Software & Systems Modeling

, Volume 16, Issue 3, pp 737–757 | Cite as

Designing secure business processes with SecBPMN

  • Mattia SalnitriEmail author
  • Fabiano Dalpiaz
  • Paolo Giorgini
Theme Section Paper


Modern information systems are increasingly large and consist of an interplay of technical components and social actors (humans and organizations). Such interplay threatens the security of the overall system and calls for verification techniques that enable determining compliance with security policies. Existing verification frameworks either have a limited expressiveness that inhibits the specification of real-world requirements or rely on formal languages that are difficult to use for most analysts. In this paper, we overcome the limitations of existing approaches by presenting the SecBPMN framework. Our proposal includes: (1) the SecBPMN-ml modeling language, a security-oriented extension of BPMN for specifying composite information systems; (2) the SecBPMN-Q query language for representing security policies; and (3) a query engine that enables checking SecBPMN-Q policies against SecBPMN-ml specifications. We evaluate our approach by studying its understandability and perceived complexity with experts, running scalability analysis of the query engine, and through an application to a large case study concerning air traffic management.


Information systems Security policies BPMN Compliance 



This research was partially supported by the ERC advanced Grant 267856, ‘Lucretius: Foundations for Software Evolution’, and by European Union’s Horizon 2020 research and innovation program under Grant Agreement No. 653642-VisiON.


