Towards an integration of Security Requirements into Business Process Modeling

Alfonso Rodríguez, Eduardo Fernández-Medina, Mario Piattini

2005

Abstract

Business Processes are considered as an essential resource for companies to optimize and assure their quality by obtaining advantages with respect to their competitors. Consequently, Business Process Modeling becomes relevant since it allows us to represent the essence of the business. A notation to model businesses must be able to capture the majority of the requirements of the business. We have had the opportunity to check that security requirements have been scarcely considered in nowadays’ most used notations to model business processes. In this work, we will present the security aspects that can be modelled from the business experts’ dominion and that have been scarcely studied in the business process modeling, a review of the main notations used for modeling and a proposal to represent security requirements considering the knowledge of the experts in the business.

References

  1. 1 Anttila, J., Kajava, J. and Varonen, R.; Balanced Integration of Information Security into Business Management, Proceedings of the 30th EUROMICRO Conference. (2004). p:558- 564.
  2. 2 Atluri, V.; Security for Workflow Systems, Information Security Technical Report Vol. 6 (2) (2001). p:59-68.
  3. 3 Backes, M., Pfitzmann, B. and Waider, M.; Security in Business Process Engineering, International Conference on Business Process Management (BPM 2003) Vol. 2678 of LNCS. (2003). p:168-183.
  4. 4 Bertino, E., Ferrari, E. and Atluri, V.; A Flexible model Supporting the Specification and Enforcement of Role-Based Authorizations in Workflow Management Systems, Proceedings of Second ACM Workshop on Role-Based Access Control, Fairfax (Virginia). (1997). p:1- 12.
  5. 5 Bider, I.; Choosing Approach to Business Process Modeling - Practical Perspective. In http://www.ibissoft.se/english/howto.pdf. (2003).
  6. 6 Botha, R. A. and Eloff, J. H. P.; A framework for access control in workflow systems, Information Management & Computer Security Vol. 9/3. (2001). p:126-133.
  7. 7 BPMN; Business Process Modeling Notation (BPMN), Version 1.0 -May 3, C., BPMI.org. All Rights Reserved. In http://www.bpmi.org/. (2004).
  8. 8 Castela, N., Tribolet, J., Silva, A. and Guerra, A.; Business Process Modeling with UML, Proceedings of the 3st. International Conference on Enterprise Information Systems, ICEIS 2001. Vol. 2. Setubal, Portugal. (2001). p:679-685.
  9. 9 Chaari, S., Ben Amar, C., Biennier, F. and Favrel, J.; An Authorization and Access Control Model for Workflow, 1th International Workshop on COmputer Supported Activity Coordination CSAC 2004. Porto, Portugal. (2004). p:31-40.
  10. 10 Firesmith, D.; Engineering Security Requirements, Journal of Object Technology Vol. 2 Nº 1 January-February 2003. (2003). p:53-68.
  11. 11 Firesmith, D.; Specifying Reusable Security Requirements, Journal of Object Technology Vol. 3, Nº 1,January-February 2004. (2004). p:61-75.
  12. 12 Ghalimi, I.; BPMN vs. UML. In http://www.intalio.com/education/notes/note.xpg?id=BPMN_vs_UML. (2002).
  13. 13 Giaglis, G. M.; A Taxonomy of Business Process Modelling and Information Systems Modelling Techniques, International Journal of Flexible Manufacturing Systems Vol. 13 (2). (2001). p:209-228.
  14. 14 Herrmann, G. and Pernul, G.; Viewing Business Process Security from Different Perspectives, Proceedings of 11th International Bled Electronic Commerce Conference "Electronic Commerce in the Information Society". Slovenia. (1998). p:89-103.
  15. 15 Hung, P. and Karlapalem, K.; A Secure Workflow Model, Australasian Information Security Workshop (AISW2003). Vol. 21. Adelaide, Australia. (2003). p:33-41.
  16. 16 Jürjens, J., Secure Systems Development with UML, Springer Verlag, (2004). 309 p.
