Information security research consistently finds a lack of secure information systems (SIS) design theory (Backerville, 1994; Cannoy, Palvia, & Schilhavy, 2006). The lack of design theory research is unfortunate, as security practitioners face growing threats that must be mitigated. Good research in SIS design theory would aid security practitioners designing information systems solutions to mitigate and defend against threats. One SIS design theory that provides a model for practitioners to evaluate information systems designs is provided by Siponen, Baskerville, and Heikka (2006) in the article, “A Design Theory for Secure Information Systems Design Methods” (Siponen, Baskerville, & Heikka, 2006).
Siponen et al. expand an SIS design theory developed by Walls, Wildmeyer, and El Sawy with the addition of an “[elaboration of] the design method into process and notation and the design hypotheses into two areas: (a) validity of the meta-method requirements; (b) the design method fidelity to method meta-design principles” (Siponen et al., 2006; Walls, Widmeyer, & Sawy, 2004). Figure 1 Siponen et al. Modifications of Walls et al. illustrates the model:
Figure 1 Siponen et al. Modification to Walls et al. (Siponen et al., 2006)
Siponen et al. provide a full description of the key stages of the design model. Central to the discussion and the development of the model are six meta-requirements shown in Figure 2 Siponen et al Meta-requirements:
Figure 2 Siponen et al. Meta-requirements (Siponen et al., 2006)
The authors utilize the modified Walls et al. model with the six meta-requirements and the action research methodology to develop a meta-notation that extends uniform markup language (UML) use cases to include security concerns. (Siponen et al., 2006) Overall, the meta-notation provides a means for integrating SIS design theory into existing methodologies. The authors demonstrate the integration of the meta-notation in two cases. (Siponen et al., 2006)
Raytheon Missile Systems utilizes a variety of architectural and software development processes to ensure that information systems meet business requirements, including The Open Group Architectural Framework (TOGAF), Business Process Modeling Notation (BPMN), UML use cases, and the SCRUM agile software development methodology. As a defense contractor, security is a key concern and an aspect of business requirements. The Siponen et al. meta-notation’s UML-based approach means that Raytheon Missile Systems has a straightforward means for including the SIS design theory into current methods. The architectural overview templates used, as part of TOGAF, would need to be expanded to include security sections relevant to the business, logical, and physical components of proposed information systems. By incorporating the Siponen et al. approach into the development of business models and the construction of UML use cases, Raytheon Missile Systems should be able to incorporate SIS design theory into existing information systems design methods without undue strain on or alteration of processes and procedures.
Secure information systems design theory is an area of information security that continues to need additional research. Models such as Siponen et al. provide a theoretical framework for SIS design that organizations and security practitioners can implement and utilize. However, further research and development is needed to continue to meet modern threats.
Backerville, R. (1994). Research directions in information systems security. International Journal of Information Management, 14(5), 385-2.
Cannoy, S., Palvia, P. C., & Schilhavy, R. (2006). A research framework for information systems security. Journal of Information Privacy & Security, 2(2), 3. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1130378811&Fmt=7&clientId=62763&RQT=309&VName=PQD
Siponen, M., Baskerville, R., & Heikka, J. (2006). A design theory for secure information systems design Methods1. Journal of the Association for Information Systems, 7(11), 725. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=1233257051&Fmt=7&clientId=62763&RQT=309&VName=PQD
Walls, J. G., Widmeyer, G. R., & Sawy, O. A. E. (2004). Assessing information system design theory in perspective: How useful was our 1992 initial rendition? JITTA : Journal of Information Technology Theory and Application, 6(2), 43. Retrieved from http://proquest.umi.com.library.capella.edu/pqdweb?did=793970201&Fmt=7&clientId=62763&RQT=309&VName=PQD