  1. 1.
    Atluri, V., Huang, W.: An extended Petri net model for supporting workflows in a multilevel secure environment. In: Samarati, P., Sandhu, R. (eds.) Database Security X: Status and Prospects, pp. 199–216. Chapman and Hall, london (1996)Google Scholar
  2. 2.
    Awad, A.: BPMN-Q: a language to query business processes. In: EMISA, vol. P-119, pp. 115–128 (2007)Google Scholar
  3. 3.
    Awad, A.: A Compliance Management Framework for Business Process Models. Ph.D. thesis (2010)Google Scholar
  4. 4.
    Basili, V.R., Caldiera, G., Rombach, D.H.: The Goal Question Metric Approach. Wiley, New York (1994)Google Scholar
  5. 5.
    Beeri, C., Eyal, A., Kamenkovich, S., Milo, T.: Querying business processes with BP-QL. Inf. Syst. 33(6), 477–507 (2008)CrossRefGoogle Scholar
  6. 6.
    Blanc, X., Mougenot, A., Mounier, I., Mens, T.: Incremental detection of model inconsistencies based on model operations. In: Proceedings of the CAiSE, pp. 32–46 (2009)Google Scholar
  7. 7.
    Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: modeling and enforcing access control requirements in business processes. In: Proceedings of the SACMAT, pp. 123–126 (2012)Google Scholar
  8. 8.
    Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: Proceedings of the ARES, pp. 546–555 (2013)Google Scholar
  9. 9.
    Clocksin, W., Mellish, C.: Programming in PROLOG. Springer, Berlin (2003)CrossRefzbMATHGoogle Scholar
  10. 10.
    Dalpiaz, F., Giorgini, P., Mylopoulos, J.: Adaptive socio-technical systems: a requirements-driven approach. Requir. Eng. 18(1), 1–24 (2013)CrossRefGoogle Scholar
  11. 11.
    Delfmann, P., Dietrich, H., Havel, J., Steinhorst, M.: A language-independent model query tool. In: Proceedings of the DESRIST, pp. 453–457 (2014)Google Scholar
  12. 12.
    Deutch, D., Milo, T.: Querying structural and behavioral properties of business processes. In: Proceedings of the DPL, pp. 169–185 (2007)Google Scholar
  13. 13.
    Dumas, M., Hofstede, A.H.M.: UML activity diagrams as a workflow specification language. In: Proceedings of the UML, pp. 76–90 (2001)Google Scholar
  14. 14.
    Emerson, E.A., Halpern, J.Y.: Decision procedures and expressiveness in the temporal logic of branching time. In: Proc. of STOC, pp. 169–180 (1982)Google Scholar
  15. 15.
    Federal Aviation Administration: SWIM ATM Case Study, last visited March 2014. (2014)
  16. 16.
    Ferraiolo, D., Cugini, J., Richard Kuhn, D.: Role-Based Access Control (RBAC): Features and Motivations In: Proceedings of 11th annual computer security application conference, pp. 241–248 (1995)Google Scholar
  17. 17.
    Firesmith, D.: Specifying reusable security requirements. J. Object Technol. 3(1), 61–75 (2004)CrossRefGoogle Scholar
  18. 18.
    Ghose, A., Koliadis, G.: Auditing business process compliance. In: Proceedings of the ISOC, pp. 169–180 (2007)Google Scholar
  19. 19.
    Gruhn, V., Laue, R.: A heuristic method for detecting problems in business process models. Bus. Process Manag. J. 16(5), 806–821 (2010)CrossRefGoogle Scholar
  20. 20.
    Hofstede, A., Ouyang, C., La Rosa, M., Song, L., Wang, J., Polyvyanyy, A.: APQL: a process-model query language. In: Proceedings of the Asia-Pacific Business Process Management, vol. 159, pp. 23–38 (2013)Google Scholar
  21. 21.
    ISACA: An Introduction to the Business Model for Information Security. Technical report (2009).
  22. 22.
    Josang, A., Ismail, R., Boyd, C.: A survey of trust and reputation systems for online service provision. Decis. Support Syst. 43(2), 618–644 (2007)CrossRefGoogle Scholar
  23. 23.
    Jurjens, J.: UMLsec: extending UML for secure systems development. In: Proceedings of the UML, pp. 412–425 (2002)Google Scholar
  24. 24.
    Kharbili, M.E., de Medeiros, A.K.A., Stein, S., van der Aalst, W.M.P.: Business process compliance checking: current state and future challenges. In: Loos, P., Nttgens, M., Turowski, K., Werth, D. (eds.) MobIS, LNI, vol. 141, pp. 107–113. GI (2008)Google Scholar
  25. 25.
    Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation. In: Proceedings of the ARES, pp. 262–267 (2013)Google Scholar
  26. 26.
    Leitner, M., Rinderle-Ma, S.: A systematic review on security in process-aware information systems—constitution, challenges, and future directions. Inf. Softw. Technol. 56(3), 273–293 (2014)Google Scholar
  27. 27.
    Leitner, M., Schefer-Wenzl, S., Rinderle-Ma, S., Strembeck, M.: An experimental study on the design and modeling of security concepts in business processes. In: Proceedings of the PoEM, pp. 236–250 (2013)Google Scholar
  28. 28.
    Li, J., Mirkovic, J., Wang, M., Reiher, P., Zhang, L.: SAVE: source address validity enforcement protocol. In: Proceedings of the INFOCOM, vol. 3, pp. 1557–1566 (2002)Google Scholar
  29. 29.
    Li, N., Tripunitara, M.V., Bizri, Z.: On mutually exclusive roles and separation-of-duty. ACM Trans. Inf. Syst. Secur. 10(2), 5 (2007)CrossRefGoogle Scholar
