Expert System for Business Decisions on Security Requirements


Abstract. Information systems are frequently built with inadequate requirements for security and performance, which often results in unjustified business risks or losses. This paper proposes a novel expert system application for modeling high-level business requirements for information security and their implications for the development of the system, e.g. cost, maintainability, etc. By using such a system, decision makers, especially at the early stages of development, could better understand trade-offs between development costs, security requirements, and business risks, thus enabling more informed and conscious decisions on major security requirements.

Keywords: Information Security, Security Requirements, Expert System, Business Risk.

Software engineering is a process that depends on decisions made by stakeholders [1]. Business representatives [2] have to decide on trade-offs between the benefits provided by information systems, the business risks they create, and the implementation and operational costs of these systems. Conventional requirements engineering methodologies do not provide a good framework for defining security requirements [3]. Methodologies and standards that focus on security requirements (e.g. Common Criteria) require a significant level of competence to be used effectively; such standards are therefore used to their full extent only in the most demanding and sensitive cases.

To improve the effectiveness of the security requirements engineering process and ultimately decrease the related business risks, this paper proposes developing an expert system (SRExpert) for modeling information security requirements at the early stages of information system development. The system takes input in the form of business criteria and, based on internal rules, proposes alternatives for security requirements and evaluates the results according to the criteria. Such a system would give business representatives immediate feedback on the effect of various criteria, e.g. the impact on cost of raising the security level. Reasonable baseline requirements can be ensured even when a security professional has not been involved. Overall, this will decrease the risk of building information systems whose technical architecture is inherently insufficient from an information security standpoint. A possible need for changes in information security policies and procedures (not only technology-related ones) following implementation of the information system may also be indicated.

R. Meersman, Z. Tari, P. Herrero et al. (Eds.): OTM 2007 Ws, Part I, LNCS 4805, pp. 46–47, 2007. © Springer-Verlag Berlin Heidelberg 2007


The system should accept input from the user in the form of evaluation criteria. The user should be able to enter specific values, a possible range of values, or optimization criteria, e.g. the minimum or maximum possible value. Sample evaluation criteria: confidentiality level, integrity level, overall security level, availability level, number of concurrent sessions, response time, implementation
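
The criteria-driven evaluation described above, sketched as an added example (not SRExpert's code or the authors' rules): the rule base, the three-level scale, the cost units and the latency figures are all constructed for illustration. Criteria are given as a specific value, an inclusive range, or "min"/"max", the three input forms the text names.

```python
from itertools import product

# Constructed rule base (illustrative only): (dimension, level) -> (control, cost units, added ms).
# Choosing a level implies every control at or below that level.
RULES = {
    ("confidentiality", 1): ("password authentication", 5, 2),
    ("confidentiality", 2): ("TLS and role-based access control", 15, 10),
    ("confidentiality", 3): ("multi-factor authentication and encryption at rest", 40, 25),
    ("availability", 1): ("nightly backups", 5, 0),
    ("availability", 2): ("warm standby server", 30, 5),
    ("availability", 3): ("active-active cluster", 80, 10),
}
BASE_RESPONSE_MS = 100  # assumed response time before any control is added

def alternatives():
    """Apply the rules to every level combination, yielding one candidate each."""
    for conf, avail in product((1, 2, 3), repeat=2):
        chosen = [RULES[(dim, lvl)]
                  for dim, top in (("confidentiality", conf), ("availability", avail))
                  for lvl in range(1, top + 1)]
        yield {
            "confidentiality": conf, "availability": avail,
            "cost": sum(c for _, c, _ in chosen),
            "response_ms": BASE_RESPONSE_MS + sum(ms for _, _, ms in chosen),
            "controls": [name for name, _, _ in chosen],
        }

def satisfies(alt, criteria):
    """Check the hard criteria: a specific value or an inclusive (low, high) range."""
    for key, want in criteria.items():
        if isinstance(want, tuple):
            if not want[0] <= alt[key] <= want[1]:
                return False
        elif want not in ("min", "max") and alt[key] != want:
            return False
    return True

def evaluate(criteria):
    """Return feasible alternatives, best first by the 'min'/'max' criteria in order."""
    feasible = [a for a in alternatives() if satisfies(a, criteria)]
    goals = [(k, 1 if v == "min" else -1) for k, v in criteria.items() if v in ("min", "max")]
    return sorted(feasible, key=lambda a: [sign * a[k] for k, sign in goals])

def cost_of_raising(dimension, fixed):
    """Cheapest feasible cost at each level of one dimension; None where nothing fits."""
    ranked = {lvl: evaluate({**fixed, dimension: lvl, "cost": "min"}) for lvl in (1, 2, 3)}
    return {lvl: (r[0]["cost"] if r else None) for lvl, r in ranked.items()}
```

`cost_of_raising` gives the feedback the paper describes for a business representative: the cost of each step up in security level, and a `None` where a level cannot be met within the other criteria (here, a response-time limit).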