A Graphical Audit Facility for Data Processing and Its Evaluation with Users
Personally identifiable information (PII) is increasingly processed in a distributed way. This makes it much harder for individuals to oversee how their PII is used. In the legal systems of many countries, processing of PII is subject to restrictions. In particular, companies have to inform an individual about how they use his PII and which external parties they transfer it to. We hypothesize that naïve approaches like log messages or plain text are not sufficient for this purpose. We have therefore developed a user-friendly auditing facility based on business processes (BPs). It visualizes data processing in real time, using the graphical process models one would deploy on a BP engine for execution. We also propose an approach to let a BP-management system generate the necessary audit events at runtime. An evaluation of realistic scenarios with users shows that our tool helps them to understand how their PII is used.
Keywords: Business Process, Audit Information, Audit Event, Audit Tool, Security Component