Eliciting Security Requirements for Business Processes

using Patterns

Naved Ahmed, Raimundas Matulevi

cius and Naiad Hossain Khan

Institute of Computer Science, University of Tartu

J. Liivi 2, 50409 Tartu, Estonia

Abstract. Business process modelling and security engineering are two impor-

tant concerns when developing information system (IS). However current prac-

tices report that security is addressed rather at the later development stages (i.e.,

design and implementation). This raises a question whether the business pro-

cesses are performed securely. In this paper, we propose a method to align busi-

ness process modelling and security engineering. We develop a set of security

risk-oriented patterns. Such patterns help to understand security risks that poten-

tially arise within business processes, and to introduce security solutions. To ease

the applicability the security risk-oriented patterns are deﬁned using BPMN no-

tations. The proposal is tested in an industrial business model and the ﬁndings

indicate a positive usefulness to identify important business assets, their security

risks and countermeasures.

1 Introduction

Business process modelling (BPM) is an activity of representing enterprise processes,

so that the current processes may be analysed and improved. Security engineering is

concerned with lowering the risk of intentional unauthorised harm to valuable assets

to level that is acceptable to the system’s stakeholders by preventing and reacting to

malicious harm, misuse, threats and security risks [10]. Assuming that business ana-

lysts concentrate on improving the business performance, early security analysis could

help discovering and discarding system design alternatives that do not offer sufﬁcient

security levels. Although the importance of addressing security concerns is now ac-

knowledged [7], common practice is to consider security when the system is about to

be implemented or deployed [11]. One of the reasons is that, business analysts are ex-

perts in business domain, they have limited or no expertise in security engineering;

thus they depend on the practices, security standards [2, 3], or security experts. Such a

situation potentially contains several limitations. Thus, here we investigate the follow-

ing research question: how to facilitate elicitation of security concerns during business

process modelling?

According to Schumacher et al. “a security pattern describes a particular recurring

security problem that arises in a speciﬁc security context and presents a well-proven

generic scheme for a security solution”[17]. Following this deﬁnition, in this study we

develop a set of security risk-oriented patterns (i.e., generic scheme). These patterns are

based on understanding security risks (i.e., recurring security problems) that potentially

Ahmed N., Matulevi

cius R. and Hossain Khan N..

Eliciting Security Requirements for Business Processes using Patterns.

DOI: 10.5220/0004100200490058

In Proceedings of the 9th International Workshop on Security in Information Systems (WOSIS-2012), pages 49-58

ISBN: 978-989-8565-15-0

 2012 SCITEPRESS (Science and Technology Publications, Lda.)

arise within business processes (i.e., speciﬁc security context). To mitigate these risks,

the patterns recommend security requirements (i.e., security solution). In other words,

our approach aligns business processes and security requirements elicited using security

risk-oriented patterns. In order to understand usefulness of these patterns we apply them

in business models. Our study, thus, results in the guidelines to elicit security assets,

potential security risks and their countermeasures in the business processes.

The rest of the paper is structured as follows: Section 2 discusses the related work in

the domain of business processes security and compares the security risk management

approaches. Section 3 describes the security risk-oriented patterns, this is the major con-

tribution of our work. Next, Section 4 demonstrates the example of pattern application

in the business model. In Section 5 we discuss and conclude the paper and outline the

future work.

2 Background

2.1 Security in Business Process Modelling

There exists several studies relating business processes and security requirements elic-

itation. R

ohrig and Knorr [16] derive security requirements by assigning the security

level to business process components using a formal descriptive language. However,

security measures are applied after the deﬁnition of the business processes. Rodr

ıguez

et al. [15] extend BPMN using padlocks to annotate business processes with security

requirements. The early security requirements are expressed with a speciﬁc padlock

symbols. Similarly, Christopher and Joe [14] proposed two new artefacts − operating

condition and control case − to express the constraints on business processes. Mod-

elling constraints helps in mitigating risk and facilitate the early discovery of security

requirements. These practices [16, 15, 14] express the security requirements. However,

they are not align with risk analysis and the rationale is absent. Paja et al. [13] specify

commitments by analysing the participant’s objectives and their interactions which are

considered as high-level speciﬁcation of security requirements. They are annotated in

BPMN using conversation and choreography diagrams. Though it gives rationale for

security, but the requirements are limited to the exchange of resources. And a detail

semantic mapping between organisational model and BPMN is also missing.

