Enhancing secure business process design with security process patterns

Business process definition and analysis are an important activity for any organisation. As research has demonstrated, well-defined business processes can reduce cost, improve productivity and provide organisations with competitive advantages. In the last few years, the need to ensure the security of business processes has been identified as a major research challenge. Limited security expertise of business process developers together with a clear lack of appropriate methods and techniques to support the security analysis of business processes is important prohibitors to providing answers to that research challenge. This paper introduces the first attempt in the literature to produce a novel pattern-based approach to support the design and analysis of secure business processes. Our work draws on elements from the security requirements engineering area and the security patterns area, combined with business process modelling, and it produces a set of process-level security patterns which are used to implement security in a given business process model. Such an approach advances the existing literature by providing a structured way of operationalising security at the business process level of abstraction. The applicability of the work is illustrated through an application to a real-life information system, and the effectiveness and usability of the work are evaluated via a workshop-based experiment. The evaluation clearly indicates that non-experts are able to comprehend and utilise the developed patterns to construct secure business process designs.