{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,10]],"date-time":"2026-06-10T15:35:31Z","timestamp":1781105731514,"version":"3.54.1"},"reference-count":27,"publisher":"IGI Global Scientific Publishing","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2010,10]]},"abstract":"<jats:p>This article establishes a context for secure information systems development as well as a set of models used to develop and apply a secure software production pedagogy. A generic system model is presented to support the system context development, and to provide a framework for discussing security relationships that exist between and among information systems and their applications. An asset protection model is tailored to provide a conceptual ontology for secure information system topics, and a stable logical framework that is independent of specific organizations, technologies, and their associated changes. This asset protection model provides a unique focus for each of the three primary professional communities associated with the development and operation of secure information systems. In this paper, a secure adaptive response model is discussed to provide an analytical tool to assess risk associated with the development and deployment of secure information systems, and to use as a security metric. A pedagogical model for information assurance curriculum development is then established in the context and terms of the developed secure information system models. The relevance of secure coding techniques to the production of secure systems, architectures, and organizational operations is also discussed.<\/jats:p>","DOI":"10.4018\/jsse.2010100103","type":"journal-article","created":{"date-parts":[[2011,2,15]],"date-time":"2011-02-15T15:59:11Z","timestamp":1297785551000},"page":"35-61","source":"Crossref","is-referenced-by-count":2,"title":["Secure Software Education"],"prefix":"10.4018","volume":"1","author":[{"given":"J. J.","family":"Simpson","sequence":"first","affiliation":[{"name":"System Concepts, LLC, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"M. J.","family":"Simpson","sequence":"additional","affiliation":[{"name":"System Concepts, LLC, USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"B.","family":"Endicott-Popovsky","sequence":"additional","affiliation":[{"name":"University of Washington,USA"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"V.","family":"Popovsky","sequence":"additional","affiliation":[{"name":"University of Idaho,USA"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"2432","reference":[{"key":"jsse.2010100103-0","author":"M.Bishop","year":"2005","journal-title":"Introduction to Computer Security"},{"key":"jsse.2010100103-1","unstructured":"Common Weakness Enumeration (CWE) Categories. (2010). Sponsored by the National Cyber Security Division of the U.S. Department of Homeland Security and hosted by The MITRE Corporation. Retrieved August 24, 2010, from http:\/\/cwe.mitre.org\/data\/definitions\/78.html"},{"key":"jsse.2010100103-2","unstructured":"Department of Homeland Security, National Cyber Security Division\/US-CERT and National Institute of Standards and Technology, National Vulnerability Database. (n.d.). Common Configuration Enumeration (CCE) Reference Data. Retrieved August 24, 2010, from http:\/\/nvd.nist.gov\/cce.cfm"},{"key":"jsse.2010100103-3","unstructured":"Department of Homeland Security, National Cyber Security Division\/US-CERT and National Institute of Standards and Technology, National Vulnerability Database. (n.d.). Official Common Platform Enumeration (CPE) Dictionary. Retrieved August 24, 2010, from http:\/\/nvd.nist.gov\/cpe.cfm"},{"key":"jsse.2010100103-4","unstructured":"Department of Homeland Security, National Cyber Security Division\/US-CERT and National Institute of Standards and Technology, National Vulnerability Database. (n.d.). Common Weakness Enumeration (CWE). Retrieved August 24, 2010, from http:\/\/nvd.nist.gov\/cwe.cfm"},{"key":"jsse.2010100103-5","unstructured":"Endicott-Popovsky, B., Popovsky, V., & Frincke, D. (2004, June). Designing a Computer Forensics Course for an Information Assurance Track. Paper presented at the 8th Colloquium for Information Systems Security Education, West Point, NY."},{"key":"jsse.2010100103-6","unstructured":"Endicott-Popovsky, B., Popovsky, V., & Frincke, D. (2005, June). Secure Code: The Capstone Class in an Information Assurance Track. Paper presented at the 2005 Colloquium on Information Systems Security Education (CISSE): Pursuing Quality Solutions\u2014Lessons Learned and Applied."