Abstract
Business process modelling is one of the major aspects of modern system development. Recently, Business Process Model and Notation (BPMN) has become a standard technique to support this activity. Although BPMN is a good approach for understanding business processes, there is limited work on how it could deal with business security and security risk management. This is a problem, since business processes and security concerns should be understood in parallel to support the development of secure systems. In this paper we analyse BPMN with respect to the domain model of IS security risk management (ISSRM). We apply a structured approach to understand the key aspects of BPMN and how a modeller could express secure assets, risks and risk treatment using BPMN. We align the main BPMN constructs with the key concepts of the ISSRM domain model. We show the applicability of our approach on a running example related to an Internet store. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. In addition, we open a possibility for business and security model interoperability and for model transformation between several modelling approaches (if these are aligned to the ISSRM domain model).
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Altuhhova, O., Matulevičius, R., Ahmed, N. (2012). Towards Definition of Secure Business Processes. In: Bajec, M., Eder, J. (eds) Advanced Information Systems Engineering Workshops. CAiSE 2012. Lecture Notes in Business Information Processing, vol 112. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-31069-0_1
DOI: https://doi.org/10.1007/978-3-642-31069-0_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-31068-3
Online ISBN: 978-3-642-31069-0
eBook Packages: Computer Science (R0)