks and vulnerabilities in com-
puter systems, IEEE Communications Surveys & Tutorials. The Electronic
Magazine of Original Peer-Reviewed Survey Articles 10 (2008), 6{19.

[109] ISO International Standards Insistute, www.iso.org.

[110] Internet Society (ISOC), A brief history of the Internet, can be found online
at http://research.microsoft.com/users/padmanab/CSE561/papers/internet-
history.htm.

[111] A. Jaquith, The security of applications: Not all are created equal, Research
report, at Stake, 2002, can be found at: www.netsourceasia.net.

[112] N. Jarvis, E-commerce and encryption: Barriers to growth, Computers &
Security 18 (1999), no. 5, 429{431.

[113] X. Jiang, J. Hong, and J. Landay, Approximate information °ows: Socially-
based modeling of privacy in ubiquitous computing, Lecture Notes in Computer
Science, UbiComp 2002: Ubiquitous Computing : 4th International Confer-
ence, Gteborg, Sweden, Springer Berlin / Heidelberg, 2002.

[114] R. Johnson and A. Onwuegbuzie, Mixed methods research: A research para-
digm whose time has come, Educational Researcher 33 (2004), no. 7, 14{26.
331

[115] P. Jones, P. Beynon-Davies, and E. Muir, E-business barriers to growth within
the SME sector, Journal of Systems & Information Technology 7 (2003), no. 1{
2, 1{26.

[116] S. Jones, M. Wilikens, P. Morris, and M. Nasera, Trust requirements in e-
business, Communications of the ACM 43 (2000)), no. 12, 81{87.

[117] J. Joshi, W. Aref, A. Ghafoor, and E. Spa®ord, Security models for web-based
applications, Communications of the ACM 44 (2001), no. 2, 38{44.

[118] P. Jungck and S. Shim, Issues in high speed Internet security, Computer 37
(2004), no. 7, 36{42.

[119] S. Katsikas, J. Lopez, and G. Pernul, Trust, privacy and security in e-business:
Requirements and solutions, Lecture Notes in Computer Science 3746 (2005),
548{558.

[120] R. Kau®man and C. Wood, Revolutionary research strategies for e-business:
A philosophy of science view in the age of the Internet, Economics, Infor-
mation Systems, and Electronic Commerce Research: Advanced Empirical
Methodologies (R. J. Kau®man and P. A. Tallon (Eds.), eds.), Advances in
Management Information Systems Series, M. E. Sharpe, Armonk, NY, 2007.

[121] H. Klein and M. Myers, A set of principles for conducting and evaluating
interpretive ¯eld studies in Information Systems, MIS Quarterly 23 (1999),
no. 1, 67{94.

[122] M. Klein, H. Sayama, P. Faratin, and Y. Bar-Yam, A complex systems perspec-
tive on computer-supported collaborative design technology, Communications
of the ACM 45 (2002), no. 11, 27{31.

[123] K. Knorr and S. Rohrig, Security requirements of e-business processes, To-
wards the E-Society: First IFIP Conference on E-Commerce, E-Business,
and E-Government; Zurich, Switzerland, Oct. 4-5, 2001 (B. Schmid,
K. Stanoevska-Slabeva, and V. Tschammer, eds.), Kluwer Academic Pub-
lishers, Norwell, MA, 2001, pp. 73{86.

[124] N. Komninos, D. Vergados, and C. Douligeris, Authentication in a layered se-
curity approach for mobile ad hoc networks, Computers & Security 26 (2007),
373{380.

[125] I. Koskosas and R. Paul, A socio-organisational approach to Information Sys-
tems security risks, International Journal of Risk Assessment and Management
(IJRAM) 4 (2003), no. 2/3.

[126] B. Ksiezopolski and Z. Kotulski, Adaptable security mechanisms for dynamic
environments, Computers & Security 26 (2007), no. 3, 246{255.

[127] M. Kutter and F. Hartung, Introduction to Watermarking Techniques, In-
formation hiding techniques for steganography and digital watermarking
(S. Katzenbeisser and F. Petitcolas, eds.), 2000.

[128] S. Kwok, C. Yang, and K. Tam, Intellectual property protection for electronic
commerce applications, Journal of Electronic Commerce Research 5 (2004),
no. 1.

