Abstract
Security is an important non-functional characteristic of the business processes used by organisations for the coordination of their activities. Nevertheless, the implementation of security at the operational level can be challenging due to the limited security expertise of process designers and the delayed consideration of security during process development. To overcome such issues, expert knowledge and proven security solutions can be captured in the form of process patterns, which can easily be reused and integrated into business processes with minimal security-related knowledge required. In this work we introduce process-level security patterns, each of which contains the main activities required for the operationalisation of different security requirements. The introduced patterns are then used as a component of an existing framework for the creation of secure business process designs, the application of which is illustrated through a working example. A preliminary evaluation of the proposed patterns is conducted via a workshop session.
Notes
1. The questionnaire and a summary of the responses can be accessed at: http://www.sense-brighton.eu/process-patterns-questionnaire/.
Acknowledgement
This research received funding from the Visual Privacy Management in User Centric Open Environments (VisiOn) project, supported by the EU Horizon 2020 programme, Grant agreement No 653642.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Argyropoulos, N., Mouratidis, H., Fish, A. (2017). Supporting Secure Business Process Design via Security Process Patterns. In: Reinhartz-Berger, I., Gulden, J., Nurcan, S., Guédria, W., Bera, P. (eds) Enterprise, Business-Process and Information Systems Modeling. BPMDS EMMSAD 2017 2017. Lecture Notes in Business Information Processing, vol 287. Springer, Cham. https://doi.org/10.1007/978-3-319-59466-8_2
DOI: https://doi.org/10.1007/978-3-319-59466-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59465-1
Online ISBN: 978-3-319-59466-8