Security Requirements Engineering Framework with BPMN 2.0.2 Extension Model for Development of Information Systems

Zareen, Saima; Akram, Adeel; Khan, Shoab A.

doi:10.3390/app10144981

Cited by 27 publications

(13 citation statements)

References 39 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Essentially, we found that (a) most of the current approaches require meta-model extensions that add a considerable number of security-related BPMN components, of which many are (b) excessively verbose, and thus difficult to manage (e. g., [21], [27], [32]) or fail to express security concepts in a format that is fully comprehensible to business experts, others propose only a theoretical or descriptive extension (e. g., [16], [18]). Threat modeling A threat profile security framework was proposed as a BPMN extension by Zareen et al in [32]. The authors leveraged the extension mechanism provided in BPMN 2.0 to model threat-based security requirements and introduced several graphical components for BPMN diagrams.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Towards Automated Attack Simulations of BPMN-based Processes

Hacks¹,

Lagerström²,

Ritter³

2021

2021 IEEE 25th International Enterprise Distributed Object Computing Conference (EDOC)

View full text Add to dashboard Cite

Process digitization and integration is an increasing need for enterprises, while cyber-attacks denote a growing threat. Using the Business Process Model and Notation (BPMN) is common to handle the digital and integration focus within and across organizations. In other parts of the same companies, threat modeling and attack graphs are used for analyzing the security posture and resilience.In this paper, we propose a novel approach to use attack graph simulations on processes represented in BPMN. Our contributions are the identification of BPMN's attack surface, a mapping of BPMN elements to concepts in a Meta Attack Language (MAL)-based Domain-Specific Language (DSL), called coreLang, and a prototype to demonstrate our approach in a case study using a real-world invoice integration process. The study shows that non-invasively enriching BPMN instances with cybersecurity analysis through attack graphs is possible without much human expert input. The resulting insights into potential vulnerabilities could be beneficial for the process modelers.

show abstract

Section: Related Workmentioning

confidence: 99%

“…Different ways to enrich the standardized BPMN with new concepts that reflect various security aspects already exist (e. g., [15], [18], [21], [27], [32]). However, if organizations have a large set of productive processes, adding supplementary information is often an unfeasible effort.…”

Section: Introductionmentioning

confidence: 99%

Towards Automated Attack Simulations of BPMN-based Processes

Hacks¹,

Lagerström²,

Ritter³

2021

2021 IEEE 25th International Enterprise Distributed Object Computing Conference (EDOC)

View full text Add to dashboard Cite

show abstract

“…Semantics, namely the meaning of the requirements, allows the enhancement of accuracy and completeness, leading to a better understanding of hidden connections [8,10,[25][26][27]. In the literature, however, there are even domain-specific approaches, such as in [28], that deal with a specific case, and such as with security requirements that propose visual notations in order to express requirements. In [28], the authors propose the use of business process management notation (BPMN), a graphical representation for business requirements to define business processes.…”

Section: Related Workmentioning

confidence: 99%

SENSE: A Flow-Down Semantics-Based Requirements Engineering Framework

2021

View full text Add to dashboard Cite

The processes involved in requirements engineering are some of the most, if not the most, important steps in systems development. The need for well-defined requirements remains a critical issue for the development of any system. Describing the structure and behavior of a system could be proven vague, leading to uncertainties, restrictions, or improper functioning of the system that would be hard to fix later. In this context, this article proposes SENSE, a framework based on standardized expressions of natural language with well-defined semantics, called boilerplates, that support a flow-down procedure for requirement management. This framework integrates sets of boilerplates and proposes the most appropriate of them, depending, among other considerations, on the type of requirement and the developing system, while providing validity and completeness verification checks using the minimum consistent set of formalities and languages. SENSE is a consistent and easily understood framework that allows engineers to use formal languages and semantics rather than the traditional natural languages and machine learning techniques, optimizing the requirement development. The main aim of SENSE is to provide a complete process of the production and standardization of the requirements by using semantics, ontologies, and appropriate NLP techniques. Furthermore, SENSE performs the necessary verifications by using SPARQL (SPIN) queries to support requirement management.

show abstract

“…Since security is the main concern of any organization, the level of security features available with the access management scheme should be well organized and arranged according to the time requirements. Previous authors [3][4][5][6] are mainly concerned with the analysis of information security components and risk analysis. This research focuses on managing privileged access using Active Directory services to provide an authentic and improved way of identity management for any organization.…”

Section: Introductionmentioning

confidence: 99%

Identity Governance Framework for Privileged Users

Alruwies¹,

Mishra²,

Alshehri³

2022

Computer Systems Science and Engineering

View full text Add to dashboard Cite

Information technology companies have grown in size and recognized the need to protect their valuable assets. As a result, each IT application has its authentication mechanism, and an employee needs a username and password. As the number of applications increased, as a result, it became increasingly complex to manage all identities like the number of usernames and passwords of an employee. All identities had to be retrieved by users. Both the identities and the access rights associated with those identities had to be protected by an administrator. Management couldn't even capture such access rights because they couldn't verify things like privacy and security. Identity management can help solve this problem. The concept behind identity management is to centralize identity management and manage access identity centrally rather than multiple applications with their authentication and authorization mechanisms. In this research work, we develop governance and an identity management framework for information and technology infrastructures with privileged access management, consisting of cybersecurity policies and strategies. The results show the efficiency of the framework compared to the existing information security components. The integrated identity and access management and privileged access management enable organizations to respond to incidents and facilitate compliance. It can automate use cases that manage privileged accounts in the real world.

show abstract

Security Requirements Engineering Framework with BPMN 2.0.2 Extension Model for Development of Information Systems

Cited by 27 publications

References 39 publications

Towards Automated Attack Simulations of BPMN-based Processes

Towards Automated Attack Simulations of BPMN-based Processes

SENSE: A Flow-Down Semantics-Based Requirements Engineering Framework

Identity Governance Framework for Privileged Users

Contact Info

Product

Resources

About