Secure Information Systems Engineering: Experiences and Lessons Learned from Two Health Care Projects

  • Haralambos Mouratidis
  • Ali Sunyaev
  • Jan Jurjens
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5565)


In CAiSE 2006, we had presented a framework to support development of secure information systems. The framework was based on the integration of two security-aware approaches, the Secure Tropos methodology, which provides an approach for security requirements elicitation, and the UMLsec approach, which allows one to include the security requirements into design models and offers tools for security analysis. In this paper we reflect on the usage of this framework and we report our experiences of applying it to two different industrial case studies from the health care domain. However, due to lack of space we only describe in this paper one of the case studies. Our findings demonstrate that the support of the framework for the consideration of security issues from the early stages and throughout the development process can result in a substantial improvement in the security of the analysed systems.


Unify Modelling Language Security Requirement Sequence Diagram Goal Model Virtual Private Network 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Alam, M., Hafner, M., Breu, R.: Constraint based role based access control in the SECTET-framework A model-driven approach. Journal of Computer Security 16(2), 223–260 (2008)CrossRefGoogle Scholar
  2. 2.
    Basin, D., Doser, J., Lodderstedt, T.: Model Driven Security for Process Oriented Systems. In: Proceedings of the 8th ACM symposium on Access Control Models and Technologies, Como, Italy (2003)Google Scholar
  3. 3.
    Bresciani, P., Giorgini, P., Giunchiglia, F., Mylopoulos, J., Perini, A.: TROPOS: An Agent Oriented Software Development Methodology. Journal of Autonomous Agents and Multi-Agent Systems 8(3), 203–236 (2004)CrossRefzbMATHGoogle Scholar
  4. 4.
  5. 5.
    Devanbu, P., Stubblebine, S.: Software Engineering for Security: a Roadmap. In: Proceedings of ICSE 2000 (track on The future of Software engineering) (2000)Google Scholar
  6. 6.
    Hermann, G., Pernul, G.: Viewing business-process security from different perspectives. International Journal of electronic Commence 3, 89–103 (1999)CrossRefGoogle Scholar
  7. 7.
    Jennings, N.R.: An agent-based approach for building complex software systems. Communications of the ACM 44(4) (April 2001) Google Scholar
  8. 8.
    Jürjens, J.: Secure Systems Development with UML. Springer, Heidelberg (2004)zbMATHGoogle Scholar
  9. 9.
    Jürjens, J., Shabalin, P.: Tools for Secure Systems Development with UML. In: FASE 2004/05 special issue of the International Journal on Software Tools for Technology Transfer. Springer, Heidelberg (2007)Google Scholar
  10. 10.
    McDermott, J., Fox, C.: Using Abuse Case Models for Security Requirements Analysis. In: Proceedings of the 15th Annual Computer Security Applications Conference (December 1999)Google Scholar
  11. 11.
    Mouratidis, H., Giorgini, P., Manson, G.: Modelling Secure Multiagent Systems. In: The Proceedings of the 2nd International Joint Conference on Autonomous Agents and Multiagent Systems, Melbourne, Australia, pp. 859–866. ACM, New York (2003)CrossRefGoogle Scholar
  12. 12.
    Mouratidis, H., Philp, I., Manson, G.: A Novel Agent-Based System to Support the Single Assessment Process of Older People. Journal of Health Informatics 9(3), 149–162 (2003)CrossRefGoogle Scholar
  13. 13.
    Mouratidis, H., Giorgini, P.: Integrating Security and Software Engineering: Advances and Future Visions. Idea Group Publishing (2006)Google Scholar
  14. 14.
    Mouratidis, H., Jürjens, J., Fox, J.: Towards a Comprehensive Framework for Secure Systems Development. In: Dubois, E., Pohl, K. (eds.) CAiSE 2006. LNCS, vol. 4001, pp. 48–62. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  15. 15.
    Muhanna, W.: An Object-Oriented Framework for Model Management and DSS Development. Decision Support Systems 9(2), 217–229 (1993)CrossRefGoogle Scholar
  16. 16.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requir. Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar
  17. 17.
    Sunyaev, A.: Telematik im Gesundheitswesen - Sicherheitsaspekte,tech. rep., TU Munich (2006)Google Scholar
  18. 18.
    Wooldridge, M., Ciancarini, P.: Agent-Oriented Software Engineering: The State of the Art. In: Ciancarini, P., Wooldridge, M. (eds.) AOSE 2000. LNCS, vol. 1957, pp. 1–28. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  19. 19.
    Yu, E.: Modelling Strategic Relationships for Process Reengineering, Ph.D. Thesis. Dept. of Computer Science, University of Toronto (1995)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Haralambos Mouratidis
    • 1
  • Ali Sunyaev
    • 2
  • Jan Jurjens
    • 3
  1. 1.School of Computing and TechnologyUniversity of East LondonEngland
  2. 2.Institut fur InformatikTechnische Universitat MunchenGermany
  3. 3.Computing DepartmentThe Open UniversityGreat Britain

Personalised recommendations