},{"key":"jsse.2010100103-7","unstructured":"Gross, A. (June 11, 2010). Language. Retrieved August 24, 2010, from http:\/\/languag2.home.sprynet.com\/f\/evishop.htm"},{"key":"jsse.2010100103-8","author":"M.Howard","year":"2003","journal-title":"Writing Secure Code"},{"key":"jsse.2010100103-9","unstructured":"Howard, M., & Lipner, S. (2006). The Security Development Life Cycle. Redmond, WA: Microsoft Press. IEEE-Std-1471-2000. (2000, October). Recommended Practice for Architectural Description of Software-Intensive Systems. Retrieved August 24, 2010, from http:\/\/standards.ieee.org\/reading\/ieee\/std_public\/description\/se\/1471-2000_desc.html"},{"key":"jsse.2010100103-10","unstructured":"IEEE\/EIA 12207.0. (1998, May). Standard for Information Technology \u2013 Software Life Cycle Processes. Washington, DC: IEEE."},{"key":"jsse.2010100103-11","unstructured":"Mar, B. W., & Morais, B. G. (2002, August). FRAT \u2013 A Basic Framework for Systems Engineering. Paper presented at Twelfth Annual International Symposium of INCOSE, Engineering 21st Century Systems: Problem Solving Through Structured Thinking, Las Vegas, NV."},{"key":"jsse.2010100103-12","author":"J.McCumber","year":"2005","journal-title":"Assessing and Managing Security Risk in IT Systems: A Structured Methodology"},{"issue":"1","key":"jsse.2010100103-13","doi-asserted-by":"crossref","first-page":"74","DOI":"10.4018\/jsse.2010102005","article-title":"Benefits and Challenges in the Use of Case Studies for Security Requirements Engineering Methods.","volume":"1","author":"N. R.Mead","year":"2010","journal-title":"International Journal of Secure Software Engineering"},{"key":"jsse.2010100103-14","unstructured":"National Institute of Standards and Technology. (2008, January). Publication, The eXtensible Configuration Checklist Description Format, Release 1.1.4. Retrieved August 24, 2010, from http:\/\/scap.nist.gov\/specifications\/xccdf\/"},{"key":"jsse.2010100103-15","unstructured":"National Institute of Standards and Technology. (2009, November). Publication # NIST SP 800-126, 2009, The Technical Specification for the Security Content Automation Protocol. National Institute of Standards and Technology."},{"key":"jsse.2010100103-16","unstructured":"Popovsky, V., & Popovsky, B. (2008, June). Integrating Academics, the Community and Industry. ISBN 978-5-903247-15-8"},{"key":"jsse.2010100103-17","author":"C.Schou","year":"2007","journal-title":"Information Assurance for the Enterprise: A Roadmap to Information Security"},{"key":"jsse.2010100103-18","unstructured":"Simpson, J. J. (2002, August). Innovation and Technology Management. Paper presented at the Twelfth Annual International Symposium of INCOSE, Engineering 21st Century Systems: Problem Solving Through Structured Thinking, Las Vegas, NV."},{"key":"jsse.2010100103-19","unstructured":"Simpson, J. J. (2004, April). System Frameworks. Paper presented at the Second Annual Conference on Systems Engineering Research, Los Angeles."},{"key":"jsse.2010100103-20","unstructured":"Simpson, J. J., & Endicott-Popovsky, B. (2010, June 7). A Systematic Approach to Information Systems Security Education. Paper presented at the 14th Colloquium for Information Systems Security Education, Baltimore, MD."},{"key":"jsse.2010100103-21","unstructured":"Simpson, J. J., Miller, A., & Dagli, C. (2008, June). Secure Adaptive Response Potential (SARP): A System Security Metric. Paper presented at the Eighteenth Annual International Symposium of INCOSE, Systems Engineering for the Planet, Utrecht, The Nederlands."},{"key":"jsse.2010100103-22","unstructured":"Simpson, J. J., & Simpson, M. J. (2003, July). Systems and Objects. Paper presented at the Thirteenth Annual International Symposium of INCOSE, Engineering Tomorrow's World Today, Crystal City, VA."},{"key":"jsse.2010100103-23","doi-asserted-by":"crossref","unstructured":"Simpson, J. J., & Simpson, M. J. (2006, July). Foundational Systems Engineering (SE) Patterns for a SE Pattern Language. Paper presented at the Sixteenth Annual International Symposium of INCOSE, Systems Engineering: Shining List on the Tough Issues, Orlando, FL.","DOI":"10.1002\/j.2334-5837.2006.tb02842.x"},{"key":"jsse.2010100103-24","doi-asserted-by":"crossref","unstructured":"Simpson, J. J., & Simpson, M. J. (2010, June 3). Complexity Reduction: A Pragmatic Approach. Systems Engineering Journal. DOI:10.1002\/sys.20170","DOI":"10.1002\/sys.20170"},{"key":"jsse.2010100103-25","unstructured":"Simpson, J. J., Votipka, S., Wang, T., Baklanoff, T., & Sweers, N. (2010, June 2). Final Project Report, Threat Incident Modeling Team. Paper presented to IMT 553 \u2013 Establishing and Managing Information Assurance Strategies, University of Washington, Seattle, WA."},{"key":"jsse.2010100103-26","author":"J. N.Warfield","year":"1990","journal-title":"A Science of Generic Design"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=48216","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,6,8]],"date-time":"2019-06-08T11:23:15Z","timestamp":1559992995000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jsse.2010100103"}},"subtitle":["A Contextual Model-Based Approach"],"short-title":[],"issued":{"date-parts":[[2010,10]]},"references-count":27,"journal-issue":{"issue":"4"},"URL":"https:\/\/doi.org\/10.4018\/jsse.2010100103","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2010,10]]}}}