A Security Pattern-Driven Approach toward the Automation of Risk Treatment in Business Processes

  • Angel Jesus Varela-Vaca
  • Robert Warschofsky
  • Rafael M. Gasca
  • Sergio Pozo
  • Christoph Meinel
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 189)


Risk management has become an essential mechanism for business and security analysts, since it enables the identification, evaluation and treatment of the threats, vulnerabilities, and risks to which organizations may be exposed. In this paper, we discuss the need to provide a standard representation of security countermeasures in order to automate the selection of countermeasures for business processes. The main contribution lies in the specification of security patterns as a standard representation for countermeasures. The classical security pattern structure is extended to incorporate new features that enable the automatic selection of security patterns. Furthermore, a prototype has been developed which supports the specification of security patterns in a graphical way.


Keywords: Business Process Management, Security Pattern, Risk Treatment, Automation





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Angel Jesus Varela-Vaca (1), corresponding author
  • Robert Warschofsky (2)
  • Rafael M. Gasca (1)
  • Sergio Pozo (1)
  • Christoph Meinel (2)

  1. Computer Languages and Systems Department, Quivir Research Group, ETS. Ingeniería Informática, University of Seville, Seville, Spain
  2. Hasso-Plattner-Institute, Potsdam, Germany
