A Cyber Security Ontology for BPMN-Security Extensions

Maines, Curtis L.; Llewellyn‐Jones, David; Tang, Stephen; Zhou, Bo

doi:10.1109/cit/iucc/dasc/picom.2015.265

Cited by 21 publications

(18 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Modeling security requirements during the design phase of the business processes models is a promising research direction in the field of security engineering [40]. The key idea is to extend graphical business process modeling languages such as BPMN [7] to support the modeling and analysis of security requirements.…”

Section: Bpmn-based Security Engineeringmentioning

confidence: 99%

“…Despite the availability of various BPMN-based security extensions [40], support for data-minimization and fairness requirements in business process models is sparse. For dataminimization requirements, we are only aware of the work proposed in [62], which considers one data-minimization requirement, namely anonymity.…”

Section: Bpmn-based Security Engineeringmentioning

confidence: 99%

“…However, fairness and further data-minimization requirements such as unlinkability and undetectability were not addressed yet. Readers interested in a comprehensive overview of the concepts that have been considered by the previous BPMN security extensions are referred to Maines et al's survey in [40].…”

Section: Bpmn-based Security Engineeringmentioning

confidence: 99%

“…However, to allow capturing the variations between these concepts, a type attribute in the fairness annotation allows specifying the fairness type (i.e., group-or individual fairness), while a level attribute in the anonymity annotation allows specifying the required level of anonymity (i.e., full anonymous vs. pseudonymous). Using one annotation to represent related concepts is recommended to reduce [40]. For the same purpose, we introduced a specific annotation for unobservability, although unobservability, by definition, can be achieved by preserving both anonymity and undetectability.…”

Section: Data-minimization and Fairness Annotationsmentioning

confidence: 99%

See 3 more Smart Citations

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

et al. 2020

View full text Add to dashboard Cite

Requirements are inherently prone to conflicts. Security, data-minimization, and fairness requirements are no exception. Importantly, undetected conflicts between such requirements can lead to severe effects, including privacy infringement and legal sanctions. Detecting conflicts between security, data-minimization, and fairness requirements is a challenging task, as such conflicts are context-specific and their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution of a task that writes data into a secure data storage, where the identity of the writer is needed for the purpose of accountability. Moreover, conflicts not arise from trade-offs between requirements elicited from the stakeholders, but also from misinterpretation of elicited requirements while implementing them in business processes, leading to a non-alignment between the data subjects' requirements and their specifications. Both types of conflicts are substantial challenges for conflict detection. To address these challenges, we propose a BPMN-based framework that supports: (i) the design of business processes considering security, data-minimization and fairness requirements, (ii) the encoding of such requirements as reusable, domain-specific patterns, (iii) the checking of alignment between the encoded requirements and annotated BPMN models based on these patterns, and (iv) the detection of conflicts between the specified requirements in the BPMN models based on a catalog of domain-independent anti-patterns. The security requirements were reused from SecBPMN2, a security-oriented BPMN 2.0 extension, while the fairness and data-minimization parts are new. For formulating our patterns and anti-patterns, we extended a graphical query language called SecBPMN2-Q. We report on the feasibility and the usability of our approach based on a case study featuring a healthcare management system, and an experimental user study.

show abstract

Section: Bpmn-based Security Engineeringmentioning

confidence: 99%

Section: Bpmn-based Security Engineeringmentioning

confidence: 99%

Section: Bpmn-based Security Engineeringmentioning

confidence: 99%

Section: Data-minimization and Fairness Annotationsmentioning

confidence: 99%

See 2 more Smart Citations

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

et al. 2020

View full text Add to dashboard Cite

show abstract

“…There are also proposed languages for the formulation of security constraints embedded in BPMN [41].…”

Section: Related Workmentioning

confidence: 99%

A Framework for Systematic Refinement of Trustworthiness Requirements

Mohammadi

Heisel

2017

Information

View full text Add to dashboard Cite

Abstract:The trustworthiness of systems that support complex collaborative business processes is an emergent property. In order to address users' trust concerns, trustworthiness requirements of software systems must be elicited and satisfied. The aim of this paper is to address the gap that exists between end-users' trust concerns and the lack of implementation of proper trustworthiness requirements. New technologies like cloud computing bring new capabilities for hosting and offering complex collaborative business operations. However, these advances might bring undesirable side effects, e.g., introducing new vulnerabilities and threats caused by collaboration and data exchange over the Internet. Hence, users become more concerned about trust. Trust is subjective; trustworthiness requirements for addressing trust concerns are difficult to elicit, especially if there are different parties involved in the business process. We propose a user-centered trustworthiness requirement analysis and modeling framework. We integrate the subjective trust concerns into goal models and embed them into business process models as objective trustworthiness requirements. Business process model and notation is extended to enable modeling trustworthiness requirements. This paper focuses on the challenges of elicitation, refinement and modeling trustworthiness requirements. An application example from the healthcare domain is used to demonstrate our approach.

show abstract

A Valid BPMN Extension for Supporting Security Requirements Based on Cyber Security Ontology

Chergui

Benslimane

2018

Model and Data Engineering

View full text Add to dashboard Cite

A Cyber Security Ontology for BPMN-Security Extensions

Cited by 21 publications

References 13 publications

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements

A Framework for Systematic Refinement of Trustworthiness Requirements

A Valid BPMN Extension for Supporting Security Requirements Based on Cyber Security Ontology

Contact Info

Product

Resources

About