Information technology (IT) security design and management are a major concern and substantial challenge for IT management. Today’s highly complex business and technological environments and the need to effectively communicate and justify IT security requirements and controls demand methodical support. The modeling method presented in this paper addresses this demand. The method is based on the assumption that enriched enterprise models integrating technological, business, organizational and strategic aspects provide an effective foundation for developing and managing IT security systems and facilitating communication and understanding between stakeholders. The proposed modeling method for designing and managing IT security in organizations accounts for different perspectives and is based on multi-perspective enterprise modeling. The core components of the method, based on analysis of requirements at different levels of abstraction, are: modeling language concepts specifically designed to address security issues, process models that guide the use of the resulting language, and a modeling environment. The method facilitates elaborate representations of the various aspects of IT security at different levels of abstraction and covers the entire lifecycle of IT security systems. It not only supports multi-perspective requirement analysis and design but also enables monitoring and analysis of IT security at runtime. The presented artifact is evaluated with recourse to a research method that enables the configuration of multi-criteria justification procedures.
- Domain-specific modeling language
- Enterprise modeling
- IT security
- Information security modeling
- Multi-perspective security management