Abstract
This article introduces POSeM, a method that uses business process descriptions to derive appropriate security safeguards. This is achieved by assigning security levels to the components of a business process such as actors, artefacts, and activities with a specially developed description language. These levels are checked for consistency, and security measures are derived using a configurable rule base that maps security objectives to safeguards. POSeM in practice is illustrated by an application to electronic business, i.e., the publication process of information for a company's web-site. Both the advantages of POSeM and its possible refinements are discussed.
Similar content being viewed by others
References
Abrams, M.D., S. Jajodia, and H.J. Podell (eds.). (1995). Information Security: An Integrated Collection of Essays. IEEE Computer Society Press.
Barthelmess, P. (2000). “Security in Workflow Systems.” University of Colorado at Boulder, http://ugrad-www.cs.Colorado.edu/~barthelm/security/, accessed 11/9/2000.
Bell, D.E. and L.J. LaPadula. (1974). “Secure Computer Systems: Mathematical Foundations and Model.” Technical Report, The Mitre Corporation.
Biba, K. (1977). “Integrity Considerations for Secure Computer Systems.” Technical Report TR-3153, MITRE Corp., Bedford, MA.
BSI. (1999). “Information Security Management-Part 1: Code of Practice for Information Security Management.” BSI: British Standards Institute.
BSI. (2000). “IT-Grundschutzhandbuch: Maßnahmenempfehlungen für den mittleren Schutzbedarf.” Bundesamt für die Sicherheit in der Informationstechnik (BSI), Bonn.
Chung, L. (1993). “Dealing with Security Requirements During the Development of Information Systems.” In C. Rolland, F. Bodart, and C. Cauvet (eds.), Advanced Information Systems Engineering, CAiSE'93 Lecture Notes in Computer Science, Vol. 685. Paris, France: Springer, pp. 234–251.
Curtis, B., M.I. Kellner, and J. Over. (1992). “Process Modeling.” Communications of the ACM 35(9), 75–90.
Davenport, T. (1993). Process Innovation-Reengineering Work through Information Technology. Boston: Harvard Business School Press.
FIPS80. (1980). “Guidelines for Security of Computer Application, Federal Information Processing Standards Publication 73.” Department of Commerce, National Bureau of Standards.
Hammer, M. and J. Champy. (1994). Reengineering the Cororation-A Manifest for Business Revolution. London: Nicholas Brealey.
Herrmann, G. (1999). “Security and Integrity Requirements of Business Processes-Analysis and Approach to Support their Realisation.” In Proc. of CAiSE'99, 6th Doctoral Consortium on Advanced Information Systems Engineering Heidelberg, pp. 36-47.
Holbein, R. (1996). “Secure Information Exchange in Organisations-An Approach for Solving the Information Misuse Problem.” Ph.D. thesis, Universität Zürich.
Jansen, H. (1998). “Integration von Bedrohungs-und Risikoanalyse in ein Vorgehens-modell für Geschäftsprozeßmodellierung und Workflow-Management.” Master's thesis, Fachbereich Informatik der Carl von Ossietzky, Universität Oldenburg.
Karagiannis, D. and M. Heidenfeld. (1998). “Modellierung, Analyse und Evaluation sicherer Geschäftsprozesse: Ein Implementierungsansatz für Security Workflows.” In K. Bauknecht, A. Büllesbach, H. Pohl, and S. Teufel (eds.), Sicherheit in Informationssystemen-SIS'98. vdf Hochschulverlag AG, pp. 223-246.
Knorr, K. (2000). “Dynamic Access Control through Petri Net Workflows.” In Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC) New Orleans, pp. 159-167.
Knorr, K. and S. Röhrig. (2001). “Security Requirements for E-Commerce Processes.” In B. Schmid, K. Stanoevska-Slabeva, and V. Tschammer (eds.), Towards the E-Society: E-Commerce, E-Business and E-Government. Zurich, Switzerland: Kluwer Academic Publishers, pp. 73–86.
Knorr, K. and H. Stormer. (2001). “Modeling and Analyzing Separation of Duties in Workflow Environments.” In Proceedings of 16th International Conference on Information Security (IFIP/Sec) Paris, France, pp. 199-212.
Long, D.L., J. Baker, and F. Fung. (1999). “A Prototype Secure Workflow Server.” In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC) Phoenix, Arizona.
McDermott, J. and C. Fox. (1999). “Using Abuse Case Models for Security Requirements Analysis.” In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC) Phoenix, Arizona, http://www.acsac.org/1999/abstracts/wed-b-1030-john.html.
Meier, A. and S. Röhrig. (2001). “Sicherheitsanforderungen für elektronische Verträge: Ein prozessbasierter Ansatz.” In P. Horster (ed.), Elektronische Geschäftsprozesse-Grundlagen, Sicherheitsaspekte, Realisierungen, Anwendungen IT-Verlag für Informationstechnik, pp. 242-253.
NCSC. (1992). NCSC-TG-010: A Guide to Understanding Modeling in Trusted Systems (Acqua Book). National Computer Security Center.
Pfitzmann, A. and G.Wolf. (1999). “Empowering Users to Set Their Protection Goals.” In G. Müller and K. Rannenberg (eds.), Multilateral Security in Communications Informationssicherheit. München: Addison-Wesley.
Röhm, A.W., G. Herrmann, and G. Pernul. (1999). “A Language for Modelling Secure Business Transactions.” In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC) Phoenix, Arizona.
Röhrig, S., K. Knorr, and H. Noser. (2000). “Sicherheit von E-Business-Anwendungen-Struktur und Quantifizierung.” Wirtschaftsinformatik 42(6), 499–507.
Shirey, R. (2000). “Internet Security Glossary.” Request for Comments 2828.
Thoben, W. (1998). “Sicherheit für Workflow-basierte Anwendungen.” In K. Bauknecht, A. Büllesbach, H. Pohl, and S. Teufel (eds.), Sicherheit in Informationssystemen SIS' 98. Stuttgart: vdf Hochschulverlag AG, pp. 201–222.
Walker, W.E. (2001). “Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0.” National Security Agency. Version 1.2, http://www.nsa.gov.
WFMC. (1996). “Terminology and Glossary.” Workflow Management Coalition, http://www.aiim. org/wfmc/. Document Number TC-1011.
WFMC. (1998). “Interface 1: Process Definition Interchange-Process Model.” Workflow Management Coalition, Document Number TC-1016-P.
Author information
Authors and Affiliations
Rights and permissions
About this article
Cite this article
Röhrig, S., Knorr, K. Security Analysis of Electronic Business Processes. Electronic Commerce Research 4, 59–81 (2004). https://doi.org/10.1023/B:ELEC.0000009282.06809.c5
Issue Date:
DOI: https://doi.org/10.1023/B:ELEC.0000009282.06809.c5