Abstract
Business process definition and analysis are an important activity for any organisation. As research has demonstrated, well-defined business processes can reduce cost, improve productivity and provide organisations with competitive advantages. In the last few years, the need to ensure the security of business processes has been identified as a major research challenge. Limited security expertise of business process developers together with a clear lack of appropriate methods and techniques to support the security analysis of business processes is important prohibitors to providing answers to that research challenge. This paper introduces the first attempt in the literature to produce a novel pattern-based approach to support the design and analysis of secure business processes. Our work draws on elements from the security requirements engineering area and the security patterns area, combined with business process modelling, and it produces a set of process-level security patterns which are used to implement security in a given business process model. Such an approach advances the existing literature by providing a structured way of operationalising security at the business process level of abstraction. The applicability of the work is illustrated through an application to a real-life information system, and the effectiveness and usability of the work are evaluated via a workshop-based experiment. The evaluation clearly indicates that non-experts are able to comprehend and utilise the developed patterns to construct secure business process designs.
Similar content being viewed by others
Notes
The questionnaire and a summary of the responses can be accessed in: http://www.sense-brighton.eu/process-patterns-questionnaire/.
References
Ahmed, N., Matulevičius, R.: Securing business processes using security risk-oriented patterns. Comput. Stand. Interfaces 36(4), 723–733 (2014)
Alam, M.: Model driven security engineering for the realization of dynamic security requirements in collaborative systems. In: International Conference on Model Driven Engineering Languages and Systems, pp. 278–287. Springer, Berlin (2006)
Argyropoulos, N.: Designing secure business processes from organisational goal models. Ph.D. thesis, University of Brighton (2018)
Argyropoulos, N., Alcañiz, L.M., Mouratidis, H., Fish, A., Rosado, D.G., de Guzmán, I.G.R., Fernández-Medina, E.: Eliciting security requirements for business processes of legacy systems. In: IFIP Working Conference on The Practice of Enterprise Modeling, pp. 91–107. Springer, Berlin (2015)
Argyropoulos, N., Angelopoulos, K., Mouratidis, H., Fish, A.: Decision-making in security requirements engineering with constrained goal models. In: 2017 1st International Workshop on SECurity and Privacy Requirements Engineering (SECPRE 2017). IEEE, Washington (2017)
Argyropoulos, N., Kalloniatis, C., Mouratidis, H., Fish, A.: Incorporating privacy patterns into semi-automatic business process derivation. In: 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–12. IEEE, Washington (2016)
Argyropoulos, N., Mouratidis, H., Fish, A.: Towards the derivation of secure business process designs. In: International Conference on Conceptual Modeling, pp. 248–258. Springer, Berlin (2015)
Argyropoulos, N., Mouratidis, H., Fish, A.: Attribute-based security verification of business process models. In: 2017 IEEE 19th Conference on Business Informatics (CBI), vol. 1, pp. 43–52. IEEE, Washington (2017)
Argyropoulos, N., Mouratidis, H., Fish, A.: Supporting secure business process design via security process patterns. In: Enterprise, Business-Process and Information Systems Modeling—18th International Conference, BPMDS 2017, 22nd International Conference, EMMSAD 2017, Held at CAiSE 2017, Essen, Germany, June 12–13, 2017, Proceedings, pp. 19–33 (2017)
Bottoni, P., Fish, A., Parisi-Presicce, F.: Spider graphs: a graph transformation system for spider diagrams. Softw. Syst. Modell. 14(4), 1421–1453 (2015)
Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)
Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: The 8th International Conference on Availability, Reliability and Security (ARES), pp. 546–555. IEEE, Washington (2013)
Decreus, K., Poels, G.: A goal-oriented requirements engineering method for business processes. In: Forum at the Conference on Advanced Information Systems Engineering (CAiSE), pp. 29–43. Springer, Berlin (2010)
Decreus, K., Poels, G., Kharbili, M.E., Pulvermueller, E.: Policy-enabled goal-oriented requirements engineering for semantic business process management. Int. J. Intell. Syst. 25(8), 784–812 (2010)
Dubois, E., Mouratidis, H.: Guest editorial: security requirements engineering: past, present and future. Requir Eng 15(1), 1–5 (2010)
Fernandez, E.B., Pan, R.: A pattern language for security models. In: In Proceedings of PLoP, vol. 1 (2001)
Greek-Parliament Act 3892: Electronic registration and fulfilment of medical prescriptions and clinical test referrals (2010). [In Greek]
Guerra, E., de Lara, J., Kolovos, D., Paige, R.: A visual specification language for model-to-model transformations. In: IEEE Symposium on Visual Languages and Human-Centric Computing (2010)
ISO: ISO/IEC 27000 Information technology—Security techniques—Information security management systems—Overview and vocabulary. Technical report (2014)
