A taxonomy for assessing security in business process modelling

The idea of business processes as a key concept underpinning organisational activities is increasingly recognised. Business processes must be able to accommodate security engineering from the early stages of process development rather than only at the later stages (i.e., design and implementation). This raises the question of whether business processes are performed securely. In this paper, we take a deeper look into the various taxonomies in which business process models and security have been classified. We find that existing taxonomies do not support security across all the business modelling perspectives. The main contribution of this paper is a comprehensive three-dimensional taxonomy of business process security, which identifies how business processes and security can be brought together. This taxonomy is subsequently used to classify a set of security risk-oriented patterns and to identify their potential occurrences, so that these security patterns can be deployed in business processes. The application of the taxonomy is illustrated using a running example.
