A BPMN Extension for the Modeling of Security Requirements in Business Processes

Business processes are considered crucial by many enterprises because they are the key to maintaining competitiveness. Moreover, business processes are important for software developers, who can capture from them the requirements needed for software design and creation. Business process modeling is also central to conducting and improving how the business is operated. Security is important for business performance, but traditionally it is considered after the business processes have been defined. Empirical studies show that, at the business process level, customers, end users, and business analysts are able to express their security needs. In this work, we present a proposal aimed at integrating security requirements through business process modeling. We summarize our Business Process Modeling Notation extension for modeling secure business processes through Business Process Diagrams, and we apply this approach to a typical health-care business process.
