Security requirement analysis of business processes

Economic globalization leads to complex decentralized company structures calling for the extensive use of distributed IT-systems. The business processes of a company have to reflect these changes of infrastructure. In particular, due to new electronic applications and the inclusion of a higher number of—potentially unknown—persons, the business processes are more vulnerable against malicious attacks than traditional processes. Thus, a business should undergo a security analysis. Here, the vulnerabilities of the business process are recognized, the risks resulting from the vulnerabilities are calculated, and suitable safeguards reducing the vulnerabilities are selected. Unfortunately, a security analysis tends to be complex and affords expensive security expert support. In order to reduce the expense and to enable domain experts with in-depth insight in business processes but with limited knowledge about security to develop secure business processes, we developed the framework MoSS_BP facilitating the handling of business process security requirements from their specification to their realization. In particular, MoSS _BP provides graphical concepts to specify security requirements, repositories of various mechanisms enforcing the security requirements, and a collection of reference models and case studies enabling the modification of the business processes. In this paper, the MoSS _BP -framework is presented. Additionally, we introduce a tool supporting the MoSS_BP-related security analysis of business processes and the incorporation of safeguards. This tool is based on object-oriented process models and acts with graph rewrite systems. Finally, we clarify the application of the MoSS_BP-framework by means of a business process for tender-handling which is provided by anonymity-preserving safeguards. Peter Herrmann studied computer science at the University of Karlsruhe, Germany (diploma in 1990). Afterwards, he worked as a Ph.D. student (doctorate in 1997) and postdoctoral researcher in the Computer Networks and Distributed Systems Group of the Computer Science Department at the University of Dortmund, Germany. Since 2005 he is a full professor for formal methods at the Department for Telematics of the Norwegian University of Science and Technology (NTNU) in Trondheim, Norway. His research interests include the formal-based development of networked systems and the engineering of distributed services. Moreover, he is interested in security and trust aspects of component structured distributed software. Gaby Herrmann studied computer science at the University of Karlsruhe, Germany (diploma in 1991). Afterwards, she worked as a researcher in the Communication Group and the Information Systems Group at University of Duisburg-Essen (Doctorate in 2001, topic: security of business processes). Since 2000 she works as executive secretary at the Department of Economics, Business Studies and Computer Sciences at the same university.