An Experience Report of Eliciting Security Requirements from Business Processes

Väikesed ja keskmise suurusega ettevõtted näevad vaeva, et leida strateegiaid saavutamaks kõrgetasemelist infoturvet. Tihti ei ole need ettevõtted teadlikud infotehnoloogiaga seonduvatest riskidest. Lisaks suurendab haavatavuse riski finants- ja IT osakondade vähesus, kellel ei ole oma teabeturbe ametnikku. Äriprotsesside juhtimise ning joondamine, mis omakorda avaldub turvalisuse vajaduste esiletoomises kasutades äriprotsessidepõhist lähenemist, pakub sellele sektoripõhisele teemale oma lahenduse, võimaldades juurutada turvalisuse riskidele orienteeritud mudeleid ka ärianalüütikute jaoks. Kontekstuaalsetel valdkondadel põhinevad mustrid illustreerivad ettevõttevarasid, haavatavust ja riskikohtlemist turvanõuete kujul. See saavutatakse kasutades äriprotsesside mudelit, Notation 2.0 modelleerimiskeelt ning spetsiaalselt projekteeritud lahendusi, mis lisanduvad IT turvalisuse valdkondkonnale. Selle tulemuseks on kohaldatav lahendus, mis kutsub esile turvanõuded. Selle uurimuse keskmes on mustrite rakendumine, mõõtmaks nende sooritust saksa SME-s. Ärivahendite ja ohutusalaste eesmärkide määramise järel identifitseeriti mitmed mustri esinemised, mis kulmineerusid mitmete ohutusnõuete määramisega. Rakendamise oskuste ja kasutatavusega seoses ettevõttega, tõi esile väga selge mustrite esinemise. Lisaks arendati eelnevaga seoses uus muster kasutades informatsioonisüsteemi turvariski juhtimise domeeni (Information System Security Risk Management Domain) mudelit. Lõpetuseks soovitab autor käesolevas uurimuses prioritiseerimise ja inspektsiooni meetodite kaasamist ohutuskvaliteedi nõuete tehnika metoodikast ning organisatsioonilise koosseisu teoreemi laiendust, mis omakorda võimaldab SREBP-i täiendavat automatiseerimist. Need muudatused toovad kaasa käsitluse, mille alusel suureneb väikese ja keskmise suurusega ettevõtete turvalisus. Märksõnad: väiksed ja keskmise suurusega ettevõtted, äriprotsesside juhtimine, ohutusnõuete esilekutsumine äriprotsesside baasil, ohutusriskialased mustrid, ohutusnõuded, mustri esinemised, informatsioonisüsteemi turvariski juhtimise domeeni mudel.Small and Medium Sized Enterprises struggle to find strategies to achieve a high level of information security or are unaware of the risks posed by information technology. A lack of finance and IT departments that miss an information security officer increase the risk of exploited vulnerabilities. The alignment of Business Process Management and Security engineering manifested in the Security Requirements Elicitation using Business Processes approach provides a solution of this sector wide issue by introducing Security Risk-oriented Patterns applicable also for Business analysts. Patterns that are based on contextual areas illustrate business assets, vulnerabilities and risk treatment in form of security requirements. This is achieved by using the Business Process Model and Notation 2.0 modeling language and specifically engineered extensions which add the IT security domain. Outcome of this bridging is an applicable solution to elicit security requirements. Core of this thesis is the pattern application to measure their performance in a German SME. After business assets and security objectives were set, several pattern occurrences have been identified that resulted in a number of security requirements. Implementation abilities and usefulness with regards to the company underlined strong pattern performance. Moreover, a new pattern has been developed by using the Information System Security Risk Management Domain Model. Finally, the inclusion of prioritization and inspection techniques from the Security Quality Requirements Engineering methodology is suggested and extensions from the theorem of organizational configurations that enable further automation of SREBP. These modifications result in an approach that increases the security of Small and Medium Sized Enterprises. Keywords: Small and Medium Sized Enterprises; Business Process Management; Security Requirements Elicitation using Business Processes; Security Risk-oriented Patterns; security requirements; pattern occurrences; Information System Security Risk Management Domain Mode

Knowledge management: Using a knowledge requirements framework to enhance UK health sector supply chains

