Towards Definition of Secure Business Processes

  • Olga Altuhhova
  • Raimundas Matulevičius
  • Naved Ahmed
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 112)


Business process modelling is one of the major aspects of modern system development. Recently, business process model and notation (BPMN) has become a standard technique to support this activity. Although BPMN is a good approach for understanding business processes, there is limited work on how it could deal with business security and security risk management. This is a problem, since both business processes and security concerns should be understood in parallel to support the development of secure systems. In this paper we analyse BPMN with respect to the domain model of IS security risk management (ISSRM). We apply a structured approach to understand the key aspects of BPMN and how a modeller could express secure assets, risks and risk treatment using BPMN. We align the main BPMN constructs with the key concepts of the ISSRM domain model. We show the applicability of our approach on a running example related to an Internet store. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. In addition, we open the possibility of business and security model interoperability and of model transformation between several modelling approaches (if these are aligned to the ISSRM domain model).


Business process model and notation (BPMN); Security risk management; Alignment of modelling languages; Information systems





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Olga Altuhhova (1)
  • Raimundas Matulevičius (1)
  • Naved Ahmed (1)
  1. Institute of Computer Science, University of Tartu, Tartu, Estonia
