An algorithm for the appraisal of assurance indicators for complex business processes

In order to provide certified security services we must provide indicators that measure the level of assurance that a complex business process can offer. Unfortunately, the usual formulation of security indicators is not amenable to efficient algorithms that evaluate the level of assurance of a complex process from the assurance of its components. In this paper we show an algorithm based on FD-Graphs (a variant of directed hypergraphs) that can be used to compute in polynomial time (i) the overall assurance indicator of a complex business process from its components, for arbitrary monotone composition functions, and (ii) the subpart of the business process that is responsible for that assurance indicator (i.e. the best security alternative).
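The following is an added illustration of the evaluation problem the abstract describes; it is not the paper's FD-Graph algorithm and none of its names, node labels or assurance levels come from the paper. It models a business process as a directed hypergraph in which each hyperedge composes a set of components (an AND) into a composite activity under a monotone composition function, several hyperedges into the same activity being alternatives (an OR). The traversal assumed here is Knuth's generalisation of Dijkstra's algorithm to hypergraphs, mirrored for maximisation: it finalises nodes in decreasing order of assurance and is exact only when every composition function is monotone and never exceeds its weakest input (a composite is at most as assured as its least-assured component), a precondition the code checks at run time. The sample process, its leaf assurance levels (an ordinal scale, higher is better) and the penalty function are constructed for this example.

```python
"""Best-alternative assurance evaluation on a directed (AND/OR) hypergraph.

Added illustration (not the paper's FD-Graph algorithm). Assumption: every
composition function is monotone and returns at most min(inputs).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Set, Tuple
import heapq

Composer = Callable[[Sequence[int]], int]


@dataclass(frozen=True)
class HyperEdge:
    name: str                 # label of this composition alternative
    tail: Tuple[str, ...]     # components that must ALL be provided
    head: str                 # composite activity they realise
    compose: Composer         # monotone aggregation of tail assurance levels


def weakest(levels: Sequence[int]) -> int:
    """Weakest-link composition: the composite is as assured as its worst part."""
    return min(levels)


def weakest_with_penalty(penalty: int) -> Composer:
    """Weakest link minus an integration penalty (still monotone, still <= min)."""
    return lambda levels: min(levels) - penalty


def evaluate(leaves: Dict[str, int], edges: List[HyperEdge]):
    """Return (best level per node, hyperedge chosen for each composite node).

    Each node is finalised once and each hyperedge composed once, after all
    of its tail nodes are final, so the run time is polynomial in the graph.
    """
    value: Dict[str, int] = dict(leaves)          # tentative best level per node
    chosen: Dict[str, HyperEdge] = {}             # hyperedge realising value[node]
    final: Set[str] = set()
    pending = {e.name: len(set(e.tail)) for e in edges}   # tail nodes not yet final
    by_tail: Dict[str, List[HyperEdge]] = defaultdict(list)
    for e in edges:
        for t in set(e.tail):
            by_tail[t].append(e)
    heap = [(-lvl, node) for node, lvl in leaves.items()]  # max-heap via negation
    heapq.heapify(heap)
    while heap:
        neg, node = heapq.heappop(heap)
        if node in final or -neg != value[node]:
            continue                              # stale heap entry
        final.add(node)                           # highest tentative level is exact
        for e in by_tail[node]:
            pending[e.name] -= 1
            if pending[e.name]:
                continue                          # wait for the remaining tail nodes
            inputs = [value[t] for t in e.tail]
            level = e.compose(inputs)
            if level > min(inputs):               # precondition of the greedy order
                raise ValueError(f"{e.name}: composition exceeds its weakest input")
            if e.head not in final and (e.head not in value or level > value[e.head]):
                value[e.head] = level
                chosen[e.head] = e
                heapq.heappush(heap, (-level, e.head))
    return value, chosen


def best_alternative(chosen: Dict[str, HyperEdge], target: str) -> Tuple[Set[str], Set[str]]:
    """Subprocess responsible for target's level: (hyperedge names, node names)."""
    edge_names: Set[str] = set()
    nodes: Set[str] = set()
    stack = [target]
    while stack:
        n = stack.pop()
        if n in nodes:
            continue
        nodes.add(n)
        e = chosen.get(n)
        if e is not None:                         # leaves have no chosen hyperedge
            edge_names.add(e.name)
            stack.extend(e.tail)
    return edge_names, nodes


# Constructed sample: an on-line checkout with two authentication options and
# two payment options (in-house or via an external provider that must also log).
LEAVES = {"auth_pw": 2, "auth_otp": 4, "pay_internal": 5, "pay_external": 3, "log": 5}
EDGES = [
    HyperEdge("authn_pw", ("auth_pw",), "authn", weakest),
    HyperEdge("authn_otp", ("auth_otp",), "authn", weakest),
    HyperEdge("pay_inhouse", ("authn", "pay_internal"), "payment", weakest),
    HyperEdge("pay_via_provider", ("authn", "pay_external", "log"), "payment", weakest),
    HyperEdge("checkout_flow", ("payment", "log"), "checkout", weakest_with_penalty(1)),
]


def checkout_assurance():
    """Overall level of the checkout process and the alternative that achieves it."""
    value, chosen = evaluate(LEAVES, EDGES)
    return value["checkout"], best_alternative(chosen, "checkout")


if __name__ == "__main__":
    level, (edge_names, nodes) = checkout_assurance()
    print(level, sorted(edge_names), sorted(nodes))
```

In the sample the OTP alternative wins authentication (level 4), in-house payment beats the provider route (4 against 3), and the integration penalty brings the whole checkout to level 3; `best_alternative` returns exactly the hyperedges and components that determine that figure, which is the subpart a reviewer would inspect first if the indicator is to be raised. A composition function that can exceed its weakest input (e.g. `max`) breaks the greedy finalisation order, so `evaluate` rejects it rather than silently returning a wrong level.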