2.2 Security Risk Management

A domain model (see Fig. 1) for Information Systems Security Risk Management (IS-

SRM) [8] expresses the key concepts and their relationships used to deﬁne the security

risk-based template [4]. ISSRM helps identify and specify security risks. It also ad-

dresses the risk management approaches to support the risk management process that

focuses on whole IS, instead of deﬁning security requirements for one or more IS com-

ponents. ISSRM applies security in the IS development while other approaches are

mainly applied on an existing IS, but not applicable in the IS development. Although,

few can be used by implementing additional guidelines, however they still lacks the

Requirement Engineering (RE) activities and wouldn’t able to reason for security re-

quirements.

Fig. 1. ISSRM Domain Model, adapted from [8].

Risk management methods (see details in [8]) produce analysis in natural language,

which hinders to automate their activities for reasoning, evolution, monitoring or trace-

ability, except CORAS [6]. In CORAS, each activity proposed a structured artefact but

it is neither connected to RE activities nor applicable to the IS development and is dis-

connected from the standard terminology.

3 Security Risk-oriented Patterns

3.1 Developing Patterns

We followed the 3-steps pattern-oriented approach to develop our security patterns:

Firstly, we have developed the security risk-oriented template (see [4] for template de-

tails). Secondly, a set of security risk-oriented patterns are deﬁned, by identifying the

security ﬂaws (listed in [18]), followed by the risk analysis and the countermeasures are

developed using available security standards (e.g. [2, 3]) to mitigate these risks. Finally,

we apply our approach in a business model to illustrate its feasibility. We have devel-

oped ten security risk-oriented patterns. These patterns are the major contribution of

our research study and are brieﬂy described below and the respective details are given

in a technical report [12].

SRP 1. Pattern secures the data transmitted between the business entities i.e., stake-

holders involved in the business process. If attacker intercepts the transmission medium

that can lead to the loss of data conﬁdentiality and its integrity. To reduce risk this pat-

tern proposes to make the data unreadable before transmitting, and calculate the check-

sum value. To avoid risk this pattern proposes to change the transmission medium that

cannot be intercepted.

SRP 2. Pattern ensures valid data entry into business processes by rejecting the un-

wanted malicious data. The risk analysis identiﬁes that invalid data can cause the loss

of business process integrity and also attacker can make the business entity unavailable

for their clients. To avoid these risks this pattern proposes to deﬁne a structured format

for incoming data and restrict any other format data.

SRP 3. Pattern verify the origin of the business entity that sends the data and secure the

integrity of business processes. It investigates the legitimacy of sender, and ensures that

sender should not deny the sending of data, i.e., non-repudiation. The identiﬁed risks

are malfunction strategies and incorrect initiation of a business activity (e.g., process

invalid purchase order). To reduce the problem this pattern introduces the requirement

of verifying sender’s identity.

SRP 4. Pattern ensures the availability of business service by protecting the IS from

denial of service (DOS) attack. It addresses the problem of services offered by business

which are exposed to their clients. Therefore, are more vulnerable to external attackers.

The risk is that an attacker can make the service unavailable and prevent the legitimate

users. To reduce the risk of DOS attacks this pattern proposes to restrict the packets

using proper router conﬁguration.

SRP 5. Pattern secures data from misuse by applying multilevel access rights to the

retrieval interface. It addresses the problem of unauthorised access and missing sys-

tem log which has information about who read the data. This raises the risk of leaking

data that can be misused. To reduce the risk this pattern proposes to restrict anony-

mous access at retrieval interface, establish access levels of data and give it to relevant

individuals, and keep track of data retrieval.

SRP 6. Pattern secures data store by storing the conﬁdential data in invisible format.

