Designing secure business processes from organisational goal models

  • Nikolaos Argyropoulos

    Student thesis: Doctoral Thesis

    Abstract

    Business processes are essential instruments used for the coordination of organisational
    activities in order to produce value in the form of products and
    services. Information security is an important non-functional characteristic of
    business processes due to the involvement of sensitive data exchanged between
    their participants. Therefore, potential security shortfalls can severely impact
    organisational reputation and customer trust, and cause compliance issues. Nevertheless,
    despite its importance, security is often considered as a technical concern
    and treated as an afterthought during the design of information systems and the
    business processes which they support.
    The consideration of security during the early design stages of information
    systems is highly beneficial. Goal-oriented security requirements engineering approaches
    can contribute to the early elicitation of system requirements at a high
    level of abstraction and capture the organisational context and rationale behind
    design choices. Aligning such requirements with process activities at the operational
    level augments the traceability between system models of different abstraction
    levels and leads to more robust and context-aware operationalisations
    of security. Therefore, there needs to be a well-defined and verifiable interconnection
    between a system’s security requirements and its business process models.
    This work introduces a framework for the design of secure business process
    models. It uses security-oriented goal models as its starting point to capture
    a socio-technical view of the system to-be and its security requirements during
    its early design stages. Concept mappings and model transformation rules are
    also introduced as a structured way of extracting business process skeletons from
    such goal models, in order to facilitate the alignment between the two different
    levels of abstraction. The extracted business process skeletons are refined to
    complete business process models through the use of a set of security patterns,
    which standardise proven solutions to recurring security problems. Finally, the
    framework also offers security verification capabilities of the produced process
    models through the introduction of security-related attributes and model checking
    algorithms.
    Evaluation of this work is performed through: (i) individual evaluation of
    its components via their application in real-life systems, (ii) a workshop-based
    modelling exercise where participants used and evaluated parts of the framework
    and (iii) a case study from the public administration domain where the overall
    framework was applied in cooperation with stakeholders of the studied system.
    The evaluation indicated that the developed framework provides a structured approach which supports stakeholders in designing and evaluating secure business
    process models.
    Date of Award: 2018
    Original language: English
    Awarding Institution
    • University of Brighton
    Supervisor: Haralambos Mouratidis

    Keywords

    • Information security
    • goal-oriented security requirements engineering
    • business process modelling
    • business process security
