frameworks, methodologies or techniques that consistently integrate security with IS development (ISD). Although researchers have long argued that this is the most appropriate way of introducing security in the complex context of an IS (e.g. Baskerville 1993), there seem to be significant barriers to such a task: there are issues that lead practitioners first to implement a system and then to secure it. This can happen because a system's final attributes are not fully known during its development and, prior to its use, its added value might not be completely clear to its stakeholders. Therefore, valuation of its assets might not be feasible (see Figure 1). Most of the researchers who approach this problem propose ways of incorporating security within particular development steps, e.g. requirements collection, data modelling etc. (Siponen 2001). Such approaches, however, are usually proprietary to specific development methodologies, techniques or tools. This can be problematic, as practitioners tend to customise or mix a wide range of ISD methodologies, techniques and tools from the plethora offered today (Fitzgerald 1998). Thus, the existing approaches for embedded IS security restrict the ability of developers to use the development practices they prefer. This is a significant obstacle in the design of a methodological construct to achieve security integration with development. In addition, it is not easy for an implementer or a user to have expert knowledge of the particulars of available security practices/tools in order to choose the most appropriate ones for a system under development. Therefore, there is a need to indicate appropriate security practices and tools per particular organisational context. Through this research we try to produce a framework to assist the security expert (security consultant, risk analyst, auditor, security officer etc.) in the selection of the appropriate security practices and tools, given an organisational context and a case of a system under development.

In this thesis, chapter two introduces theoretical aspects concerning or affecting IS security (such as the stakeholders, aspects of development etc.) and constructs the conceptual framework of this study. In chapter three we present our research approach. Chapter four formulates our reasoning based on analysis of first- and second-hand empirical data. Chapter five extends our reasoning by illustrating our proposed approach through a case study.
All items in the EADD are protected by copyright.