Why Are Business Processes Not Secure?

Müller, Günter; Accorsi, Rafael

doi:10.1007/978-3-642-42001-6_17

Cited by 9 publications

(11 citation statements)

References 40 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The application layer defines the security needed by the services and the data schemas required for the execution of the business processes. The infrastructure layer defines the security needed for the software and hardware to automate the execution of business processes [6]. Business process security must consider security each of the three layers.…”

Section: A Bpm Securitymentioning

confidence: 99%

“…Both the application layer and infrastructure layer have been heavily investigated; however, the business layer is a relatively new and challenging area for research. Such research focuses on business process design time security; the security of the process model is investigated before the actual runtime of the business process instances [6].…”

Section: A Bpm Securitymentioning

confidence: 99%

“…A literature review shows several fraud cases that originate from the exploitation of different vulnerabilities in process models. For instance, the Swiss bank UBS had a loss of approximately two billion US dollars due to a structural issue of the process model [6]. In Europe, processes that include "forward-settling" exchangetraded funds (ETF) cash options do not issue confirmations until after settlement has taken place.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

An Empirical Investigation of the Relationship Between Business Process Transparency and Business Process Attack

Aldayel¹,

Alturki²

2021

IJACSA

View full text Add to dashboard Cite

Business Process Management (BPM) is a management approach to discover, analyze, redesign, execute and monitor business processes. Implementing BPM concepts help and benefit organizations by increasing their productivity, achieving their strategies and operational excellence, and saving costs. Rosemann et al. identify business process transparency as one of the key values of BPM, and essential to achieving other BPM benefits. Business process transparency provides visibility about how operations/activities are conducted in a detailed way, sometimes with technical details, within an organization; which facilitates the identification of structural issues of the process model. A conducted content analysis of the literature shows that fraudsters have leveraged structural issues of the business process model to commit fraud. Such fraud can be labeled as a Business Process Attack (BPA). In analogy to information system security attack, BPA can be defined as the exploitation of a vulnerability in a business process model to commit fraudulent activities that influence the business negatively such as achieving invalid or unwanted results. This research aims to investigate the relationship between the degree of business process transparency and exposure to BPA. If the relationship is positive, appropriate security controls shall be implemented on the business process transparency to avoid BPA. The main research question is: What is the relationship between an organization's degree of business process transparency and exposure to BPA. A quantitative research method is employed to measure and understand the impact of business process transparency on BPA. An experiment is designed and conducted to assess the awareness of the existence of vulnerabilities in various process models and how to exploit them to commit BPA. Results show that there is a positive significant relationship between increased business process transparency and exposure to BPA. This research contributes towards understanding and highlights the negative impact of business process transparency, which motivates researchers to investigate this phenomenon and find appropriate solutions.

show abstract

Section: A Bpm Securitymentioning

confidence: 99%

Section: A Bpm Securitymentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Empirical Investigation of the Relationship Between Business Process Transparency and Business Process Attack

Aldayel¹,

Alturki²

2021

IJACSA

View full text Add to dashboard Cite

show abstract

“…Most of the approaches introduced by the scientific literature of the area introduce overwhelming complexity for non-expert users which severely hinders their widespread adoption by the industry today [2], [4]. One important drawback of such approaches is their limited support for modelling techniques, as most of them require process models to be transformed in a specific manner (e.g., Petri-nets, FSMs) before they can be used as input for a model checker.…”

Section: Related Workmentioning

confidence: 99%

“…Due to the importance of security properties of business process models, a number of approaches specialising in security compliance verification have been developed. Nevertheless, as extensively discussed in Section V, since the formal specification of both the process models and their security requirements introduces considerable overhead in specialised knowledge and time, the adoption of such approaches in real life remains rather limited [2], [4].…”

Section: Introductionmentioning

confidence: 99%

Attribute-Based Security Verification of Business Process Models

Argyropoulos

Mouratidis

Fish³

2017

2017 IEEE 19th Conference on Business Informatics (CBI)

View full text Add to dashboard Cite

Business processes, as the instruments used by organisations to produce value, need to comply with a number of internally and externally imposed standards and restrictions. Since the majority of such processes involve the exchange of sensitive third party information, their compliance to security constraints needs to be verified before they can be implemented. Current attempts for the verification of security compliance of design-time business process models involve the transformation of both the model and the desired security properties into formal specifications, which can be then used as input for automated model checkers. Such an approach is usually costly both in terms of time and specialised knowledge, while also its coverage can be limited to specific types of security requirements. In this work we introduce an approach for the verification of security in business process models based on structural properties of the workflow of the process. To that end, we introduce a series of attributes to existing BPMN 2.0 concepts and algorithms for checking the compliance of a process model against the most common security requirements. Finally, a real-world business process is used to demonstrate and evaluate the applicability of our proposal.

show abstract

A Practitioner’s View on Process Mining Adoption, Event Log Engineering and Data Challenges

Accorsi

Lebherz

2022

Lecture Notes in Business Information Processing

Self Cite

View full text Add to dashboard Cite

Process mining is, today, an essential analytical instrument for data-driven process improvement and steering. While practical literature on how to derive value from process mining exists, less attention haas been paid to how it is being used in different industries, the effort involved in creating an event log and what are the best practices in doing so. Taking a practitioner’s view on process mining, we report on process mining adoption and illustrate the challenges of log contruction by means of the order to cash (i.e. sales) process in an SAP system. By doing so, we collect a set of best practices regarding the data selection, extraction, transformation and data model engineering, which proved themselves handy in large-scale process mining projects.

show abstract

Why Are Business Processes Not Secure?

Cited by 9 publications

References 40 publications

An Empirical Investigation of the Relationship Between Business Process Transparency and Business Process Attack

An Empirical Investigation of the Relationship Between Business Process Transparency and Business Process Attack

Attribute-Based Security Verification of Business Process Models

A Practitioner’s View on Process Mining Adoption, Event Log Engineering and Data Challenges

Contact Info

Product

Resources

About