If data store saves data in plain format then attacker able to read it easily. This com-

promises the conﬁdentiality of data and its misused can have negative impacts. Pattern

proposes two solution to this problem: reduce the risk by storing the data in invisible

format (e.g., encrypted), and do not store the data in data store instead ask clients when

the it is needed.

SRP 7. Pattern describes a ﬂow to handle more than one request in parallel to avoid

the deadlock condition. Here, a deadlock situation is addressed when a business activity

holds a resource and request for other resources. An attacker can deliberately create

such scenario and can crash an activity or service, making it unavailable for users. To

reduce the risk this pattern proposes all the resources should be requested in advance or

released before requesting new resource.

SRP 8. Pattern ensures the atomicity of business transaction to protect the data in-

tegrity during its storage in the database. A failure of single activity causes the transac-

tion to abort abnormally resulting in writing conﬂicting data. It risks data integrity and

leads business to malfunction strategies. This pattern proposes to implement an external

mechanism to track transaction and invoke the compensation logic in case of failure to

undo all the changes.

SRP 9. Pattern secures multiple access to a shared data by protecting its integrity in

TimeOfCheck/TimeOfUse (TOCTOU). When several activities from different locations

access the data in a single time, this risks the loss of data integrity that can lead business

to malfunction strategies. To reduce the risk this pattern proposes to implement locking

protocol on data accessibility.

SRP 10. Pattern prevents the leakage of system information when an exception is

thrown. It addresses the problem of system information leakage, when run-time ex-

ception arises. The attacker can intentionally raise the exception to get internal sys-

tem information i.e., application conﬁguration, which help him to launch sophisticated

attacks. To reduce the risk this pattern proposes to handle the errors and exceptions

correctly.

3.2 Security Risk-oriented Pattern Example

This section presents an example of security risk-oriented pattern “Securing data that

ﬂows between the business entities”. Its major structural details are deﬁned textually in

Table 1 and the graphical representation (BPMN using the alignment [5]) is illustrated

in Fig. 2(a), 3(a) and 4(a).

Table 1. Security Risk-oriented Pattern (SRP1).

1. Organisational scenario & Security context identiﬁcation

Pattern name Securing data that ﬂow between the business entities

Pattern description This pattern secures the data transmit between the business entities

Related pattern(s) No related patterns

2. Asset identiﬁcation & Security objective determination

Business Asset Data submitted and employ by business

IS Asset Input interface, Transmission medium that transfers data and business/server

Security criteria –Conﬁdentiality of data

–Integrity of data

3. Risk analysis & assessment

Risk An attacker intercepts the transmission medium and misuses the data leading to loss of

data conﬁdentiality or integrity.

Impact

1. Harm of at least one business asset (i.e., harm of data submitted and stored in the

database)

2. Harm of at least one IS asset (i.e., loss of reliability of the transmission medium)

3. Negation of security criteria (i.e., negation of data conﬁdentiality and integrity)

Event An attacker intercepts the transmission medium due to its characteristics to be intercepted

and misuses the data due to the lack of crypto-functionality at the input interface and

server [18].

Threat An attacker intercepts the transmission medium and misuse the data.

Vulnerability – Characteristics of transmission medium to be intercepted [18]

– Lack of crypto-functionality at input interface and server [18]

Threat agent An attacker with means to intercept transmission medium by acting as a proxy

Attack method

1. Intercept transmission medium by establishing a proxy between input interface and

server [1].

2. Misuse data:

(a) Capture, modify and pass data to the database.

(b) Capture, read and keep data for the later use.

4. Risk treatment & Security requirements

Risk treatment Risk reduction Risk avoidance

Security requirement

– Make data unreadable to attackers. (Mitigates the

risk of data conﬁdentiality)

– Verify the received data with the original. (Miti-

gates the risk of data integrity)

Change the transmission medium that

does not have the ability to be inter-

cepted

Control – Cryptographic algorithm

– Checksum algorithm

– Physically delivery of data.

– Employee enters data.

In Table 1, the ﬁrst part describes the pattern’s name (see the entry pattern name

and description). The related patterns entry could be used to link other related security

patterns. The second part, called as asset identiﬁcation and security objective determi-

nation, is used to deﬁne business and IS assets. Following the ISSRM domain model [8]

we identify business assets (i.e., data) and the IS assets deﬁned in the pattern (i.e., in-

put interface, transmission medium and business/server) which support business assets.