  17. 17 Lodderstedt, T., Basin, D. and Doser, J.; SecureUML: A UML-Based Modeling Language for Model-Driven Security, UML 2002 - The Unified Modeling Language, 5th International Conference. Vol. 2460. Dresden, Germany. (2002). p:426-441.
  18. 18 Maña, A., Montenegro, J. A., Rudolph, C. and Vivas, J. L.; A business process-driven approach to security engineering, 14th. International Workshop on Database and Expert Systems Applications (DEXA). Prague, Czech Republic. (2003). p:477-481.
  19. 19 Mega; Business process Modeling and Standardization. In http://www.bpmg.org/downloads/Articles/Article-MEGABusinessProcessModeling&StandardizationEN.pdf. (2004).
  20. 20 Nuseibeh, B. and Easterbrook, S. M.; Requirements Engineering: A Roadmap, ICSE 2000, 22nd International Conference on on Software Engineering, Future of Software Engineering Track. Limerick Ireland. ACM. (2000). p:35-46.
  21. 21 OMG; Object Management Group. In http://www.omg.org/. (2004).
  22. 22 Owen, M. and Raj, J.; BPMN and Business Process Management; Introduction to the New Business Process Modeling Standard, A Popkin Software, W. P. In http://www.bpmn.org/Documents/6AD5D16960.BPMN_and_BPM.pdf. (2003).
  23. 23 Palkovits, S., Rössler, T. and Wimmer, M.; Process Modelling - Burden or Relief? Living Process Modelling within a Public Organisation, ICEIS 2004, Proceedings of the 6th International Conference on Enterprise Information Systems. Porto, Portugal. (2004). p:94- 102.
  24. 24 Reijers, H. A.; Business Process Management Attempted Concepticide?, IRMA International Conference (2004). p:128-131.
  25. 25 Röhm, A. W., Herrmann, G. and Pernul, G.; A Language for Modelling Secure Business Transactions, Proceedings 15th. Annual Computer Security Applications Conference. Computer Society Press., Phoenix, Arizona. (1999). p:22-31.
  26. 26 Sandhu, R. and Samarati, P.; Authentication, Access Control, and Audit, ACM Computing Surveys Vol. 28 Nº1 March 1996. (1996). p:241-243.
  27. 27 Sparks, G.; An Introduction to UML, The Business Process Model. In http://www.sparxsystems.com.au/WhitePapers/The_Business_Process_Model.pdf. (2000).
  28. 28 Tryfonas, T. and Kiountouzis, E. A.; Perceptions of Security Contributing to the Implementation of Secure IS, Security and Privacy in the Age of Uncertainty, IFIP TC11 18th International Conference on Information Security (SEC2003) Vol. 250. Athens, Greece. (2003). p:313-324.
  29. 29 W.M.P. van der Aalst, Hofstede, A. H. M. t. and Weske, M.; Business Process Management: A Survey, International Conference on Business Process Management (BPM 2003) Volume 2678 (LNCS). Eindhoven, The Netherlands. (2003). p:1-12.
  30. 30 WfMC, Workflow Management Coalition: Terminology & Glossary., Document Number WFMC-TC-1011, Document Number WFMC-TC-1011, (1999). 65 p.
  31. 31 White, S. A.; Introduction to BPMN. In http://www.ebpml.org/bpmn.htm. (2004).
Download


Paper Citation


in Harvard Style

Rodríguez A., Fernández-Medina E. and Piattini M. (2005). Towards an integration of Security Requirements into Business Process Modeling . In Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005) ISBN 972-8865-25-2, pages 287-297. DOI: 10.5220/0002579402870297


in Bibtex Style

@conference{wosis05,
author={Alfonso Rodríguez and Eduardo Fernández-Medina and Mario Piattini},
title={Towards an integration of Security Requirements into Business Process Modeling},
booktitle={Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)},
year={2005},
pages={287-297},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002579402870297},
isbn={972-8865-25-2},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2005)
TI - Towards an integration of Security Requirements into Business Process Modeling
SN - 972-8865-25-2
AU - Rodríguez A.
AU - Fernández-Medina E.
AU - Piattini M.
PY - 2005
SP - 287
EP - 297
DO - 10.5220/0002579402870297