The gaps of mismatch both knowledge and understanding of beneficiaries and solution providers at the initial stage of developing projects have led to the failures of many projects including supply chains (SC) and related information technology systems (ITS) projects (Lyytinen and Hirschheim, 1987) . The aims of this paper are first, to address theoretical framework by bridging the gaps of different types of knowledge. Second, to establishing business requirements and the flow of information in supply chains between beneficiaries and solution providers in the long and complicated supply chains of the UK’s Health Sector. On the basis of brief introduction to knowledge, knowledge management and supply chain, the paper presents a practical framework that has been developed through critical and relevant literatures in the above three subject areas. Techniques and Tools stem from both management science and information systems were used to provide a possible solution for the problem in bridging the gaps of mismatch knowledge and understanding at the initial stage of identifying requirements in projects through knowledge sharing and transfer

Industry-driven innovative system development for the construction industry: The DIVERCITY project

Collaborative working has become possible using the innovative integrated systems in construction as many activities are performed globally with stakeholders situated in various locations. The Integrated VR based information systems can bind the fragmentation and provide communication and collaboration between the distributed stakeholders n various locations. The development of these technologies is vital for the uptake of these systems by the construction industry. This paper starts by emphasising the importance of construction IT research and reviews some future research directions in this area. In particular, the paper explores how virtual prototyping can improve the productivity and effectiveness of construction projects, and presents DIVERCITY, which is th as a case study of the research in virtual prototyping. Besides, the paper explores the requirements engineering of the DIVERCITY project. DIVERCITY has large and evolving requirements, which considered the perspectives of multiple stakeholders, such as clients, architects and contractors. However, practitioners are often unsure of the detail of how virtual environments would support the construction process, and how to overcome some barriers to the introduction of new technologies. This complicates the requirements engineering process

Exact Requirements Engineering for Developing Business Process Models

Process modeling is a suitable tool for improving the business processes. Successful process modeling strongly depends on correct requirements engineering. In this paper, we proposed a combination approach for requirements elicitation for developing business models. To do this, BORE (Business-Oriented Requirements Engineering) method is utilized as the base of our work and it is enriched by the important features of the BDD (Business-driven development) method, in order to make the proposed approach appropriate for modeling the more complex processes. As the main result, our method eventuates in exact requirements elicitation that adapts the customers' needs. Also, it let us avoid any rework in the modeling of process. In this paper, we conduct a case study for the paper submission and publication system of a journal. The results of this study not only give a good experience of real world application of proposed approach on a web-based system, also it approves the proficiency of this approach for modeling the complex systems with many sub-processes and complicated relationships.Comment: (IEEE) 3th International Conference on Web Researc

Alternative project delivery in rural Alaska: experiences, quality and claims

Master's Project (M.S.) University of Alaska Fairbanks, 2015The popularity of alternative project delivery systems has expanded beyond the private sector and into the public sector. Alaska embodies unique challenges that may present obstacles while using alternative project delivery systems. This analysis will provide an understanding of alternative project delivery systems in Alaska and how local experiences, quality and claims are affected. Alaska's unique characteristics present both challenges and opportunities for implementing alternative project delivery systems. This report begins with a discussion of experiences from several rural Alaska projects, and how alternative project delivery systems can be utilized. Some impacts that alternative project delivery systems have on quality are then presented, including a perspective on quality and recommendations for achieving customer satisfaction. A treatment of construction claims is then provided, followed by conclusions and recommendations for stakeholders in selecting an appropriate project delivery system. Alternative project delivery systems were researched by means of scholarly literature reviews, professional interviews and seminars. The report of these findings is intended to provide owners and contractors with a concise presentation of the challenges and advantages for using alternative project delivery systems in Alaska

A requirements engineering framework for integrated systems development for the construction industry

Computer Integrated Construction (CIC) systems are computer environments through which collaborative working can be undertaken. Although many CIC systems have been developed to demonstrate the communication and collaboration within the construction projects, the uptake of CICs by the industry is still inadequate. This is mainly due to the fact that research methodologies of the CIC development projects are incomplete to bridge the technology transfer gap. Therefore, defining comprehensive methodologies for the development of these systems and their effective implementation on real construction projects is vital. Requirements Engineering (RE) can contribute to the effective uptake of these systems because it drives the systems development for the targeted audience. This paper proposes a requirements engineering approach for industry driven CIC systems development. While some CIC systems are investigated to build a broad and deep contextual knowledge in the area, the EU funded research project, DIVERCITY (Distributed Virtual Workspace for Enhancing Communication within the Construction Industry), is analysed as the main case study project because its requirements engineering approach has the potential to determine a framework for the adaptation of requirements engineering in order to contribute towards the uptake of CIC systems