From Consumer Requirements to Policies in Secure Services

Part of the Lecture Notes in Computer Science book series (LNCS, volume 8900)


Automatic translation of elicited consumer security requirements at high level (problem space) into application or service level security requirements (solution space) has been traditionally the Achilles’ heel of security requirements engineering. Such automated translation would result in significant failure and cost reduction in application development and maintenance, particularly in those complex applications based on compositions and choreographies of services. In this paper we present a framework which makes a step forward to solve this dilemma. The framework supports the engineering of composite service security and trust requirements directly derived from the organisational needs expressed for such service. The followed approach starts with the modelling of organisation actors’ objectives and commitments among these actors, and follows with the transformation of such commitments into security elements in the service business process specification and into a consumer security policy which the service will need to be compliant with.


security requirements transformation service composition BPMN consumer policy 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Aktug, I., Naliuka, K.: ConSpec — a formal language for policy specification. Electronic Notes in Theoretical Computer Science 197(1), 45–58 (2008)MathSciNetCrossRefGoogle Scholar
  2. 2.
    Aniketos Website,
  3. 3.
    Baxter, G., Sommerville, I.: Socio-technical systems: From design methods to systems engineering. Interacting with Computers 23(1), 4–17 (2011)CrossRefGoogle Scholar
  4. 4.
    Bresciani, P., Perini, A., Giorgini, P., Giunchiglia, F., Mylopoulos, J.: Tropos: An agent-oriented software development methodology. Autonomous Agents and Multi-Agent Systems 8(3), 203–236 (2004)CrossRefGoogle Scholar
  5. 5.
    Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: Modeling and enforcing access control requirements in business processes. In: Proceedings of the 17th ACM symposium on Access Control Models and Technologies, pp. 123–126. ACM (June 2012)Google Scholar
  6. 6.
    Brucker, A.D., Malmignati, F., Merabti, M., Shi, Q., Zhou, B.: A Framework for Secure Service Composition. In: International Conference on Information Privacy, Security, Risk and Trust (PASSAT), pp. 1–6. IEEE (September 2013)Google Scholar
  7. 7.
    Dalpiaz, F., Paja, E., Giorgini, P.: Security requirements engineering via commitments. In: 2011 1st Workshop on Socio-Technical Aspects in Security and Trust (STAST), pp. 1–8 (September 2011)Google Scholar
  8. 8.
    Dragoni, N., Massacci, F., Naliuka, K., Siahaan, I.: Security-by-contract: Toward a semantics for digital signatures on mobile code. In: López, J., Samarati, P., Ferrer, J.L. (eds.) EuroPKI 2007. LNCS, vol. 4582, pp. 297–312. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  9. 9.
    Emery, F.E., Trist, E.L.: Socio-Technical Systems. Management Science, Models and Techniques 2, 83–97 (1960)Google Scholar
  10. 10.
    ENISA. Procure Secure: A guide to monitoring of security service levels in cloud contracts (April 2012), (Cited on September 10, 2013)
  11. 11.
    Erlingsson, U.: The inlined reference monitor approach to security policy enforcement. Cornell University (2003)Google Scholar
  12. 12.
    Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: Proceedings of the 13th IEEE International Conference on Requirements Engineering, pp. 167–176. IEEE (August 2005)Google Scholar
  13. 13.
    Trist, E.L.: On socio-technical systems. Sociotechnical systems: A sourcebook, 43-57 (1978)Google Scholar
  14. 14.
    Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: International Conference on Availability, Reliability and Security, ARES 2009, pp. 41–48. IEEE (March 2009)Google Scholar
  15. 15.
    Mouratidis, H., Giorgini, P.: Secure tropos: A security-oriented extension of the tropos methodology. International Journal of Software Engineering and Knowledge Engineering 17(02), 285–309 (2007)CrossRefGoogle Scholar
  16. 16.
    Mulle, J., Stackelberg, S., Bohm, K.: A Security Language for BPMN Process Models. Karlsruhe Reports in Informatics (September 2011)Google Scholar
  17. 17.
    Noguero, A., Espinoza, H.: A generic executable framework for model-driven engineering. In: 2012 7th Iberian Conference on Information Systems and Technologies (CISTI), pp. 1–6. IEEE (June 2012)Google Scholar
  18. 18.
    OASIS, Reference Model for Service Oriented Architecture 1.0 (2009), (cited September 12, 2013)
  19. 19.
    OMG. Business Process Model and Notation (BPMN) Version 2.0 (2011), (Cited on September 10, 2013)
  20. 20.
    Paja, E., Dalpiaz, F., Giorgini, P.: Identifying Conflicts in Security Requirements with STS-ml. University of Trento. Technical report (2012)Google Scholar
  21. 21.
    Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: STS-Tool: Specifying and Reasoning over Socio-Technical Security Requirements. In: iStar 2013, pp. 131–133 (2013)Google Scholar
  22. 22.
    Rodríguez, A., Fernández-Medina, E., Piattini, M.: A bpmn extension for the modeling of security requirements in business processes. IEICE Transactions on Information and Systems 90(4), 745–752 (2007)CrossRefGoogle Scholar
  23. 23.
    Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning Service-Oriented Architectures with Security Requirements. In: Meersman, R., Panetto, H., Dillon, T., Rinderle-Ma, S., Dadam, P., Zhou, X., Pearson, S., Ferscha, A., Bergamaschi, S., Cruz, I.F. (eds.) OTM 2012, Part I. LNCS, vol. 7565, pp. 232–249. Springer, Heidelberg (2012)Google Scholar
  24. 24.
    Singh, M.P.: An ontology for commitments in multiagent systems. Artificial Intelligence and Law 7(1), 97–113 (1999)CrossRefGoogle Scholar
  25. 25.
    University of trento, STS-ml manual (2013), (cited September 12, 2013)
  26. 26.
    Wolter, C., Menzel, M., Meinel, C.: Modelling Security Goals in Business Processes. Modellierung 127, 201–216 (2008)Google Scholar
  27. 27.
    van Lamsweerde, A.: Requirements engineering in the year 00: a research perspective. In: Proceedings of the 22nd International Conference on Software Engineering, pp. 5–19 (2000)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.TECNALIA Research and InnovationDerioSpain
  2. 2.SELEX, Selex ES S.p.A, A Finmeccanica CompanyRomeItaly
  3. 3.UNITNUniversity of TrentoTrentoItaly

Personalised recommendations