Eliciting Security Requirements for Business Processes using Patterns

Naved Ahmed, Raimundas Matulevičius, Naiad Hossain Khan

Abstract

Business process modelling and security engineering are two important concerns when developing information systems (IS). However, current practices report that security is addressed rather at the later development stages (i.e., design and implementation). This raises the question of whether the business processes are performed securely. In this paper, we propose a method to align business process modelling and security engineering. We develop a set of security risk-oriented patterns. Such patterns help to understand security risks that potentially arise within business processes, and to introduce security solutions. To ease applicability, the security risk-oriented patterns are defined using BPMN notation. The proposal is tested on an industrial business model, and the findings indicate that it is useful for identifying important business assets, their security risks and countermeasures.



Paper Citation


in Bibtex Style

@conference{wosis12,
author={Naved Ahmed and Raimundas Matulevičius and Naiad Hossain Khan},
title={Eliciting Security Requirements for Business Processes using Patterns},
booktitle={Proceedings of the 9th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2012)},
year={2012},
pages={49-58},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004100200490058},
isbn={978-989-8565-15-0},
}


in Harvard Style

Ahmed N., Matulevičius R. and Hossain Khan N. (2012). Eliciting Security Requirements for Business Processes using Patterns. In Proceedings of the 9th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2012), ISBN 978-989-8565-15-0, pages 49-58. DOI: 10.5220/0004100200490058


in EndNote Style

TY - CONF
JO - Proceedings of the 9th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2012)
TI - Eliciting Security Requirements for Business Processes using Patterns
SN - 978-989-8565-15-0
AU - Ahmed N.
AU - Matulevičius R.
AU - Hossain Khan N.
PY - 2012
SP - 49
EP - 58
DO - 10.5220/0004100200490058