Security criteria (i.e., conﬁdentiality and integrity of data) are constraints on business

assets and is presented in Fig. 2(a) using padlocks (adapted from [15]).

In ISSRM domain model [8], risk is a composition of impact, vulnerability, threat

agent and attack method. In the SRP1 (see Table 1) we deﬁne that there might exist a

threat agent (i.e., attacker) who has motivation and means (i.e., intercept transmission

medium by acting as a proxy) to threatens the system. He is able to target the IS as-

sets by exploiting the vulnerabilities (i.e., Characteristics of transmission medium to

be intercepted and Lack of crypto-functionality at input interface and server). As the

risk event happened it potentially leads to impact (listed in Table 1). The situation is

illustrated graphically in Fig. 3(a) where vulnerability in an IS asset is represented by

asterisk (

) (adapted from [9]). Such a model provide rationale for the security require-

ments deﬁned later in Section 4 under reasoning about security requirements.

According to the ISSRM domain model [8], there exists 4 potential risk treatment

decision (e.g., avoidance, reduction, retention, or transfer) choosing one or another de-

cision inﬂuences the actual design of security countermeasures. In SRP1 (see Table 1),

we introduce two alternative decisions i.e., risk reduction and risk avoidance, which are

reﬁned to different security requirements. In case of risk reduction, security require-

ments could be potentially implemented by cryptography or checksum algorithms. In

the second case (i.e., risk reduction) security requirement (i.e., Change the transmission

medium that does not have the ability to be intercepted) is implemented by introducing

the physical data delivery. As analysed in [5], BPMN does not model ISSRM con-

trols, however, the security requirements are potentially introduced using combination

of tasks, gateways and events [5] or business model is annotated (adapted from [13]).

We have used later approach to keep the business models simple for business analyst

(see Fig. 3(a)).

4 Pattern Usability

To test the usability and performance of our approach we have applied the patterns

to the business models of land management organisation. Major objectives to choose

this example are: the complex execution of activities, large IT dependency and the data

exchange between the stakeholders, and business model (see overall size description in

Table 2) is expressed in BPMN. The research goal of this application is twofolds. Firstly,

develop application guidelines for our patterns. Secondly, investigate the usefulness of

our approach to discover potential security ﬂaws and implements the countermeasures.

We continue the application with the example pattern, SRP1 (see Table 1).

Table 2. Size of Land management organisation business models.

Processes Sub-process Events Gateways Pools Tasks

Message ﬂows

Sequence ﬂows

9 73 109 83 68 186 129 492

In Section 4.2 we consider their sum to estimate the size of the business model.

4.1 Application Guidelines

Identifying Pattern. The ﬁrst step is to identify the occurrences of security pattern

in business model. This is a manual activity, that potentially requires a good compre-

hension of the modelled domain and problem. For example in Fig. 2(b) we illustrate

an occurrence of SRP1. Here we could see the correspondence between the processes

log on to portal (Fig. 2(b)) and submit data (Fig. 2(a)), since both these activities are

about entering the data (i.e., user log on details in Fig. 2(b) and data in Fig. 2(a)) us-

ing their input devices (i.e., lodging party in Fig. 2(b) and input interface in Fig. 2(a)).

Similarly there is a correspondence between processes validate user (in Fig. 2(b)) and

employ data (in Fig. 2(a)). Since they both concern with the operations which employ

the received data.

Fig. 2. (a) Organisational scenario (b) Pattern occurrence in business model.

Fig. 3. Annotated Security criteria & Security requirements in (a) Security pattern, (b) Pattern’s

occurrence in business model.

Annotating Model with Security Criteria. After ﬁnding the pattern in the business

model we potentially annotate assets that require security consideration. For example in

Fig. 3(b) user log on to details is annotated with padlocks (that correspond to the ISSRM

security criterion [5]) to highlight that it needs to be considered for conﬁdentiality (C)

and integrity (I).

