Abstract
This paper introduces a security design method for information exchange in organisations. The method supports security authorities in designing individual security models. An individual security model is a fully customised specification of access control information for information exchange within a particular business environment. We introduce transaction-based business process models (BPMs) and use these models to specify need-to-know authorisations. To this end, we identify information in BPMs that can be transformed into access control information and derive from it a specification of an organisation’s individual security model. Our method makes security design transparent because a security model is directly related to the business. Moreover, security effort and costs will be reduced because BPMs need not be specified for security reasons: they are a result of management activities and are therefore existing resources from a security point of view.
© 1996 IFIP International Federation for Information Processing
About this chapter
Cite this chapter
Holbein, R., Teufel, S., Bauknecht, K. (1996). The Use of Business Process Models for Security Design in Organisations. In: Katsikas, S.K., Gritzalis, D. (eds) Information Systems Security. SEC 1996. IFIP Advances in Information and Communication Technology. Springer, Boston, MA. https://doi.org/10.1007/978-1-5041-2919-0_2
DOI: https://doi.org/10.1007/978-1-5041-2919-0_2
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-5041-2921-3
Online ISBN: 978-1-5041-2919-0
eBook Packages: Springer Book Archive