Goal-Equivalent Secure Business Process Re-engineering

  • Hugo A. López
  • Fabio Massacci
  • Nicola Zannone
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4907)


The introduction of information technologies in health care systems often requires re-engineering the business processes used to deliver care. Obviously, the new and re-engineered processes are observationally different, and thus we cannot use existing model-based techniques to argue that they are somehow “equivalent”. In this paper we propose a method for passing from SI*, a modeling language for capturing and modeling functional, security, and trust organizational and system requirements, to business process specifications and vice versa. In particular, starting from an old secure business process, we reconstruct the functional and security requirements at the organizational level that such a business process was supposed to meet (including the trust relations that existed among the members of the organization). To ensure that the re-engineered business process meets the elicited requirements, we employ a notion of equivalence based on goal-equivalence. Basically, we verify whether the execution of the business process, described in terms of the trace it generates, satisfies the organizational model. We motivate and illustrate the method with an e-health case study.



Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Hugo A. López (1)
  • Fabio Massacci (1)
  • Nicola Zannone (1)
  1. Università degli Studi di Trento, Povo (Trento), Italy
