Security Engineering Methodology Based on Problem Solving Theory

  • Sangkyun Kim
  • Hong Joo Lee
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3983)


This paper addresses the difficult problems that organizations face in business environments when they try to solve information security issues by suggesting an integrated methodology for security engineering. The contributions of this paper are summarized as follows. The first is a statement of the requirements for a security engineering methodology, derived from the model of ill-structured problem solving. The second is a framework that integrates various methods and tools of security engineering. The third is a process model, with its components, that supports the entire lifecycle of security management.


Keywords: Information Security, Security Control, Security Engineering, Security Investment, Enterprise Information System





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Sangkyun Kim (1)
  • Hong Joo Lee (2)
  1. Yonsei University, Seoul, Korea
  2. Dankook University, Seoul, Korea
