Enhancing secure business process design with security process patterns


Business process definition and analysis are an important activity for any organisation. As research has demonstrated, well-defined business processes can reduce cost, improve productivity and provide organisations with competitive advantages. In the last few years, the need to ensure the security of business processes has been identified as a major research challenge. Limited security expertise of business process developers together with a clear lack of appropriate methods and techniques to support the security analysis of business processes is important prohibitors to providing answers to that research challenge. This paper introduces the first attempt in the literature to produce a novel pattern-based approach to support the design and analysis of secure business processes. Our work draws on elements from the security requirements engineering area and the security patterns area, combined with business process modelling, and it produces a set of process-level security patterns which are used to implement security in a given business process model. Such an approach advances the existing literature by providing a structured way of operationalising security at the business process level of abstraction. The applicability of the work is illustrated through an application to a real-life information system, and the effectiveness and usability of the work are evaluated via a workshop-based experiment. The evaluation clearly indicates that non-experts are able to comprehend and utilise the developed patterns to construct secure business process designs.

This is a preview of subscription content, log in to check access.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16


  1. 1.


  2. 2.


  3. 3.

    The questionnaire and a summary of the responses can be accessed in: http://www.sense-brighton.eu/process-patterns-questionnaire/.


  1. 1.

    Ahmed, N., Matulevičius, R.: Securing business processes using security risk-oriented patterns. Comput. Stand. Interfaces 36(4), 723–733 (2014)

    Article  Google Scholar 

  2. 2.

    Alam, M.: Model driven security engineering for the realization of dynamic security requirements in collaborative systems. In: International Conference on Model Driven Engineering Languages and Systems, pp. 278–287. Springer, Berlin (2006)

  3. 3.

    Argyropoulos, N.: Designing secure business processes from organisational goal models. Ph.D. thesis, University of Brighton (2018)

  4. 4.

    Argyropoulos, N., Alcañiz, L.M., Mouratidis, H., Fish, A., Rosado, D.G., de Guzmán, I.G.R., Fernández-Medina, E.: Eliciting security requirements for business processes of legacy systems. In: IFIP Working Conference on The Practice of Enterprise Modeling, pp. 91–107. Springer, Berlin (2015)

  5. 5.

    Argyropoulos, N., Angelopoulos, K., Mouratidis, H., Fish, A.: Decision-making in security requirements engineering with constrained goal models. In: 2017 1st International Workshop on SECurity and Privacy Requirements Engineering (SECPRE 2017). IEEE, Washington (2017)

  6. 6.

    Argyropoulos, N., Kalloniatis, C., Mouratidis, H., Fish, A.: Incorporating privacy patterns into semi-automatic business process derivation. In: 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–12. IEEE, Washington (2016)

  7. 7.

    Argyropoulos, N., Mouratidis, H., Fish, A.: Towards the derivation of secure business process designs. In: International Conference on Conceptual Modeling, pp. 248–258. Springer, Berlin (2015)

  8. 8.

    Argyropoulos, N., Mouratidis, H., Fish, A.: Attribute-based security verification of business process models. In: 2017 IEEE 19th Conference on Business Informatics (CBI), vol. 1, pp. 43–52. IEEE, Washington (2017)

  9. 9.

    Argyropoulos, N., Mouratidis, H., Fish, A.: Supporting secure business process design via security process patterns. In: Enterprise, Business-Process and Information Systems Modeling—18th International Conference, BPMDS 2017, 22nd International Conference, EMMSAD 2017, Held at CAiSE 2017, Essen, Germany, June 12–13, 2017, Proceedings, pp. 19–33 (2017)

  10. 10.

    Bottoni, P., Fish, A., Parisi-Presicce, F.: Spider graphs: a graph transformation system for spider diagrams. Softw. Syst. Modell. 14(4), 1421–1453 (2015)

    Article  Google Scholar 

  11. 11.

    Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: an agent-oriented software development methodology. Auton. Agents Multi-Agent Syst. 8(3), 203–236 (2004)

    Article  Google Scholar 

  12. 12.

    Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: The 8th International Conference on Availability, Reliability and Security (ARES), pp. 546–555. IEEE, Washington (2013)

  13. 13.

    Decreus, K., Poels, G.: A goal-oriented requirements engineering method for business processes. In: Forum at the Conference on Advanced Information Systems Engineering (CAiSE), pp. 29–43. Springer, Berlin (2010)

  14. 14.

    Decreus, K., Poels, G., Kharbili, M.E., Pulvermueller, E.: Policy-enabled goal-oriented requirements engineering for semantic business process management. Int. J. Intell. Syst. 25(8), 784–812 (2010)

    Article  Google Scholar 

  15. 15.

    Dubois, E., Mouratidis, H.: Guest editorial: security requirements engineering: past, present and future. Requir Eng 15(1), 1–5 (2010)

    Article  Google Scholar 

  16. 16.

    Fernandez, E.B., Pan, R.: A pattern language for security models. In: In Proceedings of PLoP, vol. 1 (2001)

  17. 17.

    Greek-Parliament Act 3892: Electronic registration and fulfilment of medical prescriptions and clinical test referrals (2010). [In Greek]

  18. 18.

    Guerra, E., de Lara, J., Kolovos, D., Paige, R.: A visual specification language for model-to-model transformations. In: IEEE Symposium on Visual Languages and Human-Centric Computing (2010)

  19. 19.

    ISO: ISO/IEC 27000 Information technology—Security techniques—Information security management systems—Overview and vocabulary. Technical report (2014)

  20. 20.

    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Using privacy process patterns for incorporating privacy requirements into the system design process. In: 2nd International Conference on Availability, Reliability and Security (ARES’07), pp. 1009–1017. IEEE, Washington (2007)

  21. 21.

    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the pris method. Requir. Eng. 13(3), 241–255 (2008)

    Article  Google Scholar 

  22. 22.

    Kienzle, D.M., Elder, M.C.: Security patterns for web application development. University of Virginia technical report (2002)

  23. 23.

    Lavérdiere, M., Mourad, A., Hanna, A., Debbabi, M.: Security design patterns: survey and evaluation. In: 2006 Canadian Conference on Electrical and Computer Engineering, pp. 1605–1608. IEEE, Washington (2006)

  24. 24.

    Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: 8th International Conference on Availability, Reliability and Security (ARES’13), pp. 262–267. IEEE, Washington (2013)

  25. 25.

    Li, T., Paja, E., Mylopoulos, J., Horkoff, J., Beckers, K.: Security attack analysis using attack patterns. In: 2016 IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–13. IEEE, Washington (2016)

  26. 26.

    Mouratidis, H., Argyropoulos, N., Shei, S.: Security requirements engineering for cloud computing: the Secure Tropos approach. In: Karagiannis, D., Mayr, H.C., Mylopoulos, J. (eds.) Domain-Specific Conceptual Modeling, Concepts, Methods and Tools, pp. 357–380. Springer, Berlin (2016)

    Google Scholar 

  27. 27.

    Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)

    Article  Google Scholar 

  28. 28.

    Mouratidis, H., Weiss, M., Giorgini, P.: Modeling secure systems using an agent-oriented approach and security patterns. Int. J. Softw. Eng. Knowl. Eng. 16(03), 471–498 (2006)

    Article  Google Scholar 

  29. 29.

    Neubauer, T., Klemen, M., Biffl, S.: Secure business process management: a roadmap. In: 1st International Conference on Availability, Reliability and Security (ARES’06), pp. 457–464. IEEE, Washington (2006)

  30. 30.

    Nhlabatsi, A., Bandara, A., Hayashi, S., Haley, C., Jurjens, J., Kaiya, H., Kubo, A., Laney, R., Mouratidis, H., Nuseibeh, B., Tun, T., Washizaki, H., Yoshioka, N., Yu, Y.: Security patterns: Comparing modeling approaches. In: Software Engineering for Secure Systems: Industrial and Research Perspectives, pp. 75–11. IGI Global (2011). https://doi.org/10.4018/978-1-61520-837-1

  31. 31.

