Security Engineering Methodology for Developing Secure Enterprise Information Systems: An Overview

Conference paper
Part of the Lecture Notes in Electrical Engineering book series (LNEE, volume 181)


The software engineering discipline has provided principles, methodologies, and tools for the development of information systems. Software engineering have also become a fundamental component to produce information systems and related software components which are cheaper, better and faster. Recently, many forms of security attacks against information systems have emerged that attempt to compromise the security of information systems and organizations. However, traditional software engineering is not adequate and effective for developing secure information systems. In this paper, we propose holistic, consistent, and integrated security engineering procedures for analyzing, designing, developing, testing, and maintaining secure enterprise information systems. The proposed security engineering methodology combines security risk control, enterprise security architecture, and security management as an integrated framework.


security engineering enterprise security architecture secure information system security risk analysis security management 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Cheng, J.C., Goto, Y., Horie, D., Kasahara, T., Iqbal, A.: Development of ISEE: An Information Security Engineering Environment. In: Proc. of IEEE International Symposium on Parallel and Distributed Processing with Applications, pp. 505–510 (2009)Google Scholar
  2. 2.
    Mead, N.R., Hough, E.D.: Security Requirements Engineering for Software Systems: Case Studies in Support of Software Engineering Education. In: Proc. of the 19th Conference on Software Engineering Educations & Training, CSEET 2006 (2006)Google Scholar
  3. 3.
    Pavlovic, D.: The Unreasonable Ineffectiveness of Security Engineering: An Overview. In: Proc. of 2010 Software Engineering and Formal Methods, pp. 12–18 (2010)Google Scholar
  4. 4.
    Kim, Y.-G., Cha, S.: Threat Scenario-based Security Risk Analysis using Use Case Modeling in Information Systems. Security and Communication Networks 5(3), 293–300 (2012)CrossRefGoogle Scholar
  5. 5.
    Stevens, J.L.B.: Systems Security Engineering. IEEE Security & Privacy, 72–74 (2011)Google Scholar
  6. 6.
    Evans, S., Heinbuch, D., Kyle, E., Piorkowski, J., Wallner, J.: Risk-Based Systems Security Engineering: Stopping Attacks with Intention. IEEE Security & Privacy (2004)Google Scholar
  7. 7.
    Wang, H., Jia, Z., Shen, Z.: Research on Security Requirements Engineering Process. In: Proc. of 16th International Conference on Industrial Engineering and Engineering Management (IE&EM 2009), Jiaozuo, China, pp. 1285–1288 (2009)Google Scholar
  8. 8.
    Anderson, R.: Security Engineering – A Guide to Building Dependable Distributed Systems, 2nd edn. Wiley Publishing, Inc. (2008)Google Scholar
  9. 9.
    International Organization for Standardization (ISO), Information Technology-Systems Security Engineering-Capability maturity Model (SSE-CMM), ISO/IEC 21827 (2008)Google Scholar
  10. 10.
    Carnegie Mellon University (CMU),
  11. 11.
    International Organization for Standardization (ISO), Information Technology-Security Techniques-Evaluation Criteria for IT Security – Part 1: Introduction and General Model, ISO/IEC 15408-1 (2008)Google Scholar
  12. 12.
    International Organization for Standardization (ISO), Information Technology-Security Techniques-Evaluation Criteria for IT Security – Part 2: Security Functional Requirements, ISO/IEC 15408-2 (2008)Google Scholar
  13. 13.
    International Organization for Standardization (ISO), Information Technology-Security Techniques-Evaluation Criteria for IT Security – Part 3: Security Assurance Requirements, ISO/IEC 15408-3 (2008)Google Scholar
  14. 14.
    International Organization for Standardization (ISO), Information Technology, Security Technical – Code of Practice for Information Security Managements, ISO/IEC 27002 (2005)Google Scholar
  15. 15.
    Secure Software, The CLASP Application Security Process. Secure Software Inc. (2005)Google Scholar
  16. 16.
  17. 17.
    Nunes, F.J.B., Belchior, A.D., Albuquerque, A.B.: Security Engineering Approach to Support Software Security. In: Proc. of 2010 IEEE 5th World Congress on Services, pp. 48–55 (2010)Google Scholar
  18. 18.
    Alberts, C., Dorofee, A.: Octave- The Operationally Critical Threat, Asset, and Vulnerability Evaluation, Canegie Mellon University – Software Engineering InstituteGoogle Scholar
  19. 19.
    Alberts, C., Dorofee, A.: Managing Information Security Risks: The OCTAVE Approach. Addison-Wesley Professional (2003)Google Scholar
  20. 20.
    Cheng, J., Goto, Y., Morimoto, S., Horie, D.: A Security Engineering Environment Based on ISO/IEC Standards: Providing Standard, Formal, and Consistent Supports for Design, Development, Operation, and Maintenance of Secure Information Systems. In: Proc. of 2008 International Conference on Information Security and Assurance, pp. 350–354 (2008)Google Scholar
  21. 21.
    Horie, D., Goto, Y., Cheng, J.: Development of ISEE: An Information Security Engineering Environment. In: Proc. of 2009 Second International Symposium on Electronic Commerce and Security, pp. 338–342 (2009)Google Scholar
  22. 22.
    Mead, N.R., Hough, E.D., Stehney II, T.R.: Security Quality Requirements (SQUARE) Methodology., Technical Report (CMU/SEI-2005-TR-009), Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA (2005)Google Scholar
  23. 23.
    Mead, N.R., Stehney II, T.R.: Security Quality Requirements Engineering (SQUARE) Methodology. In: Proc. of Software Engineering for Secure Systems (SESS 2005), St. Louis, MO (2005)Google Scholar
  24. 24.
    Jurjens, J.: Sound Methods and Effective Tools for Model-based Security Engineering with UML. In: Proc. of the 27th International Conference on Software Engineering, ICSE 2005, pp. 322–331 (2005)Google Scholar
  25. 25.
    Schmidt, H.: Threat- and Risk-Analysis during Early Security Requirements Engineering. In: Proc. of 2010 International Conference on Availability, Reliability and Security (ARES 2010), pp. 188–195 (2010)Google Scholar
  26. 26.
    Hatebur, D., Heisel, M., Schmidt, H.: A Security Engineering Process based on Patterns. In: Proc. of the International Workshop on Secure Systems Methodologies using Patterns (SPatterns), pp. 734–738 (2007)Google Scholar
  27. 27.
    Sherwood, J., Clark, A., Lynas, D.: Enterprise Security Architecture-A Business-Driven Approach. CMP Books (2005)Google Scholar

Copyright information

© Springer Science+Business Media Dordrecht 2012

Authors and Affiliations

  1. 1.College of Information and CommunicationKorea UniversitySeoulKorea

Personalised recommendations