An Analysis and Evaluation of Security Aspects in the Business Process Model and Notation

Enhancing existing business process modeling languages with security concepts has attracted increased attention in research, and several graphical notations and symbols have been proposed. How well users comprehend these extensions has not yet been evaluated. However, the comprehensibility of security concepts integrated within business process models is of utmost importance for many purposes, such as communication, training, and later automation within a process-aware information system. If users do not understand the security concepts, this might lead to restricted acceptance or even misinterpretation, and consequently to security problems. In this paper, we evaluate existing security extensions of Business Process Model and Notation (BPMN), as BPMN constitutes the de facto standard among business modeling languages today. The evaluation is conducted along two lines, i.e., a literature study and a survey. The findings of both evaluations identify shortcomings and open questions of existing approaches. This provides the basis for conveying security-related information within business process models in a comprehensible way and, consequently, for unleashing the full effects of security modeling in business processes.
