Evaluating A Uml-Based Modeling Framework For Process-Related Security Properties: A Qualitative Multi-Method Study

In recent years, we developed a modeling framework for process-related security properties, the BusinessActivities Framework. This paper reports on a long-term empirical study to evaluate the applicability of four UML extensions included in the BusinessActivities Framework. We used an exploratory research design employing four interpretative case studies followed by three semistructured interviews based on 30 real-world business processes from a large Austrian school center. The case work resulted in 23 process models. By assessing the model complexity quantitatively and by interpreting the case as well as the interview material, we found that modelers are predominantly affected by the upfront effort of establishing a conceptual background on process-related security concepts and by the semantic complexity of control-flow modeling in UML activity diagrams. Nontechnical domain experts considered the visual process models as suitable communication instruments. The findings demonstrate the potential value of applying our modeling framework in a practitioner’s setting.

[1]  Michael D. Myers,et al.  A Set of Principles for Conducting and Evaluating Interpretive Field Studies in Information Systems , 1999, MIS Q..

[2]  Sigrid Schefer Consistency Checks for Duties in Extended UML2 Activity Models , 2011, 2011 Sixth International Conference on Availability, Reliability and Security.

[3]  Muhammad Ali Babar,et al.  Applying empirical software engineering to software architecture: challenges and lessons learned , 2010, Empirical Software Engineering.

[4]  John Mylopoulos,et al.  Requirement Engineering Meets Security: A Case Study on Modelling Secure Electronic Transactions by VISA and Mastercard , 2003, ER.

[5]  J. Knottnerus,et al.  Real world research. , 2010, Journal of clinical epidemiology.

[6]  L. Compeau,et al.  Book Review: Handbook of Mixed Methods in Social & Behavioral Research , 2003 .

[7]  Jan Jürjens Sound methods and effective tools for model-based security engineering with UML , 2005, ICSE '05.

[8]  Martin Bichler,et al.  Design science in information systems research , 2006, Wirtschaftsinf..

[9]  Mark Strembeck,et al.  Modeling Support for Delegating Roles, Tasks, and Duties in a Process-Related RBAC Context , 2011, CAiSE Workshops.

[10]  Ninghui Li,et al.  Proceedings of the 13th ACM symposium on Access control models and technologies , 2008, SACMAT 2008.

[11]  Jan Jürjens,et al.  Modelling and Verification of Layered Security Protocols: A Bank Application , 2003, SAFECOMP.

[12]  Samir Chatterjee,et al.  A Design Science Research Methodology for Information Systems Research , 2008 .

[13]  Jan Jürjens,et al.  Towards a Comprehensive Framework for Secure Systems Development , 2006, CAiSE.

[14]  Rafael Accorsi,et al.  On the exploitation of process mining for security audits: the conformance checking case , 2012, SAC '12.

[15]  Alexander Förster,et al.  On the Pitfalls of UML 2 Activity Modeling , 2007, International Workshop on Modeling in Software Engineering (MISE'07: ICSE Workshop 2007).

[16]  Marta Indulska,et al.  Towards integrated modeling of business processes and business rules , 2008 .

[17]  Mark Strembeck,et al.  A UML Extension for Modeling Break-Glass Policies , 2012, EMISA.

[18]  Jan Mendling,et al.  Understanding Business Process Models: The Costs and Benefits of Structuredness , 2012, CAiSE.

[19]  Per Runeson,et al.  Guidelines for conducting and reporting case study research in software engineering , 2009, Empirical Software Engineering.

[20]  J. Adamson Handbook of Mixed Methods in Social and Behavioural Research. Tashakkori A, Teddlie C (eds). Thousand Oaks: Sage, 2003, pp.768, £77.00 ISBN: 0-7619-2073-0. , 2004 .

[21]  David W. Chadwick,et al.  Obligations for Role Based Access Control , 2007, 21st International Conference on Advanced Information Networking and Applications Workshops (AINAW'07).

[22]  Alan R. Hevner,et al.  Design Science in Information Systems Research , 2004, MIS Q..

[23]  Mark Strembeck,et al.  An Approach for Consistent Delegation in Process-Aware Information Systems , 2012, BIS.

[24]  Jan Mendling,et al.  Seven process modeling guidelines (7PMG) , 2010, Inf. Softw. Technol..

[25]  Mark Strembeck,et al.  Modeling process-related RBAC models with extended UML activity models , 2011, Inf. Softw. Technol..

[26]  Yi Deng,et al.  Applying Aspect-Orientation in Designing Security Systems: A Case Study , 2004, SEKE.

[27]  Haralambos Mouratidis,et al.  Secure Tropos: a Security-Oriented Extension of the Tropos Methodology , 2007, Int. J. Softw. Eng. Knowl. Eng..

[28]  Ravi S. Sandhu,et al.  PBDM: a flexible delegation model in RBAC , 2003, SACMAT '03.

[29]  Daniel L. Moody,et al.  The “Physics” of Notations: Toward a Scientific Basis for Constructing Visual Notations in Software Engineering , 2009, IEEE Transactions on Software Engineering.

[30]  Beate List,et al.  An evaluation of conceptual business process modelling languages , 2006, SAC.

[31]  Mark Strembeck,et al.  Modeling Process-Related Duties with Extended UML Activity and Interaction Diagrams , 2011, Electron. Commun. Eur. Assoc. Softw. Sci. Technol..

[32]  Mark Strembeck,et al.  Modeling Context-Aware RBAC Models for Business Processes in Ubiquitous Computing Environments , 2012, 2012 Third FTRA International Conference on Mobile, Ubiquitous, and Intelligent Computing.

[33]  Jason Crampton,et al.  Delegation and satisfiability in workflow systems , 2008, SACMAT '08.

[34]  Jan Jürjens,et al.  From goal‐driven security requirements engineering to secure design , 2010, Int. J. Intell. Syst..

[35]  Andreas Schaad,et al.  Separation, review and supervision controls in the context of a credit application process: a case study of organisational control principles , 2004, SAC '04.

[36]  Vijayalakshmi Atluri,et al.  Role-based Access Control , 1992 .

[37]  Bente Anda,et al.  Experiences from conducting semi-structured interviews in empirical software engineering research , 2005, 11th IEEE International Software Metrics Symposium (METRICS'05).