Thursday, 16 December 2010

Annotated Bib.: An Empirical Evaluation of Information Security Awareness Levels in Designing Secure Business Processes



[1] F. D’Aubeterre, L. S. Iyer, and R. Singh. An empirical evaluation of information security awareness levels in designing secure business processes. In V. Vaishnavi and S. Purao, editors, DESRIST. ACM, 2009.


This paper demonstrates that "Secure Activity Resource Coordination (SARC)" is the best way to make process analysts and designers aware of the security requirements in processes. SARC itself is not explained in this paper; an earlier paper explains SARC in detail. This paper focuses only on proving that SARC is the best way to increase the awareness level of security requirements in a process. To show how good SARC is, the paper bases its comparison on a method called Situational Awareness (SA), which places awareness on 3 levels: awareness of existence, comprehension, and prediction. SA was used as the measuring criterion to compare SARC to "Enriched-Use Case and UML-Active diagrams".
So the study set out to prove whether SARC can increase analysts' and designers' awareness of security requirements at these 3 levels. The study was performed on different groups of students, and the results showed that SARC made the students more aware of the security requirements in the processes than the "Enriched-Use Case and UML-Active diagrams" did.
The paper concludes that considering security requirements from the beginning and treating them as functional requirements will increase the analyst's awareness of them, and that using SARC is the best way to do so.

If this paper is related to the research at hand in any way, it is in showing the importance of considering security requirements early, from the data collection phase. It might also be related in that SARC is worth looking at as a method, and it might be a good method to follow in integrating other security requirements, such as trust, since it is proven to be a good way to increase the awareness of security requirements.