    Object Management Group: Business Process Model Notation (BPMN) Version 2.0. Technical report (2011)

  32. 32.

    Rekik, M., Boukadi, K., Ben-Abdallah, H.: BPMN meta-model extension with deployment and security information. In: 13th International Arab Conference on Information Technology ACIT (2012)

  33. 33.

    Rodriguez, A., Fernández-Medina, E., Piattini, M.: M-bpsec: a method for security requirement elicitation from a UML 2.0 business process specification. In: Advances in Conceptual Modeling—Foundations and Applications, ER 2007 Workshops CMLSA, FP-UML, ONISW, QoIS, RIGiM, SeCoGIS, pp. 106–115. Springer, Auckland, New Zealand (2007)

  34. 34.

    Rosado, D.G., Gutiérrez, C., Fernández-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. Internet Res. 16(5), 519–536 (2006)

    Article  Google Scholar 

  35. 35.

    Salnitri, M., Dalpiaz, F., Giorgini, P.: Designing secure business processes with SecBPMN. Softw. Syst. Model. 16(3), 737–757 (2016)

    Article  Google Scholar 

  36. 36.

    Séguran, M., Hébert, C., Frankova, G.: Secure workflow development from early requirements analysis. In: IEEE Sixth European Conference on Web Services ECOWS’08, pp. 125–134. IEEE, Washington (2008)

  37. 37.

    Sindre, G.: Mal-activity diagrams for capturing attacks on business processes. In: International Working Conference on Requirements Engineering: Foundation for Software Quality, pp. 355–366. Springer, Berlin (2007)

  38. 38.

    van Solingen (Revision), R., Basili (Original article 1994 ed.), V., Caldiera (Original article 1994 ed.), G., Rombach (Original article 1994 ed.), H.D.: Goal Question Metric (GQM) Approach. American Cancer Society (2002)

  39. 39.

    Souza, A.R., Silva, B.L., Lins, F.A., Damasceno, J.C., Rosa, N.S., Maciel, P.R., Medeiros, R.W., Stephenson, B., Motahari-Nezhad, H.R., Li, J., et al.: Incorporating security requirements into service composition: from modelling to execution. In: Service-Oriented Computing, pp. 373–388. Springer, Berlin (2009)

  40. 40.

    Stonebumer, G., Goguen, A., Fringa, A.: Risk management guide for information technology systems. Recommendations of the National Institute of Standards and Technology (2002)

  41. 41.

    Toval, A., Nicolás, J., Moros, B., Garcia, F.: Requirements reuse for improving information systems security: a practitioner’s approach. Requir. Eng. 6, 205–219 (2001)

    Article  Google Scholar 

  42. 42.

    Weske, M.: Business Process Management: Concepts, Languages, Architectures. Springer, Berlin (2010)

    Google Scholar 

  43. 43.

    Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211–223 (2009)

    Article  Google Scholar 

  44. 44.

    Yoshioka, N., Washizaki, H., Maruyama, K.: A survey on security patterns. Progr. Inform. 5(5), 35–47 (2008)

    Article  Google Scholar 

  45. 45.

    Zivkovic, S., Kühn, H., Karagiannis, D.: Facilitate modelling using method integration: an approach using mappings and integration rules. In: European Conference on Information Systems (ECIS) (2007)

Download references

Author information



Corresponding author

Correspondence to Nikolaos Argyropoulos.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Communicated by Dr Selmin Nurcan and Rainer Schmidt.

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Argyropoulos, N., Mouratidis, H. & Fish, A. Enhancing secure business process design with security process patterns. Softw Syst Model 19, 555–577 (2020). https://doi.org/10.1007/s10270-019-00743-y

Download citation


  • Security requirements engineering
  • Business process modelling
  • Security process patterns
  • Business process security