Enhancing secure business process design with security process patterns

  • Nikolaos ArgyropoulosEmail author
  • Haralambos Mouratidis
  • Andrew Fish
Special Section Paper


Business process definition and analysis are an important activity for any organisation. As research has demonstrated, well-defined business processes can reduce cost, improve productivity and provide organisations with competitive advantages. In the last few years, the need to ensure the security of business processes has been identified as a major research challenge. Limited security expertise of business process developers together with a clear lack of appropriate methods and techniques to support the security analysis of business processes is important prohibitors to providing answers to that research challenge. This paper introduces the first attempt in the literature to produce a novel pattern-based approach to support the design and analysis of secure business processes. Our work draws on elements from the security requirements engineering area and the security patterns area, combined with business process modelling, and it produces a set of process-level security patterns which are used to implement security in a given business process model. Such an approach advances the existing literature by providing a structured way of operationalising security at the business process level of abstraction. The applicability of the work is illustrated through an application to a real-life information system, and the effectiveness and usability of the work are evaluated via a workshop-based experiment. The evaluation clearly indicates that non-experts are able to comprehend and utilise the developed patterns to construct secure business process designs.


Security requirements engineering Business process modelling Security process patterns Business process security 



  1. 1.
    Ahmed, N., Matulevičius, R.: Securing business processes using security risk-oriented patterns. Comput. Stand. Interfaces 36(4), 723–733 (2014)CrossRefGoogle Scholar
  2. 2.
    Alam, M.: Model driven security engineering for the realization of dynamic security requirements in collaborative systems. In: International Conference on Model Driven Engineering Languages and Systems, pp. 278–287. Springer, Berlin (2006)Google Scholar
  3. 3.
    Argyropoulos, N.: Designing secure business processes from organisational goal models. Ph.D. thesis, University of Brighton (2018)Google Scholar
  4. 4.
    Argyropoulos, N., Alcañiz, L.M., Mouratidis, H., Fish, A., Rosado, D.G., de Guzmán, I.G.R., Fernández-Medina, E.: Eliciting security requirements for business processes of legacy systems. In: IFIP Working Conference on The Practice of Enterprise Modeling, pp. 91–107. Springer, Berlin (2015)Google Scholar
  5. 5.
    Argyropoulos, N., Angelopoulos, K., Mouratidis, H., Fish, A.: Decision-making in security requirements engineering with constrained goal models. In: 2017 1st International Workshop on SECurity and Privacy Requirements Engineering (SECPRE 2017). IEEE, Washington (2017)Google Scholar
  6. 6.
    Argyropoulos, N., Kalloniatis, C., Mouratidis, H., Fish, A.: Incorporating privacy patterns into semi-automatic business process derivation. In: 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–12. IEEE, Washington (2016)Google Scholar
  7. 7.
    Argyropoulos, N., Mouratidis, H., Fish, A.: Towards the derivation of secure business process designs. In: International Conference on Conceptual Modeling, pp. 248–258. Springer, Berlin (2015)Google Scholar
  8. 8.
    Argyropoulos, N., Mouratidis, H., Fish, A.: Attribute-based security verification of business process models. In: 2017 IEEE 19th Conference on Business Informatics (CBI), vol. 1, pp. 43–52. IEEE, Washington (2017)Google Scholar
  9. 9.
    Argyropoulos, N., Mouratidis, H., Fish, A.: Supporting secure business process design via security process patterns. In: Enterprise, Business-Process and Information Systems Modeling—18th International Conference, BPMDS 2017, 22nd International Conference, EMMSAD 2017, Held at CAiSE 2017, Essen, Germany, June 12–13, 2017, Proceedings, pp. 19–33 (2017)Google Scholar