[129] D. Lacey, Inventing the future|the vision of the Jericho Forum, Information
Security Technical Report 10 (2005), 186{188.

[130] Y. Lai, A. Motter, T. Nishikawa, K. Park, and L. Zhao, Complex networks:
Dynamics and security, Pramana 64 (2005), no. 4, 483{502.

[131] C. Landwehr, Formal methods for computer security, Computing Surveys 13
(1981), no. 3.

[132] , Computer security, IJIS, Springer-Verlag (2001), Published online 27
July 2001.

[133] K. Laudon and J. Laudon, Information Systems and the Internet, 4th ed.,
Dryden Press, 1998.

[134] B. Leiner, V. Cerf, D. Clark, R. Kahn, L. Kleinrock, D. Lynch, J. Postel,
L. Roberts, and S. Wol®, The past and future history of the Internet, Com-
munications of the ACM 40 (1997), no. 2, 102{108.

[135] M. Lejk and D. Deeks, Systems Analysis Techniques, 2nd ed., Addisson-
Wesley,Pearson Education Limited, 2002.

[136] F. Leymann, D. Roller, and M.-T. Schmidt, Web services and business process
management, IBM Systems Journal 41 (2002), no. 2, 1015{1019.

[137] I. Lim and I. Carastan, Information Security Management Handbook, 5th
ed., ch. System DevelopmentSecurity Methodology, pp. 1221{1234, Auerbach,
2004.

[138] A. Lindsay, D. Downs, and K. Lunn, Business processes|attempts to ¯nd a
de¯nition, Information and Software Technology (45) (2003), 1015{1019.

[139] A. Liska, The Practice of Network Security|Deployment Strategies for Pro-
duction Environment, Prentice Hall PTR, Pearson Education Inc., 2003.

[140] M. Lissack, Complexity: The science, its vocabulary and its relation to organ-
isations, Emergence - A Journal of Complexity Issues in Organisations and
Management 1 (1999), no. 1, 110{126.

[141] R. Lister, Mixed methods: Positivists are from Mars, constructuvusts are from
Venus, Inroads|The SIGCSE Bulletin 37 (2005), no. 4, 18{19.

[142] Q. Liu, R. Safavi-Naini, and N. Sheppard, Digital rights management for con-
tent distribution, ACSW Frontiers '03: Proceedings of the Australasian infor-
mation security workshop conference on ACSW frontiers 2003 (Darlinghurst,
Australia, Australia), Australian Computer Society, Inc., 2003, pp. 49{58.

[143] J. Lockwood, D. Moscola, J. Reddick, M. Kulig, and T. Brooks, Application
of hardware accelerated extensible network nodes for Internet worm and virus
protection, Active Networks, Lecture Notes in Computer Science, Springer
(2004), 44{57.

[144] H. Lucas, Information Systems Concepts for Management, 2nd, international
students edition ed., McGraw-Hill, 1984.

[145] V. Luoma, Computer forensics and electronic discovery: The new management
challenge, Computers & Security 25 (2006), 91{96.

[146] K. Lyytinen, Empirical research in Information Systems: On the relevance of
practice in thinkingof is research, MIS Quarterly 23 (1999)), no. 1, 25{28.

[147] J. Mahoney and J. Pandian, The resource-based view within the conversation
of strategic management, Strategic Management Journal 13 (1992), 363{380.

[148] L. May and T. Lane, A model for improving e-security in Australian univer-
sities, Journal of Theoretical and Applied Electronic Commerce Research 1
(2006), no. 2, 90{96.

[149] C. Mayers, Access infrastructure|Perimeter Security rethought, Information
Security Bulletin 9 (2004), 371{378.

[150] J. McCumber, Assessing and Managing Security Risk in IT Systems, Auer-
bach Publications, 2005.

[151] P. McDaniel and A. Rubin, Web security (editorial), Computer Networks 48
(2005), no. 5, 697{699.

[152] J. McLean, Security models and information °ow, Research in Security and
Privacy. IEEE, 1990.

