Abstract: This teaching case introduces students to a relatively simple approach to identifying and documenting security requirements within conceptual models that are commonly taught in systems analysis and design courses. An introduction to information security is provided, followed by a classroom example of a fictitious company, Fun & Fitness, in the process of updating its e-Commerce site for class registrations. The case illustrates how UML class diagrams can be used for information classification, data input validation, and regulatory compliance considerations; how a UML use case diagram can be transformed into a “misuse case” diagram to identify threats and countermeasures to functional use cases; and how a data flow diagram may be used to analyze and document threats and countermeasures to data stores, data flows, processes, and external entities using the STRIDE approach developed by Microsoft. The case is geared toward a systems analyst who does not have former training in IS security, and is suitable for upper-division undergraduate and graduate courses.

Keywords: Information assurance & security, Requirements analysis & specification, Business modeling, Modeling, Systems analysis & design, Unified modeling language (UML)

Download this article: JISE - Volume 24 Number 1, Page 17.pdf

Recommended Citation: Spears, J. L. & Parrish, J. L., Jr. (2013). IS Security Requirements Identification from Conceptual Models in Systems Analysis and Design: The Fun & Fitness, Inc., Case. Journal of Information Systems Education, 24(1), 17-30.