  10. 10.
    Bottoni, P., Fish, A., Parisi-Presicce, F.: Spider graphs: a graph transformation system for spider diagrams. Softw. Syst. Modell. 14(4), 1421–1453 (2015)CrossRefGoogle Scholar
  11. 11.
    Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)CrossRefzbMATHGoogle Scholar
  12. 12.
    Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: The 8th International Conference on Availability, Reliability and Security (ARES), pp. 546–555. IEEE, Washington (2013)Google Scholar
  13. 13.
    Decreus, K., Poels, G.: A goal-oriented requirements engineering method for business processes. In: Forum at the Conference on Advanced Information Systems Engineering (CAiSE), pp. 29–43. Springer, Berlin (2010)Google Scholar
  14. 14.
    Decreus, K., Poels, G., Kharbili, M.E., Pulvermueller, E.: Policy-enabled goal-oriented requirements engineering for semantic business process management. Int. J. Intell. Syst. 25(8), 784–812 (2010)CrossRefGoogle Scholar
  15. 15.
    Dubois, E., Mouratidis, H.: Guest editorial: security requirements engineering: past, present and future. Requir Eng 15(1), 1–5 (2010)CrossRefGoogle Scholar
  16. 16.
    Fernandez, E.B., Pan, R.: A pattern language for security models. In: In Proceedings of PLoP, vol. 1 (2001)Google Scholar
  17. 17.
    Greek-Parliament Act 3892: Electronic registration and fulfilment of medical prescriptions and clinical test referrals (2010). [In Greek]Google Scholar
  18. 18.
    Guerra, E., de Lara, J., Kolovos, D., Paige, R.: A visual specification language for model-to-model transformations. In: IEEE Symposium on Visual Languages and Human-Centric Computing (2010)Google Scholar
  19. 19.
    ISO: ISO/IEC 27000 Information technology—Security techniques—Information security management systems—Overview and vocabulary. Technical report (2014)Google Scholar
  20. 20.
    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Using privacy process patterns for incorporating privacy requirements into the system design process. In: 2nd International Conference on Availability, Reliability and Security (ARES’07), pp. 1009–1017. IEEE, Washington (2007)Google Scholar
  21. 21.
    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the pris method. Requir. Eng. 13(3), 241–255 (2008)CrossRefGoogle Scholar
  22. 22.
    Kienzle, D.M., Elder, M.C.: Security patterns for web application development. University of Virginia technical report (2002)Google Scholar
  23. 23.
    Lavérdiere, M., Mourad, A., Hanna, A., Debbabi, M.: Security design patterns: survey and evaluation. In: 2006 Canadian Conference on Electrical and Computer Engineering, pp. 1605–1608. IEEE, Washington (2006)Google Scholar
  24. 24.
    Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: 8th International Conference on Availability, Reliability and Security (ARES’13), pp. 262–267. IEEE, Washington (2013)Google Scholar
  25. 25.
    Li, T., Paja, E., Mylopoulos, J., Horkoff, J., Beckers, K.: Security attack analysis using attack patterns. In: 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–13. IEEE, Washington (2016)Google Scholar
  26. 26.
    Mouratidis, H., Argyropoulos, N., Shei, S.: Security requirements engineering for cloud computing: the Secure Tropos approach. In: Karagiannis, D., Mayr, H.C., Mylopoulos, J. (eds.) Domain-Specific Conceptual Modeling, Concepts, Methods and Tools, pp. 357–380. Springer, Berlin (2016)CrossRefGoogle Scholar
  27. 27.
    Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)CrossRefGoogle Scholar
  28. 28.
    Mouratidis, H., Weiss, M., Giorgini, P.: Modeling secure systems using an agent-oriented approach and security patterns. Int. J. Softw. Eng. Knowl. Eng. 16(03), 471–498 (2006)CrossRefGoogle Scholar
  29. 29.
