Strategies for Developing Policies and Requirements for Secure and Private Electronic Commerce

  • Annie I. Antón
  • Julia B. Earp
Part of the Advances in Information Security book series (ADIS, volume 2)


While the Internet is dramatically changing the way business is conducted, security and privacy issues are of deeper concern than ever before. A primary fault in evolutionary electronic commerce systems is the failure to adequately address security and privacy issues; therefore, security and privacy policies are either developed as an afterthought to the system or not at all. One reason for this failure is the difficulty in applying traditional software requirements engineering techniques to systems in which policy is continually changing due to the need to respond to the rapid introduction of new technologies which compromise those policies. Security and privacy should be major concerns from the onset, but practitioners need new systematic mechanisms for determining and assessing security and privacy. To provide this support, we employ scenario management and goal-driven analysis strategies to facilitate the design and evolution of electronic commerce systems. Risk and impact assessment is critical for ensuring that system requirements are aligned with an enterprise's security policy and privacy policy. Consequently, we tailor our goal-based approach by including a compliance activity to ensure that all policies are reflected in the actual system requirements. Our integrated strategy thus focuses on the initial specification of security policy and privacy policy and their operationalization into system requirements. The ultimate goal of our work is to demonstrate viable solutions for supporting the early stages of the software lifecycle, specifically addressing the need for novel approaches to ensure security and privacy requirements coverage.


Requirements engineering Internet security and privacy policies electronic commerce 





Copyright information

© Springer Science+Business Media New York 2001

Authors and Affiliations

  • Annie I. Antón (1)
  • Julia B. Earp (2)

  1. Dept. of Computer Science, College of Engineering, North Carolina State University, Raleigh, USA
  2. Dept. of Business Management, College of Management, North Carolina State University, Raleigh, USA