  30. 30.
    Liu, Y., Müller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)CrossRefGoogle Scholar
  31. 31.
    Mason, M.: Sample size and saturation in PhD studies using qualitative interviews. Forum Qual. Soc. Res. 11(3), 190–197 (2010)Google Scholar
  32. 32.
    McCumber, J.: Information systems security: a comprehensive model. In: Proceedings of the NCSC (1991)Google Scholar
  33. 33.
    Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: Proceedings of the ARES, pp. 41–48 (2009)Google Scholar
  34. 34.
    Monakova, G., Brucker, A.D., Schaad, A.: Security and safety of assets in business processes. Appl. Comput. 27, 1667–1673 (2012)Google Scholar
  35. 35.
    Moody, D.: The physics of notations: toward a scientific basis for constructing visual notations in software engineering. IEEE Trans. Softw. Eng. 35, 756–779 (2009)CrossRefGoogle Scholar
  36. 36.
    OASIS: Web Services Business Process Execution Language. (2007)
  37. 37.
    OASIS: eXtensible Access Control Markup Language (XACML)Version 3.0. (2013)
  38. 38.
    OMG: BPMN 2.0. (2011)
  39. 39.
    OMG: Unified Modeling Language (UML), Infrastructure, V2.1.2. Technical report (2007).
  40. 40.
    Parker, D.: Our excessively simplistic information security model and how to fix it. ISSA J. 8(7), 12–21 (2010)Google Scholar
  41. 41.
    Parker, D.B.: Fighting Computer Crime—A New Framework for Protecting Information. Wiley, New York (1998)Google Scholar
  42. 42.
    Peffers, K., Tuunanen, T., Rothenberger, M., Chatterjee, S.: A design science research methodology for information systems research. J. Manag. Inf. Syst. 24(3), 45–77 (2007)CrossRefGoogle Scholar
  43. 43.
    Rasmussen, J.L., Singh, M.: Designing a security system by means of coloured Petri nets. In: Proceedings of the ICATPN, pp. 400–419 (1996)Google Scholar
  44. 44.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. Inf. Syst. 90(4), 745–752 (2007)CrossRefGoogle Scholar
  45. 45.
    Sadiq, S., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Proceedings of the BPM, pp. 149–164 (2007)Google Scholar
  46. 46.
    Saleem, M., Jaafar, J., Hassan, M.: A domain-specific language for modelling security objectives in a business process models of SOA applications. Adv. Inf. Sci. Serv. Sci. 4(1), 353–362 (2012)Google Scholar
  47. 47.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning service-oriented architectures with security requirements. In: Proc. of OTM, pp. 232–249 (2012)Google Scholar
  48. 48.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Modeling and verifying security policies in business processes. In Proceedings of the BPMDS, pp. 200–214 (2014)Google Scholar
  49. 49.
    Salnitri, M., Giorgini, P.: Modeling and verification of ATM security policies with SecBPMN. In: Proceedings of the SHPCS (2014)Google Scholar
  50. 50.
    Samarati, P., Vimercati, S.: Access control: policies, models, and mechanisms. In: FOSAD, vol. 2171, pp. 137–196 (2001)Google Scholar
  51. 51.
    Schmidt, R., Bartsch, C., Oberhauser, R.: Ontology-based representation of compliance requirements for service processes. In: Proceedings of the CEUR (2007)Google Scholar
  52. 52.
    SecBPMN Website: SecBPMN Website, last visited Sept 2014. (2014)
  53. 53.
    Simon, R., Zurko, M.: Separation of duty in role-based environments. In: Proceedings of the CSFW, pp. 183–194 (1997)Google Scholar
  54. 54.
    Sommerville, I., Cliff, D., Calinescu, R., Keen, J., Kelly, T., Kwiatkowska, M., Mcdermid, J., Paige, R.: Large-scale complex IT systems. Commun. ACM 55(7), 71–77 (2012)CrossRefGoogle Scholar
  55. 55.
    Störrle, H.: VMQL: a visual language for ad-hoc model querying. J. Vis. Lang. Comput. 22, 3–29 (2011)CrossRefGoogle Scholar
  56. 56.
    The Apache Software Foundation: Apache Rampart website, last visited Aug 2014. (2014)
  57. 57.
    van der Aalst, W.M.P.: Formalization and verification of event-driven process chains. Inf. Softw. Technol. 41(10), 639–650 (1999)CrossRefGoogle Scholar
  58. 58.
    Wohlin, C., Runeson, P., Höst, M., Ohlsson, M.C., Regnell, B., Wesslèn, A.: Experimentation in Software Engineering: An Introduction. Kluwer Academic, Boston, MA (2000)Google Scholar
  59. 59.
    Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. J. Syst. Archit. 55(4), 211–223 (2009)CrossRefGoogle Scholar
  60. 60.
    Wolter, C., Schaad, A.: Modeling of task-based authorization constraints in BPMN. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) Business Process Management. Lecture Notes in Computer Science, vol. 4714, pp. 64–79. Springer, Berlin (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Mattia Salnitri
    • 1
    Email author
  • Fabiano Dalpiaz
    • 2
  • Paolo Giorgini
    • 1
  1. 1.Department of Information Engineering and Computer ScienceUniversity of TrentoTrentoItaly
  2. 2.Department of Information and Computing SciencesUtrecht UniversityUtrechtThe Netherlands

Personalised recommendations