Affiliation:
1. Institute of Computer Science, University of Tartu, Tartu, Estonia
Abstract
Business process modelling is one of the major aspects in the modern information system development. Recently business process model and notation (BPMN) has become a standard technique to support this activity. Typically the BPMN notations are used to understand enterprise's business processes. However, limited work exists regarding how security concerns are addressed during the management of the business processes. This is a problem, since both business processes and security should be understood in parallel to support a development of the secure information systems. In the previous work we have analysed BPMN with respect to the domain model of the IS security risk management (ISSRM) and showed how the language constructs could be aligned to the concepts of the ISSRM domain model. In this paper the authors propose the BPMN extensions for security risk management based on the BPMN alignment to the ISSRM concepts. We illustrate how the extended BPMN could express assets, risks and risk treatment on few running examples related to the Internet store regarding the asset confidentiality, integrity and availability. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. The paper opens the possibility for business and security model interoperability and the model transformation between several modelling approaches (if these both are aligned to the ISSRM domain model).
Subject
Management of Technology and Innovation,Information Systems
Reference36 articles.
1. Ahmed, N., & Matulevičius, R. (2013, in press). Securing business processes using security risk-oriented patterns. Journal of Computer Standards & Interfaces. Elsevier.
2. Ahmed, N., Matulevičius, R., & Khan, N. H. (2012). Eliciting security requirements for business processes using patterns. In Proceedings of the 9th International Workshop on Security in Information Systems (pp 49-58). SciTePress
3. OCTAVE Method Implementation Guide Version 2.0. Volume 1: Introduction
4. Altuhhova, O., Matulevičius, R., & Ahmed, N. (2012). Towards definition of secure business process. In M. Bajec, & J. Eder (Eds.), Lecture Notes in Business Information Research: CAiSE 2012 International Workshops, Workshop on Information Systems Security Engineering (pp. 1-15). Springer Heidelberg, LNBIP.
5. From trust to dependability through risk analysis.;Y.Asnar;Proceedings of ARES,2007
Cited by
40 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献