[153] N. Mead and T. Stehney, Security Quality Requirements Engineering
(SQUARE) methodology, SESS '05: Proceedings of the 2005 workshop on Soft-
ware engineering for secure systems-building trustworthy applications (New
York, NY, USA), ACM Press, 2005, pp. 1{7.

[154] N. Melville, K. Kraemer, and V. Gurbaxani, Information technology and
organisational performance: An integrative model of it business value, MIS
Quarterly 28 (2004)), no. 2.

[155] N. Memon and P. Wong, Protecting digital media content, Communications
of the ACM 41 (1998), no. 7, 35{43.

[156] S. Mercado, R. Welford, and K. Prescot, European Business, 4th ed., Prentice
Hall, Financial Times, 2001.

[157] M. Mitchell, Complex systems: Network thinking, Arti¯cial Intelligence. Spe-
cial Review Issue 170 (2006), 1194{1212.

[158] J. Mo®ett, C. Halley, and B. Nuseibeh, Core security requirements artefacts,
ISSN 1744-1986 2004/23, Departmenet of Computing, Faculty of Mathematics
and Computing, The Open University, Walton Hall, Milton Keynes, MK7
6AA, UK, 2004.

[159] A. Moser, C. Kruegel, and E. Kirda, Exploring multiple execution paths for
malware analysis, IEEE Symposium on IEEE Symposium on Security and
Privacy (SP '07) (2007), 231{245.

[160] H. Mouratidis, Secure Information Systems engineering: A manifesto, Inter-
national Journal on Electronic Security and DIgital Forensics 1 (2007), no. 1,
27{41.

[161] H. Mouratidis, P. Giorgini, and G. Manson, Integrating security and systems
engineering: Towards the modelling of secure Information Systems, CAiSE,
LNCS 2681, 2003, pp. 63{78.

[162] T. Mowbray and R. Zahavi, The essential CORBA: System integration using
distributed objects, John Wiley and Object Management Group., 1995.

[163] M. zur Muehlen and M. Rosemann, Multi-paradigm process management, Pro-
ceedings of CAiSE'04 Workshops - 5th Workshop on Business Process Mod-
eling, Development and Support (BPMDS 2004) (Riga, Latvia), 2004.

[164] M. Myers, Qualitative research in Information Systems, MIS Quarterly 21
(1997 (updated 2002)), no. 2, 241{242.

[165] , Investigating Information Systems with ethnographic research, Com-
munications of the Association for Information Systems 2 (1999).

[166] F. Nabi, Secure business application logic for e-commerce systems, Computers
& Security 24 (2005), no. 3, 208{217.

[167] A. Narayanan and V. Shmatikov, How to break anonymity of the Net°ix
prize dataset, The University of Texas at Austin (2007), can be found at
http://www.cs.utexas.edu/~shmat/shmat net°ix-prelim.pdf.

[168] NCSL, National Conference of State Legislatures
can be found at http://www.ncsl.org/programs/lis/cip/cyberterrorism.htm.

[169] S. New, Supply chains: Construction and legitimation, Understanding Supply
Chains (S. New and R. Westbrook, eds.), Oxford University Press, 2004.

[170] E. Ngai and F. Wat, A literature review and classi¯cation of electronic com-
merce research, Information & Management 39 (2002), 415{429.

[171] NSTISSI, No. 4009, Tech. report, National Information Systems Security (IN-
FOSEC) Glossary, 1999.

[172] J. O'Connor and I. McDermot, The Art of Systems Thinking| essential skills
for creativity and problem solving, Thorsons, 1997.

[173] W. Orlikowski, The duality of technology: Rethinking the concept of technology
in organisations, Organisation Science 3 (1992), no. 3, 398{427, Focused Issue:
Management of Technology.

[174] W. Orlikowski and J. Baroudi, Studying information technology in organiza-
tions: Research approaches and assumptions, Information Systems Research
2 (1991), 1{28.

[175] M. Osborne, How to cheat at Managing Information Security, Syngress Pub-
lishing, Inc., 2006.

[176] A. Osterwalder and Y. Pigneur, An e-business model ontology for modeling e-
business, 15th Bled Electronic Commerce Conference e-Reality: Constructing
the e-Economy, June 2002, pp. 73{86.
