[1]
H. Mouratidis, A. Sunyaev, and J. Jürjens. Secure information systems engineering: Experiences and lessons learned from two health care projects. In P. van Eck, J. Gordijn, and R. Wieringa, editors, CAiSE, volume 5565 of Lecture Notes in Computer Science, pages 231–245. Springer, 2009.
This paper uses a framework that was developed and published earlier, in 2006, called the "model based security engineering framework". The paper is not aimed at explaining the framework; rather, it is about applying the framework to two different health care cases and discussing the outputs of the case study.
The paper starts with a brief explanation of the framework, so that readers who have not read the original paper can follow the rest of it, but does not go into details. The framework basically integrates two security-aware approaches, Secure Tropos and UMLsec, and has four stages: Security Analysis of System Environment, Security Analysis of System, Secure System Design, and Secure Components Definition. The paper applied the framework, using these four stages, to two health care examples, but due to space constraints it only explains one of the cases.
The paper explains the case itself and then shows how the framework stages were applied. The next section is about the reflection, or what would be called the results of the study, which is discussed in three subsections: challenges faced during the framework development, lessons learned, and improvements that can be made.
The paper concludes that the framework was helpful and gave nice results for a first real-life application, given how complicated the health care cases are; it also shows that the framework was easy to understand, but might require basic knowledge of security terminology. The paper also reports that a problem was faced in translating from Secure Tropos to UMLsec, but it was solved by changing the guidelines.
In relation to the research in hand, this paper shows that a security-aware framework was successfully used in real-life examples. Although it needed some enhancements and some problems were faced, it also showed that people were able to adapt to such a framework, and that it helped analysts and designers take security requirements into consideration from the beginning all the way to the implementation phase.