Detecting Conflicts Between Data-Minimization and Security Requirements in Business Process Models

Detecting conflicts between security and data-minimization requirements is a challenging task. Since such conflicts arise in the specific context of how the technical and organizational components of the target system interact with each other, their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution for a task that writes data to a secure data storage, where the identity of the writer is needed for the purpose of accountability. To address this challenge, we propose an extension of the BPMN 2.0 business process modeling language to enable: (i) the specification of process-oriented data-minimization and security requirements, and (ii) the detection of conflicts between these requirements based on a catalog of domain-independent anti-patterns. The considered security requirements were reused from SecBPMN2, a security-oriented extension of BPMN 2.0, while the data-minimization part is new. SecBPMN2 also provides a graphical query language called SecBPMN2-Q, which we extended to formulate our anti-patterns. We report on the feasibility and usability of our approach based on a case study featuring a healthcare management system and an experimental user study.
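The anonymity-versus-accountability conflict described above, as an added illustration that is not the paper's SecBPMN2/SecBPMN2-Q tooling: a minimal in-memory process model carries requirement annotations on tasks and data stores, and a small catalog of anti-patterns is matched against every write association. The element names, the requirement labels, and the decision not to flag pseudonymity are assumptions made for this example.

```python
from dataclasses import dataclass, field

@dataclass
class Element:
    name: str
    kind: str                      # "task" or "data_store"
    reqs: frozenset = frozenset()  # requirement annotations on the element

@dataclass
class ProcessModel:
    elements: dict = field(default_factory=dict)
    writes: list = field(default_factory=list)  # (task_name, store_name)

    def add(self, name, kind, *reqs):
        self.elements[name] = Element(name, kind, frozenset(reqs))
        return self

    def write(self, task, store):
        self.writes.append((task, store))
        return self

# Anti-pattern catalog: (id, predicate over the writing task and written store).
# Only the pattern the abstract states is included. Pseudonymity is deliberately
# not flagged: a pseudonym can still be resolved when accountability demands it
# (an assumption of this example, not a statement about the paper's catalog).
ANTI_PATTERNS = [
    ("anonymous-writer-to-accountable-store",
     lambda task, store: "Anonymity" in task.reqs
                         and "Accountability" in store.reqs),
]

def detect_conflicts(model):
    """Return (pattern_id, task, store) for each write that matches a pattern."""
    found = []
    for task, store in model.writes:
        t, s = model.elements[task], model.elements[store]
        found += [(pid, task, store) for pid, match in ANTI_PATTERNS if match(t, s)]
    return found

def example_model():
    # Constructed healthcare-style model: an anonymous feedback task writes to an
    # audited patient-record store (conflict); a pseudonymous diary task does not.
    return (ProcessModel()
            .add("submit_feedback", "task", "Anonymity")
            .add("patient_records", "data_store", "Accountability", "Confidentiality")
            .add("log_symptoms", "task", "Pseudonymity")
            .add("symptom_diary", "data_store", "Confidentiality")
            .write("submit_feedback", "patient_records")
            .write("log_symptoms", "symptom_diary"))
```

Running `detect_conflicts(example_model())` reports the single anonymous write into the accountable store and leaves the pseudonymous write unflagged.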