Embedding security practices in contemporary
information systems development approaches
T. Tryfonas
Department of Informatics, Athens University of Economics and Business,
Athens, Greece
E. Kiountouzis
Department of Informatics, Athens University of Economics and Business,
Athens, Greece
A. Poulymenakou
Department of Informatics, Athens University of Economics and Business,
Athens, Greece
Introduction
As our society progresses based on
advancing technology, important aspects
emerge concerning the use of the
technological infrastructure and information
technology (IT) and especially the
importance of information security, the
privacy of the individual etc. which
characterise the potential of the information
era. Throughout related references we find as
a key concept the term information security;
but in the context of an information system
(IS), combining people, information,
software, hardware and procedures,
information security alone cannot ensure the
security of the entire system. ISsecurity is
indeed a broader term, containing the set of
principles, regulations, methodologies,
techniques and tools we establish to protect
an IS, or any of its parts, from potential
threats.
Recent surveys indicate the need of the
global market for secure systems but note
that there are not many out there that have
understood how to achieve it. In a worldwide
survey, Duncan (1995) reports that 40 percent
of the sample either does not have a security
plan at all and there are no concerns about it,
or there is a plan for it in the future, because
at that time it was not considered of high
priority. Most of them, though, begin to
realise the importance of information
security for the contemporary business
world; many problems that concern business
life have emerged related to information and
infrastructure security, like the hacking of
the DVD encoding scheme, or personal
privacy, as in the case of RealNetworks that
distributed a special free software that could
monitor an individual's listening habits
(Hancock, 1999). In the same reference is
stated that ISmanagers are under more
stress than ever about security. Henderson
and Snyder (1999) sustain the same point in
an essay that indicates the emerging
importance of privacy and its implications to
ISmanagers and their duties. Most of the
researchers agree that many of the security-
related problems of ISs reside on the fact that
their development practices could not foresee
them and, furthermore, resolve them.
Existent methodologies for ISdevelopment
do not meet the needs for resolving the
security-related ISproblems, as most of them
neither include specialised handling of the
security requirements nor can create a
control environment early in the
development process, i.e. a set of procedures
and technical measures with which an IScan
be secured against potential risks. In
addition there are not many adequate studies
for the application and use of existing
techniques and tools that could contribute to
the formal and convenient integration of the
security requirements within the IS
development requirements (Hitchings, 1995).
Moreover, there is in fact a twofold change
in the field of ISdevelopment practices.
Development of (successful or unsuccessful)
systems could be achieved by a combination
of conventional approaches or by entirely
innovative techniques. Changes have been
introduced to development scenarios (who is
carrying out the development and how) and
to development practices as well, e.g.
modular, component-based system
implementation rather that from-scratch
monolithic systems construction.
Wood and Snow (1995) note that the market
trend for quality certification through
compliance with ISO 9000 series, or other
The research register for this journal is available at
http://www.mcbup.com/research_registers
The current issue and full text archive of this journal is available at
http://www.emerald-library.com/ft
[ 183 ]
Information Management &
Computer Security
9/4 [
2001
] 183±197
# MCB University Press
[
ISSN 0968-5227
]
Keywords
Information systems,
Development, Security
Abstract
As information and communication
technologies become a critical
component of firms' infrastructures
and information establishes itself
as a key business resource as well
as driver, people start to realise that
there is more than the functionality
of the new information systems that
is significant. Business or
organisational transactions over
new media require stability, one
factor of which is information
security. Information systems
development practices have
changed in line with the evolution of
technology offerings as well as the
nature of systems developed.
Nevertheless, as this paper
establishes, most contemporary
development practices do not
accommodate sufficiently security
concerns. Beyond the literature
evidence, reports on empirical
study results indicating that
practitioners deal with security
issues byapplyingconventionalrisk
analysis practices after the system
is developed. Addresses the lack of
a defined discipline for security
concerns integration in systems
development by using field study
results recording development
practices that are currently in use to
illustrate their deficiencies, to point
to required enhancements of
practice and to propose a list of
desired features that contemporary
development practices should
incorporate to address security
concerns.
This work has been
supported in part by the
Ministry of Development,
Hellenic Secretariat for
Research and Development,
through programme
YPER97.