Introducing Security Requirements. Next, the business model is annotated with se-

curity requirements (see Fig. 3(b)), derived when deﬁning the security risk-oriented

pattern. Alternatively, security requirements could be deﬁned using combination of the

task, gateway, event constructs as discussed in [5].

Reasoning about Security Requirements. Some security risk-oriented patterns have

alternate risk-treatment decisions; for instance applying SRP1, different security re-

quirements could be derived when selecting risk reduction or risk avoidance. Different

requirements, result in different security controls (and thus, different system implemen-

tation). Selecting one or another risk-treatment is security trade-off that analyst should

make. To support the decision on risk-treatment and to reason why security require-

ments are introduced, the risk analysis and assessment (for SRP1, see Table 1) could

provide reasoning why one or another risk-treatment should be taken, or why security

requirements should be considered when implementing the system. For example, taking

into account SRP1, analyst could potentially comprehend (see Fig. 4(b)) how user log

on details can be intercepted by an attacker.

Fig. 4. (a) Pattern threat analysis (b) applied in the business model.

4.2 Pattern Occurrences

We have conducted analysis using all the ten patterns. The ﬁndings are illustrated in

Table 3. In this table we report on an extend, at which the patterns inﬂuences the busi-

ness process model. This extend is deﬁned as a correspondence between the number of

model elements considered by pattern (e.g., multiplication of total number of pattern

constructs an number of model pattern occurrences in the model; in case of SRP1, 4

x 33 = 132) and size of the business model (which equals to a sum of Tasks, Message

ﬂows, and Sequence ﬂows, 807, as deﬁned in Table 3). Number of the pattern occur-

rences could suggest the amount of decisions, which analyst needs to make about the

trade-offs of the security requirements (and their corresponding controls) in the busi-

ness model. Furthermore, each pattern, as deﬁned in [12] contributes to the mitigation

of at least 1 or 2 security risks. Thus, having the number of pattern occurrences we

potentially identify the number of risks that are possible to mitigate using our approach.

5 Discussion & Conclusions

5.1 Discussion

Currently business process models are mainly analyzed manually but the patterns pro-

vide a way to structure information (for SRP1, see Table 1). This creates the possibility

Table 3. Patterns’ Occurences in Land management business model.

Pattern ID

No# of language constructs used to deﬁne

pattern

No# of pattern

occurrence in

business model

An extend, at which

pattern inﬂuences the

business process modelTask Message

ﬂow

Sequence

ﬂow

Total

SRP1 2 2 0 4 33 16%

SRP2 2 2 0 4 33 16%

SRP3 3 2 0 4 33 16%

SRP4 2 1 0 3 35 13%

SRP5 1 1 1 3 39 14%

SRP6 2 1 3 5 6 4%

SRP7 3 2 0 5 12 7%

SRP8 8 0 10 18 0 0%

SRP9 2 1 3 6 4 3%

SRP10 2 2 3 7 8 7%

to automate the process of searching patterns in business models. The patterns identiﬁ-

cation also depends on how the business processes have been modelled. If the business

models include detail information then the patterns can be easily automated without

requiring any manual efforts from the domain expert. The scope of our patterns are

software errors described in taxonomy [18] therefore, the paper focuses on the IT secu-

rity risks. There is no list of risks to compare the completeness of our patterns (e.g., how

many risks are covered?). Although there are several surveys conducted to categorise

the risks but usually they are subjective and focuses on system domain. Therefore, we

calculate the completeness of patterns by comparing the 85 security errors described in

the taxonomy [18] with the vulnerabilities identiﬁed in the security patterns. We keep

in mind that there exists several other ﬂaws but they are not currently analysed. The

analysis of pattern’ occurrences shows the patterns covered 68 vulnerabilities from 85

listed in taxonomy [18]. The remaining 17 vulnerabilities are tool dependent, therefore,

it is not possible to address them. These occurrences are subjective, so it can vary from

analysis to analysis.

5.2 Conclusions

In this paper we introduce security risk-oriented patterns to address security concerns.

