Copyright © 2007 The Institute of Electronics, Information and Communication Engineers
Regular Section -- Papers -- Software Engineering
A BPMN Extension for the Modeling of Security Requirements in Business Processes
1 The author is with the Departamento de Auditoría e Informática, Universidad del Bio Bio, Chillán, Chile. E-mail: alrodriguez{at}inf-cr.uclm.es
2 The authors are with the ALARCOS Research Group, UCLM-Soluziona Research and Development Institute, University of Castilla-La Mancha, Ciudad Real, Spain.
Business processes are considered a crucial issue by many enterprises because they are the key to maintaining competitiveness. Moreover, business processes are important for software developers, since from them they can capture the requirements needed for software design and construction. Business process modeling is also the center for conducting and improving how the business is operated. Security is important for business performance, but traditionally it is considered only after the business processes have been defined. Empirical studies show that, at the business process level, customers, end users, and business analysts are able to express their security needs. In this work, we present a proposal aimed at integrating security requirements into business process modeling. We summarize our Business Process Modeling Notation (BPMN) extension for modeling secure business processes through Business Process Diagrams, and we apply this approach to a typical health-care business process.
Key Words: security requirement, business process, BPMN
Manuscript received July 6, 2006. Manuscript revised September 29, 2006.