An Experimental Study on the Design and Modeling of Security Concepts in Business Processes

  • Maria Leitner
  • Sigrid Schefer-Wenzl
  • Stefanie Rinderle-Ma
  • Mark Strembeck
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 165)


In recent years, business process models are used to define security properties for the corresponding business information systems. In this context, a number of approaches emerged that integrate security properties into standard process modeling languages. Often, these security properties are depicted as text annotations or graphical extensions. However, because the symbols of process-related security properties are not standardized, different issues concerning the comprehensibility and maintenance of the respective models arise. In this paper, we present the initial results of an experimental study on the design and modeling of 11 security concepts in a business process context. In particular, we center on the semantic transparency of the visual symbols that are intended to represent the different concepts (i.e. the one-to-one correspondence between the symbol and its meaning). Our evaluation showed that various symbols exist which are well-perceived. However, further studies are necessary to dissolve a number of remaining issues.


BPMN Business Processes Empirical Evaluation Icons Modeling Security Visualization 


  1. 1.
    Zairi, M.: Business Process Management: A Boundaryless Approach to Modern Competitiveness. Business Process Management Journal 3(1), 64–80 (1997)CrossRefGoogle Scholar
  2. 2.
    zur Muehlen, M., Indulska, M.: Modeling Languages for Business Processes and Business Rules: A Representational Analysis. Information Systems 35(4) (2010)Google Scholar
  3. 3.
    Weske, M.: Business Process Management: Concepts, Languages, Architectures. Springer (2007)Google Scholar
  4. 4.
    OMG: Business process model and notation (BPMN) version 2.0. OMG Document formal/2011-01-03, Object Management Group (January 2011)Google Scholar
  5. 5.
    OMG: Unified Modeling Language (OMG UML): Superstructure version 2.4.1. OMG Document formal/2011-08-06, Object Management Group (August 2011)Google Scholar
  6. 6.
    Mendling, J.: Metrics for Process Models: Empirical Foundations of Verification, Error Prediction and Guidelines for Correctness. LNBIP, vol. 6. Springer, Heidelberg (2008)Google Scholar
  7. 7.
    Scheer, A.W.: ARIS - Business Process Modeling, 3rd edn. Springer (2000)Google Scholar
  8. 8.
    Johnson, M.E., Goetz, E.: Embedding Information Security into the Organization. IEEE Security & Privacy 5(3) (2007)Google Scholar
  9. 9.
    Strembeck, M.: Scenario-Driven Role Engineering. IEEE Security & Privacy 8(1) (2010)Google Scholar
  10. 10.
    Leitner, M.: Security policies in adaptive process-aware information systems: Existing approaches and challenges. In: 2011 Sixth International Conference on Availability, Reliability and Security (ARES), pp. 686–691. IEEE (August 2011)Google Scholar
  11. 11.
    Leitner, M., Mangler, J., Rinderle-Ma, S.: SPRINT-Responsibilities: design and development of security policies in process-aware information systems. Journal of Wireless Mobile Networks, Ubiquitous Computing, and Dependable Applications (JoWUA) 2(4), 4–26 (2011)Google Scholar
  12. 12.
    Wolter, C., Menzel, M., Meinel, C.: Modelling security goals in business processes. In: Modellierung, Berlin, Germany. LNI, vol. 127, pp. 197–212. GI (2008)Google Scholar
  13. 13.
    Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation (2013) (in press)Google Scholar
  14. 14.
    Russell, N., van der Aalst, W.M.P., ter Hofstede, A.H.M., Edmond, D.: Workflow Resource Patterns: Identification, Representation and Tool Support. In: Pastor, Ó., Falcão e Cunha, J. (eds.) CAiSE 2005. LNCS, vol. 3520, pp. 216–232. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  15. 15.
    Mendling, J., Recker, J., Reijers, H.A.: On the usage of labels and icons in business process modeling. International Journal of Information System Modeling and Design 1(2), 40–58 (2010)CrossRefGoogle Scholar
  16. 16.
    Genon, N., Caire, P., Toussaint, H., Heymans, P., Moody, D.: Towards a more semantically transparent i* visual syntax. In: Regnell, B., Damian, D. (eds.) REFSQ 2011. LNCS, vol. 7195, pp. 140–146. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  17. 17.
