The innovative and disruptive power with which the digital transformation changes organizations, along with a growing number of regulations, forces enterprises to automate the implementation of regulatory rules in their information systems. The tendency of these regulations to unintentionally impede the operative business is consequently increasing. Although the concepts of governance, risk, and compliance management set a framework for the realization of regulations, their implementation in enterprise information systems for automating business processes can lead to technical obstructions, which arise from the enforcement of access control security that blocks the execution of business processes, or from its combination with an unexpectedly diminishing user base. The potential occurrence of such obstructions adds to the high level of uncertainty organizations must deal with. However, this challenge has not been sufficiently addressed. By developing methods for the analysis, detection, and handling of obstructions, this dissertation contributes to the engineering of information systems that provide flexible solutions to harmonize the conflicting goals of business and security at the process level. The introduction of indicator-based process security extends classic IT security concepts and provides the conceptual basis for this work. By considering indicators for compliance, the processes once again perform within the comprehensive frame designated by corporate governance. In this way, an obstructed process execution may still be completed within compliance while recognizing security requirements.

The Petri net-based SecANet representation covers the different aspects of a security-aware business process that incorporates indicators by providing a comprehensive starting point for analysis, detection, capturing, and resolution of obstructions. The model-based OLive-M approach then resolves an obstructed state with minimal security violations by considering the indicators assigned to the SecANet nodes as costs. Moreover, based on an obstructed trace, the log-based OLive-L method detects the most similar historical successful trace to complete the process. Both approaches constitute use cases of the net and propose to which users the tasks are to be assigned in order to resolve obstructions in a security-sensitive manner. Therefore, the SecANet, OLive-M, and OLive-L methods compose a holistic approach that addresses obstructability by considering all inputs (model, policy, log) resulting from the design, runtime, and audit phases of a security-aware process. More specifically, the contributions of this thesis are summarized as follows:

  • This work derives the paradigm of security in business processes by extending the safety-oriented classic IT security paradigm of “keep bad things from happening” to a liveness-oriented indicator-based view of “make good things happen” that pursues the process goal. When the enforcement of safety properties blocks process execution, the interface provided by the inclusion of indicators enables additional security-related insights from the data to be considered (e.g., the fraud risk of an initially unauthorized user-task assignment) for assessing the compliance of potential solutions. Therefore, just as the digitization of processes fosters obstructions, another essential component of the digital transformation, namely data, forms the basis for handling these obstructions.

  • The systematic review of existing research on security-related obstructions in PAIS within the context of the design, runtime, and auditing phases of business processes provides a foundation for further research in this field. While the existing literature provides approaches for related problems concerning the design and execution phases, e.g., the workflow satisfiability problem (WSP) or resilience, this work illustrates the potential use of logs in this respect for the first time. In particular, the extraction of information from process log data using process mining, e.g., methods for generating statistical information about the outcome of a process (i.e., predictive monitoring) or for checking the conformance of (safety) properties on process traces, can determine a wide range of indicators based on realistic process behavior. Requirements for the introduced notions of obstructability and completability of security-aware processes are deduced by examining the distinct phases of process executions and their entities.

  • The developed SecANet approach captures all aspects of a security-aware process in a formal representation integrating indicators as costs to explore security-sensitive behavior. This approach establishes a profound and expandable framework that explicitly addresses obstructions in security-aware workflows and provides comprehensive support for subsequent analyses and handlings. In contrast to the typical structural assumptions of security-aware processes in the context of WSP research, the representation can model specifications that contain conditional branching tasks and cyclic behavior, which are strongly motivated by their occurrence in real-world applications. The SecANet approach provides a detailed basis for answering questions about obstructions in business processes against the background of existing research. The approach also facilitates the application of existing Petri-net (or workflow-net-related) analysis methods, such as an analysis of the language-based properties of a SecANet, the introduction of SecANet soundness, as well as the possibility to create workflow-net characteristics for a SecANet (SecA-WF-Net). The developed SecANet+ approach integrates additional restrictions modularly, e.g., encoding the users' (un)availability to investigate resilience.

  • The developed OLive-M approach demonstrates for the first time how, by using a SecANet, obstructions can be solved by practically handling them, instead of changing the policy beforehand or preventing their occurrence. In finding a solution, the approach minimizes the number of violations while simultaneously completing the process. While the approach provides the framework for the security-sensitive handling of obstructions, the specific details of the weighting and determination of related indicators that still act in a compliant framework depend on the organizational and regulatory context. In practice, an organization could define a level or threshold of security-sensitivity such that solutions within these thresholds are assumed compliant: for example, the risk of the security violations associated with the security-sensitive completion of the blocked process execution is lower than the associated risk of damage.

  • The developed OLive-L approach represents a SecANet use case for the log-based resolution of obstructions that, given an obstructed trace, proposes a completion trace. In contrast to the designed process model, logs already contain traces that encode how emergencies or other unforeseen exceptional circumstances (e.g., suddenly absent employees) were handled before and approved by audit. Such behaviors encoded in the log can additionally enable alternative process execution to solve obstructions. Moreover, the OLive-L and OLive-M approaches can beneficially complement each other by deducing indicators by comparing completion traces with the model or relating theoretical results against the background of actual process behavior encoded in the log.

The developed methods are evaluated as effective. The SecANet allows for the identification of obstructions, and it can be formally proven that the construction of SecANet models preserves the behavior of the original process model. Theoretical worst-case considerations show that the SecANet encoding has polynomial runtime behavior and constant space requirements. The increased structural complexity that a SecANet entails must be weighed against its added value. Empirical analyses based on generated security-aware process data and real-world examples provide strong indications that the time needed to solve SecANet-based WSP instances undercuts the runtime of typical SAT solvers. The analysis of obstructability is more complex, but still moderate for mid-sized problem instances. Experiments show that the OLive-M and OLive-L approaches effectively resolve obstructed executions by finding solutions that correct obstructions, even in larger models or logs. For common smaller problem instances, the experiments suggest that the methods discover solutions efficiently in terms of time and memory consumption.

This work tackles the uncertainty of whether a security-aware process contains obstructions, which paradoxically result from the intention to achieve a supposedly secure state through the enforcement of security controls. Thus, handling such obstructions can improve security in business processes. By adding process execution sequences representing compliant behavior, resolving obstructions in a security-aware and process-aware information system extends the intrinsic limits of mechanisms that enforce safety-oriented access control security. By opening up security-sensitive behavior that complements classic security concepts, business goals can be considered along with reducing the risk of fraud when computing solutions to obstructive situations. The approaches contribute to security-aware automation in PAISs and facilitate the implementation of the increasing number of regulations and regulatory changes. The “digesting” of regulation and its interpretation regarding the weighting of risks and costs remains a challenging problem and must be approached based on the entrepreneurial context from which this thesis abstracts. In a broader context, by developing automated methods that consider empirical aspects, this work contributes towards the advancement of reliable, agile, and autonomous solutions in information systems that leverage recent advances in big data analytics, artificial intelligence, and machine learning. In addition, research in future access control systems for PAIS is expanded within the fields of information systems and cybersecurity, which are also concerned with economic benefits and solving practical problems.

6.1 Application

Along with contributing to existing research related to satisfiability and resilience, this work provides a solid foundation for future research in the field of obstructability in security-aware processes and the development of software tools for the analysis and handling of obstructions. The integration of the developed methods into a software solution for the security-aware analysis of business processes, the Security Workflow Analysis Toolkit (SWAT), provides a foundation to transfer the contributions of this work. SWAT contains methods for the preventive model-based or forensic log-based analysis of business processes and verification of security properties to show the principal integrability of the developed methods in a PAIS. These methods enable process designers and auditors to bridge the gap between the technical level on which corresponding methods operate and the business level they interpret.

In particular, the WF-Net-oriented Petri-net editor developed therein allows for the analysis of obstructability and satisfiability. Simultaneously, based on the encoding, existing Petri net analysis tools can be used for the reasoning on obstructability and satisfiability, which lowers the hurdle of leveraging these approaches. The model- and log-based techniques integrate additional solvers (ILP) and software libraries (kNN), respectively. To optionally assign costs to the nodes in a SecANet, these approaches rely on P/T cost Petri nets (P/TCost-nets), which extend the Petri net type definition (PNTD) of Place/Transition nets used in SWAT.
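
As an added illustration of the log-based resolution described in the OLive-L contribution above and of the kNN-style retrieval the log-based technique relies on (example code written for this page; not the thesis's method or SWAT's implementation), the script below retrieves the historical traces nearest to an obstructed prefix from a constructed event log and proposes the remaining events of the nearest trace as the completion. The event distance, the position-wise alignment of traces and the filter for absent users are this example's simplifications; the log contents are constructed.

```python
# Constructed event log of completed, audited cases (not data from the thesis).
# Each trace lists (task, user) events in execution order; trace 2 records an
# exception in which the approver also paid and audit accepted it.
LOG = [
    [("request", "alice"), ("approve", "carol"), ("pay", "carol"), ("audit", "dave")],
    [("request", "bob"), ("approve", "carol"), ("pay", "carol"), ("audit", "alice")],
    [("request", "alice"), ("approve", "bob"), ("pay", "bob"), ("audit", "dave")],
    [("request", "bob"), ("approve", "carol"), ("pay", "dave"), ("audit", "alice")],
]


def event_distance(e1, e2):
    """0 for identical events, 0.5 for the same task by another user, 1 otherwise."""
    if e1 == e2:
        return 0.0
    return 0.5 if e1[0] == e2[0] else 1.0


def prefix_distance(prefix, trace):
    """Position-wise distance between the obstructed prefix and the start of a
    historical trace; a history that is too short pays 1 per missing event.
    (Aligning by position is this example's simplification; traces with loops
    would need a proper alignment.)"""
    head = trace[:len(prefix)]
    return (sum(event_distance(a, b) for a, b in zip(prefix, head))
            + (len(prefix) - len(head)))


def nearest_completions(prefix, log, k=3, absent=()):
    """The k nearest historical traces whose remaining events avoid absent users.

    Returns (distance, trace index, suffix) triples, nearest first; ties are
    broken by the trace's position in the log.
    """
    n = len(prefix)
    scored = []
    for idx, trace in enumerate(log):
        suffix = trace[n:]
        if not suffix or any(user in absent for _, user in suffix):
            continue  # nothing left to propose, or it needs an unavailable user
        scored.append((prefix_distance(prefix, trace), idx, suffix))
    scored.sort(key=lambda s: s[:2])
    return scored[:k]


def propose_completion(prefix, log, absent=()):
    """Suffix of the single nearest usable trace, or None if the log has none."""
    nearest = nearest_completions(prefix, log, k=1, absent=absent)
    return nearest[0][2] if nearest else None


if __name__ == "__main__":
    obstructed = [("request", "alice"), ("approve", "bob")]
    print(propose_completion(obstructed, LOG))                  # [('pay', 'bob'), ('audit', 'dave')]
    print(propose_completion(obstructed, LOG, absent={"bob"}))  # [('pay', 'carol'), ('audit', 'dave')]
```

With the full log, the audited exception in trace 2 matches the obstructed prefix exactly and its suffix is proposed; once bob is marked absent, the retrieval falls back to the next-nearest history, which is how previously approved exceptional behavior becomes an alternative route to completion.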

The use of the developed methods in a PAIS could manifest in practical applications. In the design and audit phases, the methods can make the security-aware process specification less obstructive, satisfiable, or more resilient, or assess the associated risks, e.g., of obstructability. The occurrence of obstructive sequences of user-task assignments and task executions, which are subjected to a more detailed investigation, can be retraced and visualized in detail with the help of the Petri net model representation. Concerning the structural complexity of SecANet models, concentrating on self-contained security-aware sub-processes, i.e., only users exclusively authorized for tasks of the sub-process, seems useful to maintain clarity. During runtime, applying the developed methods to resolve obstructions could recommend who performs which tasks, for example, in a “Break-the-Glass” situation, or as an assisted delegation, showing the potential best delegates (with the least violation) to the delegator. However, to adequately tackle the implementation of regulations, automating the handling of obstructions is crucial. In this respect, the efficient solvability of practical problem sizes of security-aware processes suggests that solving obstructions in a timely (online) fashion is realistic. The automated application of the methods in a PAIS then mimics an autonomous delegator that assigns outstanding tasks to the appropriate users based on experience, competence, and expertise. A PAIS usually offers task assignments to its users, typically as work items, and could therefore also provide additional mitigating actions by creating “breakable” work items. Similar to typical “Break-Glass” scenarios, these could imply that the resolved obstructed cases are prioritized for audit.

6.2 Extension

The developed methods, especially the framework established by the SecANet approach and the theoretical basis, offer room for extension and adaptation to further questions of security-aware business processes. Three possible directions are identified in the following.

6.2.1 Beyond Security-Sensitivity: Multi-Objective Solutions

The OLive-M approach can be used to determine the resilience of a uniformly costed SecANet to estimate the minimal number of users needed to complete a workflow. In addition, it could exclusively incorporate resilience-oriented indicators, e.g., the probability of user presence or the working-together and handover-of-work metrics from social network analysis. Then, in the case of a non-resilient workflow or an unexpected user absence that obstructs the execution of the process, a resilience-sensitive solution can be identified. Although security-related obstructions can correlate with the sudden non-availability of users, security and resilience remain at odds. A security-aware business process without any security requirements is trivially the most resilient and requires only one user who is allowed to perform all tasks. The solution of a security-related obstruction with additional consideration of resilience must therefore lead to a trade-off solution. Multiple cost dimensions beyond security-sensitivity alone should be included and weighted to find an optimal solution that adequately addresses this multi-objectivity. As a concrete example, depending on the entrepreneurial and regulatory context, a dashboard offered by a PAIS could be used by a Chief Compliance Officer to set the weighting of the security- and resilience-oriented parameters with two sliders. In this way, further objectives assigned as a separate cost dimension, for example, regarding the performance of the process (KPI), could be added. The unraveling of presumably opposing indicators so far settled in a single cost dimension would be enabled through a more fine-grained approach that better reflects reality.
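
As an added illustration of the two-slider weighting sketched above (example code written for this page, not the thesis's method), the script below scores every candidate completion of a constructed obstructed case in two cost dimensions, a security-oriented one (risk-weighted unauthorized assignments and SoD violations) and a resilience-oriented one (expected absences derived from assumed presence probabilities), lists the Pareto-optimal candidates and picks the weighted-sum optimum for given slider positions. All users, policies, risk costs and presence probabilities are assumptions.

```python
from itertools import product

# Constructed situation (not data from the thesis): a case is obstructed with two
# tasks left, and a delegate must be chosen for each from four candidate users.
REMAINING = ["approve", "release"]
AUTH = {"approve": {"carol", "dave"}, "release": {"carol", "erin"}}
SOD = [("approve", "release")]
USERS = ["bob", "carol", "dave", "erin"]

# Security-oriented indicator (constructed): risk cost of assigning a user the
# policy does not authorize; bob's costs are low because a risk score rates him so.
UNAUTH_COST = {("bob", "approve"): 1.5, ("bob", "release"): 1.0}
DEFAULT_UNAUTH_COST = 5.0
SOD_COST = 3.0
# Resilience-oriented indicator (constructed): probability that a user is present.
PRESENCE = {"bob": 0.99, "carol": 0.55, "dave": 0.95, "erin": 0.6}


def security_cost(assignment):
    """Summed cost of unauthorized assignments and SoD violations."""
    cost = sum(UNAUTH_COST.get((u, t), DEFAULT_UNAUTH_COST)
               for t, u in assignment.items() if u not in AUTH[t])
    cost += sum(SOD_COST for a, b in SOD if assignment[a] == assignment[b])
    return cost


def resilience_cost(assignment):
    """Expected number of assigned users who turn out to be absent."""
    return sum(1.0 - PRESENCE[u] for u in assignment.values())


def candidates():
    """Every assignment of the remaining tasks with its two cost dimensions."""
    for users in product(USERS, repeat=len(REMAINING)):
        a = dict(zip(REMAINING, users))
        yield a, security_cost(a), resilience_cost(a)


def pareto_front():
    """Assignments not dominated in both dimensions, sorted by security cost."""
    points = list(candidates())
    front = [(a, s, r) for a, s, r in points
             if not any((s2 <= s and r2 <= r) and (s2 < s or r2 < r)
                        for _, s2, r2 in points)]
    return sorted(front, key=lambda p: (p[1], p[2]))


def choose(w_security, w_resilience):
    """Weighted-sum optimum for the two slider positions.

    Ties on the weighted sum are broken by the unweighted sum of both costs, then
    by the assignment itself, so the result is deterministic.
    """
    return min(candidates(),
               key=lambda p: (w_security * p[1] + w_resilience * p[2],
                              p[1] + p[2], tuple(p[0].items())))


if __name__ == "__main__":
    for a, s, r in pareto_front():
        print(f"{a}  security={s:.2f}  resilience={r:.2f}")
    for weights in [(1.0, 0.0), (0.5, 0.5), (0.1, 0.9), (0.0, 1.0)]:
        print(weights, "->", choose(*weights)[0])
```

With the security slider alone, the fully authorized and SoD-compliant pair dave/erin wins; with the resilience slider alone, the almost always present bob takes both tasks, which violates the authorization policy and the SoD constraint; a 0.1/0.9 weighting lands on the trade-off dave/bob. The Pareto front shows which candidates a Chief Compliance Officer can reasonably choose between at all, regardless of the slider position.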

6.2.2 Beyond the Case: Inter-Instance- and Inter-Process-Related Obstructions

By expanding the focus from single process executions to the overall interrelations between processes orchestrated and steered by a PAIS, new problems regarding obstructive situations could be identified that accompany new possibilities for solutions beyond the individual case perspective. The SecANet encoding must then be extended to represent entire process architectures, e.g., with constraints between processes or their instances and users participating in different processes. Obstructions could result from the dependencies within the execution of several processes and their interplay with the overall policy. Besides control-flow dependencies between processes, this could affect the data flow, e.g., when a process is waiting for a processing file to complete because another obstructed process is idly accessing the file. Such more complex security-aware workflow specifications could also be related to satisfiability and resilience aspects. For example, requesting a vacation in such a system would reveal the impact of a user’s absence from a process and provide a realistic overall view to determine the possibility of increasing obstructive risk or changing levels of resilience.

For resolving obstructed processes, this approach also makes it possible to consider the affected case along with its relation to other ongoing process executions, such as the users involved. An indicator could then correspond to the importance of executing specific (core) processes against the background of all processes running in a PAIS.

6.2.3 Beyond Predictions: Corrective Monitoring upon Occurring Obstructions

Due to the comparable problem setting, the developed methods can complement predictive monitoring by considering obstruction-related metrics as outcome-oriented predictions. Considering an obstructability metric during execution is comparable to an obstruction-free enforcement mechanism. For example, depending on a certain threshold of the obstructability metric, an attempt to assign a user to a task may or may not be permitted. Correspondingly, a completability metric that also captures the similarity of the execution to obstructed sequences, or a trend metric indicating if a process execution is tending towards an obstruction or completion, could refine predictions.

The predictive monitoring within the process mining could be complemented through a further step that prevents or avoids process execution from “going wrong,” while also correcting an occurring obstruction at runtime as a variant of online process mining. Such corrective monitoring can resolve the obstructed process execution at runtime by steering it to completion on-the-fly.
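
As an added illustration of threshold-based gating and corrective steering with an obstructability metric (example code written for this page; the metric's definition is this example's own, not the thesis's), the script below computes, for a constructed three-task workflow, the share of authorized choices for the next task that would lead into an obstructed state, charts it as a trend over the executed prefix, refuses assignments that push it over a threshold, and recommends the user that keeps it lowest. Tasks, users, policy and constraints are assumptions.

```python
from itertools import product

# Constructed three-task workflow (not data from the thesis) with an authorization
# policy and pairwise separation-of-duty (SoD) constraints.
TASKS = ["draft", "review", "sign"]
AUTH = {"draft": {"ann", "ben"}, "review": {"ben", "cat"}, "sign": {"ann", "cat"}}
SOD = [("draft", "review"), ("review", "sign"), ("draft", "sign")]
USERS = sorted(set().union(*AUTH.values()))


def violation_free(assignment):
    """Authorized users everywhere and no SoD pair served by the same user."""
    return (all(u in AUTH[t] for t, u in assignment.items())
            and all(a not in assignment or b not in assignment
                    or assignment[a] != assignment[b] for a, b in SOD))


def remaining(prefix):
    done = dict(prefix)
    return [t for t in TASKS if t not in done]


def completable(prefix):
    """True if the executed prefix [(task, user), ...] still has a violation-free completion."""
    done, rest = dict(prefix), remaining(prefix)
    return any(violation_free({**done, **dict(zip(rest, users))})
               for users in product(USERS, repeat=len(rest)))


def obstructability(prefix):
    """Share of authorized choices for the next task that end in an obstructed
    state; 1.0 once the prefix itself cannot be completed, 0.0 for a finished
    violation-free case.  (A metric constructed for this example.)"""
    if not completable(prefix):
        return 1.0
    rest = remaining(prefix)
    if not rest:
        return 0.0
    choices = sorted(AUTH[rest[0]])
    dead = sum(not completable(prefix + [(rest[0], u)]) for u in choices)
    return dead / len(choices)


def trend(prefix):
    """Metric after each executed step, i.e. the trend a monitor would chart."""
    return [obstructability(prefix[:i]) for i in range(len(prefix) + 1)]


def permit(prefix, task, user, threshold):
    """Gate an assignment: allow it only if the metric stays within the threshold."""
    return obstructability(prefix + [(task, user)]) <= threshold


def steer(prefix):
    """Corrective step: the authorized user for the next task with the lowest
    resulting metric (alphabetical tie-break)."""
    nxt = remaining(prefix)[0]
    return min(sorted(AUTH[nxt]), key=lambda u: obstructability(prefix + [(nxt, u)]))


if __name__ == "__main__":
    executed = [("draft", "ann")]
    print("trend so far:", trend(executed))                       # [0.0, 0.5]
    print("cat may review:", permit(executed, "review", "cat", 0.5))  # False: would obstruct
    print("recommended reviewer:", steer(executed))              # ben
```

Assigning the review to cat after ann drafted leaves nobody who may sign without a SoD violation, so the metric jumps to 1.0 and the gate rejects the assignment, while the steering step proposes ben, whose assignment keeps a violation-free completion open. Charting the trend over a running case is the corrective counterpart to an outcome prediction: it reacts to the obstruction the moment an assignment would cause it.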