    Neubauer, T., Klemen, M., Biffl, S.: Secure business process management: a roadmap. In: 1st International Conference on Availability, Reliability and Security (ARES’06), pp. 457–464. IEEE, Washington (2006)Google Scholar
  30. 30.
    Nhlabatsi, A., Bandara, A., Hayashi, S., Haley, C., Jurjens, J., Kaiya, H., Kubo, A., Laney, R., Mouratidis, H., Nuseibeh, B., Tun, T., Washizaki, H., Yoshioka, N., Yu, Y.: Security patterns: Comparing modeling approaches. In: Software Engineering for Secure Systems: Industrial and Research Perspectives, pp. 75–11. IGI Global (2011).
  31. 31.
    Object Management Group: Business Process Model Notation (BPMN) Version 2.0. Technical report (2011)Google Scholar
  32. 32.
    Rekik, M., Boukadi, K., Ben-Abdallah, H.: BPMN meta-model extension with deployment and security information. In: 13th International Arab Conference on Information Technology ACIT (2012)Google Scholar
  33. 33.
    Rodriguez, A., Fernández-Medina, E., Piattini, M.: M-bpsec: a method for security requirement elicitation from a UML 2.0 business process specification. In: Advances in Conceptual Modeling—Foundations and Applications, ER 2007 Workshops CMLSA, FP-UML, ONISW, QoIS, RIGiM, SeCoGIS, pp. 106–115. Springer, Auckland, New Zealand (2007) Google Scholar
  34. 34.
    Rosado, D.G., Gutiérrez, C., Fernández-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. Internet Res. 16(5), 519–536 (2006)CrossRefGoogle Scholar
  35. 35.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Designing secure business processes with SecBPMN. Softw. Syst. Model. 16(3), 737–757 (2016)CrossRefGoogle Scholar
  36. 36.
    Séguran, M., Hébert, C., Frankova, G.: Secure workflow development from early requirements analysis. In: IEEE Sixth European Conference on Web Services ECOWS’08, pp. 125–134. IEEE, Washington (2008)Google Scholar
  37. 37.
    Sindre, G.: Mal-activity diagrams for capturing attacks on business processes. In: International Working Conference on Requirements Engineering: Foundation for Software Quality, pp. 355–366. Springer, Berlin (2007)Google Scholar
  38. 38.
    van Solingen (Revision), R., Basili (Original article 1994 ed.), V., Caldiera (Original article 1994 ed.), G., Rombach (Original article 1994 ed.), H.D.: Goal Question Metric (GQM) Approach. American Cancer Society (2002)Google Scholar
  39. 39.
    Souza, A.R., Silva, B.L., Lins, F.A., Damasceno, J.C., Rosa, N.S., Maciel, P.R., Medeiros, R.W., Stephenson, B., Motahari-Nezhad, H.R., Li, J., et al.: Incorporating security requirements into service composition: from modelling to execution. In: Service-Oriented Computing, pp. 373–388. Springer, Berlin (2009)Google Scholar
  40. 40.
    Stonebumer, G., Goguen, A., Fringa, A.: Risk management guide for information technology systems. Recommendations of the National Institute of Standards and Technology (2002)Google Scholar
  41. 41.
    Toval, A., Nicolás, J., Moros, B., Garcia, F.: Requirements reuse for improving information systems security: a practitioner’s approach. Requir. Eng. 6, 205–219 (2001)CrossRefzbMATHGoogle Scholar
  42. 42.
    Weske, M.: Business Process Management: Concepts, Languages, Architectures. Springer, Berlin (2010)Google Scholar
  43. 43.
    Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211–223 (2009)CrossRefGoogle Scholar
  44. 44.
    Yoshioka, N., Washizaki, H., Maruyama, K.: A survey on security patterns. Progr. Inform. 5(5), 35–47 (2008)CrossRefGoogle Scholar
  45. 45.
    Zivkovic, S., Kühn, H., Karagiannis, D.: Facilitate modelling using method integration: an approach using mappings and integration rules. In: European Conference on Information Systems (ECIS) (2007)Google Scholar

Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2019

Authors and Affiliations

  • Nikolaos Argyropoulos
    • 1
    Email author
  • Haralambos Mouratidis
    • 1
  • Andrew Fish
    • 1
  1. 1.Centre for Secure, Intelligent and Usable Systems, School of Computing, Engineering and MathematicsUniversity of BrightonBrightonUK

Personalised recommendations