The patterns are developed taking into account the well-known taxonomy of security

errors [18]. The pattern application results in a set of guidelines that business analysts

can apply our method to understand the security risks and to envision costs and rationale

for implementing these security decisions without asking for help from the security de-

signer. Although the graphical pattern is deﬁned using BPMN, this is not speciﬁc to any

modelling language and other modelling languages could be used to create graphical

pattern expressions, if these languages are understood in terms of the ISSRM domain

model [8].

Our future work includes developing an approach for semi-automatic identiﬁcation

of these patterns in the business models. In addition we plan to equip the security pat-

terns with the metrics for asset value, risk level and risk-treatment cost measurement to

support the security trade-off analysis.

References

1. Common attack pattern enumeration and classiﬁcation, available at http://capec.mitre.org/

data/deﬁnitions/94.html

2. DCSSL EBIOS expression of needs and identiﬁcation of security objectives (2004), avail-

able at http://www.bsi.de/english/gshb/manual/download/index.html

3. ENISA -inventory of risk assessment and risk management methods (2004)

4. Ahmed, N., Matulevi

cius, R.: A template of security risk patterns for business processes. In:

Perspectives in Business Informatics Research, Riga, Latvia. pp. 123–130. Riga Technical

University (2011)

5. Altuhhova, O., Matulevi

cius, R., Ahmed, N.: Towards Deﬁnition of Secure Business Pro-

cesses. In: M. Bajec and J. Eder (Eds.): CAiSE 2012 Workshops, LNBIP 112. pp. 1–15.

Springer-Verlag (2012)

6. Braber, F., Hogganvik, I., Lund, M. S., Stølen, K., Vraalsen, F.: Model-based security analy-

sis in seven steps — a guided tour to the coras method. BT Technology Journal 25, 101–117

(2007)

7. Devanbu, P. T., Stubblebine, S.: Software engineering for security: a roadmap. In: The Future

of Software Engineering. pp. 227–239. ACM Press (2000)

8. Dubois, E., Heymans, P., Mayer, N.and Matuleviv¸ius, R.: A systematic approach to deﬁne

the domain of information system security risk management. In: Intentional Perspectives on

IS Engg., pp. 289–306. Springer (2010)

9. Elahi, G., Yu, E.: A goal oriented approach for modeling and analyzing security trade-offs.

Security 4801(7), 375–390 (2007)

10. Firesmith, D.: Engineering safety and security related requirements for software intensive

systems. In: Software Engineering - Companion. ICSE 2007 Companion. 29th International

Conference on. p. 169. IEEE Computer Society (2007)

11. J

urjens, J.: Secure systems development with UML. Springer (2005)

12. Khan, N. H., Ahmed, N., Matulevi

cius, R.: Security Risk Oriented Patterns. Tech. rep.,

University of Tartu, Department of Computer Sciences (04 2012), http://www.cs.ut.ee/

∼naved/Security Risk Oriented Patterns.pdf

13. Paja, E., Giorgini, P., Paul, S., Meland, P. H.: Security requirements engineering for business

processes. In: Perspectives in Business Informatics Research, Riga, Latvia. pp. 163–170.

Riga Technical University (2011)

14. Pavlovski, C. J., Zou, J.: Non-functional requirements in business process modeling. In: Pro-

ceedings of the 5th Asia-Paciﬁc conf. on Conceptual Modelling. pp. 103–112. APCCM,

Australian Computer Society, Inc. (2008)

15. Rodr

ıguez, A., Fern

andez-Medina, E., Piattini, M.: A bpmn extension for the modeling of se-

curity requirements in business processes. IEICE - Trans. Inf. Syst. 90-D(4), 745–752 (2007)

16. R

ohrig, S., Knorr, K.: Security analysis of electronic business processes. Electronic Com-

merce Research 4(1-2), 59–81 (2004)

17. Schumacher, M., Fernandez-Buglioni, E., Hybertson, D., Buschmann, F., Sommerlad, P.:

Security Patterns: Integrating Security and Systems Engineering (2006)

18. Tsipenyuk, K., Chess, B., McGraw, G.: Seven pernicious kingdoms: A taxonomy of software

security errors. IEEE Security & Privacy 3(6), 81–84 (2005)