Supporting Secure Business Process Design via Security Process Patterns

  • Nikolaos ArgyropoulosEmail author
  • Haralambos Mouratidis
  • Andrew Fish
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 287)


Security is an important non-functional characteristic of the business processes used by organisations for the coordination of their activities. Nevertheless, the implementation of security at the operational level can be challenging due to the limited security expertise of process designers and the delayed consideration of security during process development. To overcome such issues, expert knowledge and proven security solutions can be captured in the form of process patterns, which can easily be reused and integrated to business processes with minimal security-related knowledge required. In this work we introduce process-level security patterns, each of which contains the main activities required for the operationalisation of different security requirements. The introduced patterns are then used as a component of an existing framework for the creation of secure business process designs, the application of which, is illustrated through a working example. A preliminary evaluation of the proposed patterns is conducted via a workshop session.


Security requirements Business process modelling Security process patterns Business process security 



This research received funding from the Visual Privacy Management in User Centric Open Environments (VisiOn) project, supported by the EU Horizon 2020 programme, Grant agreement No 653642.


  1. 1.
    Ahmed, N., Matulevičius, R.: Securing business processes using security risk-oriented patterns. Comput. Stand. Interfaces 36(4), 723–733 (2014)CrossRefGoogle Scholar
  2. 2.
    Argyropoulos, N., Márquez Alcañiz, L., Mouratidis, H., Fish, A., Rosado, D.G., Guzmán, I.G.-R., Fernández-Medina, E.: Eliciting security requirements for business processes of legacy systems. In: Ralyté, J., España, S., Pastor, Ó. (eds.) PoEM 2015. LNBIP, vol. 235, pp. 91–107. Springer, Cham (2015). doi: 10.1007/978-3-319-25897-3_7 CrossRefGoogle Scholar
  3. 3.
    Argyropoulos, N., Kalloniatis, C., Mouratidis, H., Fish, A.: Incorporating privacy patterns into semi-automatic business process derivation. In: IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–12. IEEE (2016)Google Scholar
  4. 4.
    Argyropoulos, N., Mouratidis, H., Fish, A.: Towards the derivation of secure business process designs. In: Jeusfeld, M.A., Karlapalem, K. (eds.) ER 2015. LNCS, vol. 9382, pp. 248–258. Springer, Cham (2015). doi: 10.1007/978-3-319-25747-1_25 CrossRefGoogle Scholar
  5. 5.
    Decreus, K., Poels, G.: A goal-oriented requirements engineering method for business processes. In: Soffer, P., Proper, E. (eds.) CAiSE Forum 2010. LNBIP, vol. 72, pp. 29–43. Springer, Heidelberg (2011). doi: 10.1007/978-3-642-17722-4_3 CrossRefGoogle Scholar
  6. 6.
    Decreus, K., Poels, G., Kharbili, M.E., Pulvermueller, E.: Policy-enabled goal-oriented requirements engineering for semantic business process management. Int. J. Intell. Syst. 25(8), 784–812 (2010)CrossRefGoogle Scholar
  7. 7.
    Fernandez, E.B., Pan, R.: A pattern language for security models. In: Proceedings of PLoP. vol. 1 (2001)Google Scholar
  8. 8.
    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Using privacy process patterns for incorporating privacy requirements into the system design process. In: 2nd International Conference on Availability, Reliability and Security (ARES 2007), pp. 1009–1017. IEEE (2007)Google Scholar
  9. 9.
    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: the PriS method. Requirements Eng. 13(3), 241–255 (2008)CrossRefGoogle Scholar
  10. 10.
    Kienzle, D.M., Elder, M.C.: Security patterns for web application development. University of Virginia Technical report (2002)Google Scholar
  11. 11.
    Lavérdiere, M., Mourad, A., Hanna, A., Debbabi, M.: Security design patterns: Survey and evaluation. In: 2006 Canadian Conference on Electrical and Computer Engineering, pp. 1605–1608. IEEE (2006)Google Scholar
  12. 12.
    Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: 8th International Conference on Availability, Reliability and Security (ARES 2013), pp. 262–267. IEEE (2013)Google Scholar
  13. 13.
    Li, T., Paja, E., Mylopoulos, J., Horkoff, J., Beckers, K.: Security attack analysis using attack patterns. In: IEEE 10th International Conference on Research Challenges in Information Science (RCIS), pp. 1–13. IEEE (2016)Google Scholar
  14. 14.
    Mouratidis, H., Argyropoulos, N., Shei, S.: Security requirements engineering for cloud computing: the Secure Tropos approach. In: Karagiannis, D., Mayr, H.C., Mylopoulos, J. (eds.) Domain-Specific Conceptual Modeling, Concepts, Methods and Tools, pp. 357–380. Springer, Cham (2016)CrossRefGoogle Scholar
  15. 15.
    Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. Int. J. Softw. Eng. Knowl. Eng. 17(2), 285–309 (2007)CrossRefGoogle Scholar
  16. 16.
    Mouratidis, H., Weiss, M., Giorgini, P.: Modeling secure systems using an agent-oriented approach and security patterns. Int. J. Softw. Eng. Knowl. Eng. 16(03), 471–498 (2006)CrossRefGoogle Scholar
  17. 17.
    Neubauer, T., Klemen, M., Biffl, S.: Secure business process management: a roadmap. In: 1st International Conference on Availability, Reliability and Security (ARES 2006), p. 8. IEEE (2006)Google Scholar
  18. 18.
    Object Management Group: Business Process Model Notation (BPMN) Version 2.0. Technical report (2011)Google Scholar
  19. 19.
    Rosado, D.G., Gutiérrez, C., Fernández-Medina, E., Piattini, M.: Security patterns and requirements for internet-based applications. Internet Res. 16(5), 519–536 (2006)CrossRefGoogle Scholar
  20. 20.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Designing secure business processes with SecBPMN. Softw. Syst. Model., 1–21 (2016)Google Scholar
  21. 21.
    Weske, M.: Business Process Management: Concepts, Languages, Architectures. Springer, Heidelberg (2010)Google Scholar
  22. 22.
    Yoshioka, N., Washizaki, H., Maruyama, K.: A survey on security patterns. Prog. Inform. 5(5), 35–47 (2008)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Nikolaos Argyropoulos
    • 1
    Email author
  • Haralambos Mouratidis
    • 1
  • Andrew Fish
    • 1
  1. 1.School of Computing, Engineering and MathematicsUniversity of BrightonBrightonUK

Personalised recommendations