Kalloniatis, C., Kavakli, E., Gritzalis, S.: Using privacy process patterns for incorporating privacy requirements into the system design process. In: 2nd International Conference on Availability, Reliability and Security (ARES’07), pp. 1009–1017. IEEE, Washington (2007)
Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the pris method. Requir. Eng. 13(3), 241–255 (2008)
Kienzle, D.M., Elder, M.C.: Security patterns for web application development. University of Virginia technical report (2002)
Lavérdiere, M., Mourad, A., Hanna, A., Debbabi, M.: Security design patterns: survey and evaluation. In: 2006 Canadian Conference on Electrical and Computer Engineering, pp. 1605–1608. IEEE, Washington (2006)
Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: 8th International Conference on Availability, Reliability and Security (ARES’13), pp. 262–267. IEEE, Washington (2013)
Li, T., Paja, E., Mylopoulos, J., Horkoff, J., Beckers, K.: Security attack analysis using attack patterns. In: 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–13. IEEE, Washington (2016)
Mouratidis, H., Argyropoulos, N., Shei, S.: Security requirements engineering for cloud computing: the Secure Tropos approach. In: Karagiannis, D., Mayr, H.C., Mylopoulos, J. (eds.) Domain-Specific Conceptual Modeling, Concepts, Methods and Tools, pp. 357–380. Springer, Berlin (2016)
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)
Mouratidis, H., Weiss, M., Giorgini, P.: Modeling secure systems using an agent-oriented approach and security patterns. Int. J. Softw. Eng. Knowl. Eng. 16(03), 471–498 (2006)
Neubauer, T., Klemen, M., Biffl, S.: Secure business process management: a roadmap. In: 1st International Conference on Availability, Reliability and Security (ARES’06), pp. 457–464. IEEE, Washington (2006)
Nhlabatsi, A., Bandara, A., Hayashi, S., Haley, C., Jurjens, J., Kaiya, H., Kubo, A., Laney, R., Mouratidis, H., Nuseibeh, B., Tun, T., Washizaki, H., Yoshioka, N., Yu, Y.: Security patterns: Comparing modeling approaches. In: Software Engineering for Secure Systems: Industrial and Research Perspectives, pp. 75–11. IGI Global (2011). https://doi.org/10.4018/978-1-61520-837-1
Object Management Group: Business Process Model Notation (BPMN) Version 2.0. Technical report (2011)
Rekik, M., Boukadi, K., Ben-Abdallah, H.: BPMN meta-model extension with deployment and security information. In: 13th International Arab Conference on Information Technology ACIT (2012)
Rodriguez, A., Fernández-Medina, E., Piattini, M.: M-bpsec: a method for security requirement elicitation from a UML 2.0 business process specification. In: Advances in Conceptual Modeling—Foundations and Applications, ER 2007 Workshops CMLSA, FP-UML, ONISW, QoIS, RIGiM, SeCoGIS, pp. 106–115. Springer, Auckland, New Zealand (2007)
Rosado, D.G., Gutiérrez, C., Fernández-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. Internet Res. 16(5), 519–536 (2006)
Salnitri, M., Dalpiaz, F., Giorgini, P.: Designing secure business processes with SecBPMN. Softw. Syst. Model. 16(3), 737–757 (2016)
Séguran, M., Hébert, C., Frankova, G.: Secure workflow development from early requirements analysis. In: IEEE Sixth European Conference on Web Services ECOWS’08, pp. 125–134. IEEE, Washington (2008)
Sindre, G.: Mal-activity diagrams for capturing attacks on business processes. In: International Working Conference on Requirements Engineering: Foundation for Software Quality, pp. 355–366. Springer, Berlin (2007)
van Solingen (Revision), R., Basili (Original article 1994 ed.), V., Caldiera (Original article 1994 ed.), G., Rombach (Original article 1994 ed.), H.D.: Goal Question Metric (GQM) Approach. American Cancer Society (2002)
Souza, A.R., Silva, B.L., Lins, F.A., Damasceno, J.C., Rosa, N.S., Maciel, P.R., Medeiros, R.W., Stephenson, B., Motahari-Nezhad, H.R., Li, J., et al.: Incorporating security requirements into service composition: from modelling to execution. In: Service-Oriented Computing, pp. 373–388. Springer, Berlin (2009)
Stonebumer, G., Goguen, A., Fringa, A.: Risk management guide for information technology systems. Recommendations of the National Institute of Standards and Technology (2002)
Toval, A., Nicolás, J., Moros, B., Garcia, F.: Requirements reuse for improving information systems security: a practitioner’s approach. Requir. Eng. 6, 205–219 (2001)
Weske, M.: Business Process Management: Concepts, Languages, Architectures. Springer, Berlin (2010)
Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211–223 (2009)
Yoshioka, N., Washizaki, H., Maruyama, K.: A survey on security patterns. Progr. Inform. 5(5), 35–47 (2008)
Zivkovic, S., Kühn, H., Karagiannis, D.: Facilitate modelling using method integration: an approach using mappings and integration rules. In: European Conference on Information Systems (ECIS) (2007)
Author information
Authors and Affiliations
Corresponding author
Additional information
Communicated by Dr Selmin Nurcan and Rainer Schmidt.
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
About this article
Cite this article
Argyropoulos, N., Mouratidis, H. & Fish, A. Enhancing secure business process design with security process patterns. Softw Syst Model 19, 555–577 (2020). https://doi.org/10.1007/s10270-019-00743-y
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10270-019-00743-y