Modeling Human-in-the-Loop Security Analysis and Decision-Making Processes

This paper presents a novel application of computer-assisted formal methods for systematically specifying, documenting, statically and dynamically checking, and maintaining human-centered workflow processes. This approach provides end-to-end verification and validation of process workflows, which is needed for process workflows intended for use in developing and maintaining high-integrity systems. We demonstrate the technical feasibility of our approach by applying it to the development of the US government's process workflow for implementing, certifying, and accrediting cross-domain computer security solutions. Our approach involves identifying human-in-the-loop decision points in the process activities and then modeling these via statechart assertions. We developed techniques to specify and enforce workflow hierarchies, which was a challenge because complex workflow processes contain concurrent activities. Some of the key advantages of our approach are: it results in a model that is executable, supporting both upfront and runtime checking of process-workflow requirements; it aids comprehension and communication among stakeholders and process engineers; and it provides for incorporating accountability and risk management into the engineering of process workflows.
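As an added illustration (not code from the paper), a statechart assertion for one human-in-the-loop decision point, rendered as an executable monitor: two concurrent activities must both reach their final state before the accreditation decision event may fire, and the same monitor serves both the upfront check of a planned trace and runtime checking. The region and event names are assumptions chosen for the example.

```python
# Added example, not from the paper. Models a certification-and-accreditation
# workflow fragment as a statechart assertion with two orthogonal regions.
# Event and region names below are assumptions for illustration.
from dataclasses import dataclass, field

# Orthogonal regions: (start event, completion event). Both must be "done"
# before the human accreditation decision is legitimately reachable.
REGIONS = {"security_test": ("test_started", "test_passed"),
           "doc_review": ("review_started", "review_approved")}
DECISION = "accreditation_decision"   # the human-in-the-loop decision event


@dataclass
class AccreditationAssertion:
    """Assertion: DECISION fires only after all regions are done, and at most once."""
    region_state: dict = field(default_factory=lambda: {r: "idle" for r in REGIONS})
    decided: bool = False
    violations: list = field(default_factory=list)

    def step(self, event: str) -> bool:
        """Consume one workflow event; return False on a requirement violation."""
        for region, (start, done) in REGIONS.items():
            if event == start and self.region_state[region] == "idle":
                self.region_state[region] = "running"
                return True
            if event == done and self.region_state[region] == "running":
                self.region_state[region] = "done"
                return True
        if event == DECISION:
            if all(s == "done" for s in self.region_state.values()) and not self.decided:
                self.decided = True
                return True
            self.violations.append(f"{event} fired with regions={self.region_state}, "
                                   f"decided={self.decided}")
            return False
        self.violations.append(f"unexpected event {event!r} in state {self.region_state}")
        return False


def check_trace(trace):
    """Upfront check of a planned trace (or replay of a runtime log).
    Returns (all_ok, list_of_violations); every event is examined, not just the first failure."""
    monitor = AccreditationAssertion()
    ok = True
    for event in trace:
        ok = monitor.step(event) and ok
    return ok, monitor.violations
```

At runtime the same `AccreditationAssertion` instance is fed events as they occur, so a premature or repeated decision is flagged at the moment it happens.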
