Security requirement analysis of business processes

Authors: Peter Herrmann (1), Gaby Herrmann (2)

Affiliations: (1) Department of Telematics, Norwegian University of Science and Technology, 7491 Trondheim, Norway; (2) Institute of Computer Science and Business Information Systems, University of Duisburg-Essen, 45141 Essen, Germany

Abstract: Economic globalization leads to complex decentralized company structures calling for the extensive use of distributed IT systems. The business processes of a company have to reflect these changes of infrastructure. In particular, due to new electronic applications and the inclusion of a higher number of potentially unknown persons, the business processes are more vulnerable to malicious attacks than traditional processes. Thus, a business process should undergo a security analysis, in which the vulnerabilities of the business process are identified, the risks resulting from the vulnerabilities are calculated, and suitable safeguards reducing the vulnerabilities are selected. Unfortunately, a security analysis tends to be complex and requires expensive security expert support. In order to reduce the expense and to enable domain experts with in-depth insight into business processes but with limited knowledge about security to develop secure business processes, we developed the framework MoSSBP, which facilitates the handling of business process security requirements from their specification to their realization. In particular, MoSSBP provides graphical concepts to specify security requirements, repositories of various mechanisms enforcing the security requirements, and a collection of reference models and case studies enabling the modification of the business processes. In this paper, the MoSSBP framework is presented. Additionally, we introduce a tool supporting the MoSSBP-related security analysis of business processes and the incorporation of safeguards. This tool is based on object-oriented process models and operates with graph rewrite systems. Finally, we illustrate the application of the MoSSBP framework by means of a business process for tender handling which is equipped with anonymity-preserving safeguards.

Author biographies: Peter Herrmann studied computer science at the University of Karlsruhe, Germany (diploma in 1990). Afterwards, he worked as a Ph.D. student (doctorate in 1997) and postdoctoral researcher in the Computer Networks and Distributed Systems Group of the Computer Science Department at the University of Dortmund, Germany. Since 2005 he has been a full professor for formal methods at the Department of Telematics of the Norwegian University of Science and Technology (NTNU) in Trondheim, Norway. His research interests include the formal-based development of networked systems and the engineering of distributed services. Moreover, he is interested in security and trust aspects of component-structured distributed software.

Gaby Herrmann studied computer science at the University of Karlsruhe, Germany (diploma in 1991). Afterwards, she worked as a researcher in the Communication Group and the Information Systems Group at the University of Duisburg-Essen (doctorate in 2001, topic: security of business processes). Since 2000 she has worked as executive secretary at the Department of Economics, Business Studies and Computer Sciences at the same university.

Keywords: e-Commerce; Business process; MoSSBP; Object-oriented security analysis; Graph rewriting