Designing secure business processes from organisational goal models

  • Nikolaos Argyropoulos

Student thesis: Doctoral Thesis


Business processes are essential instruments used for the coordination of organisational
activities in order to produce value in the form of products and
services. Information security is an important non-functional characteristic of
business processes due to the involvement of sensitive data exchanged between
their participants. Therefore, potential security shortfalls can severely impact
organisational reputation and customer trust, and cause compliance issues. Nevertheless,
despite its importance, security is often considered as a technical concern
and treated as an afterthought during the design of information systems and the
business processes which they support.

The consideration of security during the early design stages of information
systems is highly beneficial. Goal-oriented security requirements engineering approaches
can contribute to the early elicitation of system requirements at a high
level of abstraction and capture the organisational context and rationale behind
design choices. Aligning such requirements with process activities at the operational
level augments the traceability between system models of different abstraction
levels and leads to more robust and context-aware operationalisations
of security. Therefore, there needs to be a well-defined and verifiable interconnection
between a system’s security requirements and its business process models.

This work introduces a framework for the design of secure business process
models. It uses security-oriented goal models as its starting point to capture
a socio-technical view of the system to-be and its security requirements during
its early design stages. Concept mappings and model transformation rules are
also introduced as a structured way of extracting business process skeletons from
such goal models, in order to facilitate the alignment between the two different
levels of abstraction. The extracted business process skeletons are refined to
complete business process models through the use of a set of security patterns,
which standardise proven solutions to recurring security problems. Finally, the
framework also offers security verification capabilities of the produced process
models through the introduction of security-related attributes and model checking

Evaluation of this work is performed: (i) through individual evaluation of
its components via their application in real-life systems, (ii) a workshop-based
modelling exercise where participants used and evaluated parts of the framework
and (iii) a case study from the public administration domain where the overall
framework was applied in cooperation with stakeholders of the studied system.
The evaluation indicated that the developed framework provides a structured
approach which supports stakeholders in designing and evaluating secure business
process models.
Date of Award: 2018
Awarding Institution
  • University of Brighton
Supervisor: Haris Mouratidis (Supervisor)


  • Information security
  • goal-oriented security requirements engineering
  • business process modelling
  • business process security