    Moody, D.: The physics of notations: Toward a scientific basis for constructing visual notations in software engineering. IEEE Transactions on Software Engineering 35(6), 756–779 (2009)CrossRefGoogle Scholar
  18. 18.
    Moody, D.L.: Theoretical and practical issues in evaluating the quality of conceptual models: current state and future directions. Data & Knowledge Engineering 55(3), 243–276 (2005)CrossRefGoogle Scholar
  19. 19.
    Blackwell, A.F., et al.: Cognitive dimensions of notations: Design tools for cognitive technology. In: Beynon, M., Nehaniv, C.L., Dautenhahn, K. (eds.) CT 2001. LNCS (LNAI), vol. 2117, pp. 325–341. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  20. 20.
    Green, T., Blandford, A., Church, L., Roast, C., Clarke, S.: Cognitive dimensions: Achievements, new directions, and open questions. Journal of Visual Languages & Computing 17(4), 328–365 (2006)CrossRefGoogle Scholar
  21. 21.
    Krogstie, J., Sindre, G., Jørgensen, H.: Process models representing knowledge for action: a revised quality framework. European Journal of Information Systems 15(1), 91–102 (2006)CrossRefGoogle Scholar
  22. 22.
    Genon, N., Heymans, P., Amyot, D.: Analysing the cognitive effectiveness of the BPMN 2.0 visual notation. In: Malloy, B., Staab, S., van den Brand, M. (eds.) SLE 2010. LNCS, vol. 6563, pp. 377–396. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  23. 23.
    Figl, K., Mendling, J., Strembeck, M., Recker, J.: On the cognitive effectiveness of routing symbols in process modeling languages. In: Abramowicz, W., Tolksdorf, R. (eds.) BIS 2010. LNBIP, vol. 47, pp. 230–241. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  24. 24.
    Lodderstedt, T., Basin, D., Doser, J.: SecureUML: A UML-based modeling language for model-driven security. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 426–441. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  25. 25.
    Hoisl, B., Strembeck, M.: Modeling support for confidentiality and integrity of object flows in activity models. In: Abramowicz, W. (ed.) BIS 2011. LNBIP, vol. 87, pp. 278–289. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  26. 26.
    Sindre, G.: Mal-Activity Diagrams for Capturing Attacks on Business Processes. In: Sawyer, P., Heymans, P. (eds.) REFSQ 2007. LNCS, vol. 4542, pp. 355–366. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  27. 27.
    Shirey, R.: Internet Security Glossary. Request for Comments, vol. 2828. IETF (May 2000)Google Scholar
  28. 28.
    Information technology Industry Council: Information technology - role based access control. Technical Report ANSI INCITS 359-2004, American National Standards Institute, Inc (2004)Google Scholar
  29. 29.
    Petre, M.: Why looking isn’t always seeing: Readership skills and graphical programming. Communications of the ACM 38(6) (1995)Google Scholar
  30. 30.
    Boren, T., Ramey, J.: Thinking aloud: reconciling theory and practice. IEEE Transactions on Professional Communication 43(3), 261–278 (2000)CrossRefGoogle Scholar
  31. 31.
    Strembeck, M., Mendling, J.: Modeling Process-related RBAC Models with Extended UML Activity Models. Information and Software Technology 53(5) (2011)Google Scholar
  32. 32.
    Schefer-Wenzl, S., Strembeck, M.: A UML Extension for Modeling Break-Glass Policies. In: Rinderle-Ma, S., Weske, M. (eds.) EMISA 2012. LNI, vol. 206, pp. 25–38. GI (2012)Google Scholar
  33. 33.
    Schefer, S., Strembeck, M.: Modeling Support for Delegating Roles, Tasks, and Duties in a Process-Related RBAC Context. In: Salinesi, C., Pastor, O. (eds.) CAiSE Workshops 2011. LNBIP, vol. 83, pp. 660–667. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Maria Leitner
    • 1
  • Sigrid Schefer-Wenzl
    • 2
    • 3
  • Stefanie Rinderle-Ma
    • 1
  • Mark Strembeck
    • 3
  1. 1.Austria Faculty of Computer ScienceUniversity of ViennaAustria
  2. 2.Austria Competence Center for IT-SecurityUniversity of Applied Sciences Campus ViennaAustria
  3. 3.Austria Institute for Information Systems, New Media LabVienna University of Economics and Business (WU Vienna)Austria

Personalised recommendations