Top

Published in:

2019 | OriginalPaper | Chapter

The Current State of the Holistic Privacy and Security Modelling Approach in Business Process and Software Architecture Modelling

Authors : Sascha Alpers, Roman Pilipchuk, Andreas Oberweis, Ralf Reussner

Published in: Information Systems Security and Privacy

Publisher: Springer International Publishing

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

Modelling is central for business process and software architecture documentation and analysis. However, business processes and software architectures are specified with their own highly developed languages, methods and tools. There are approaches in the literature for modelling privacy and security issues using existing business process or architecture modelling languages to express different requirements by enriching these languages with annotations. Nevertheless, there is a lack of formalization and therefore the potential use for tool-based analyses are limited. In addition, the continuity between business and software models is not granted, but when modelling compliance requirements like privacy, traceability is very important, e.g. for compliance checks. In this contribution, approaches for modelling security and privacy in business and software models are examined. One key finding is that there is currently no comprehensive modelling approach which covers the necessary aspects and perspectives. This could include processes as well as, for example, organizational and data structure questions. In conclusion, we suggest developing a new holistic modelling approach which includes the needed aspects and with a concept for the traceability of the requirements from business models to software architecture models.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

previous chapter Notify This: Exploiting Android Notifications for Fun and Profit

next chapter A Critical Security Analysis of the Password-Based Authentication Honeywords System Under Code-Corruption Attack

Reisig, W.: Understanding Petri Nets: Modeling Techniques, Analysis Methods, Case Studies. Springer, New York (2013). https://doi.org/10.1007/978-3-642-33278-4CrossRefMATH

Object Management Group. OMG Unified Modeling Language TM (OMG UML), Version 2.5 (2015)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), vol. 119 (2016)

Alpers, S., Pilipchuk, R., Oberweis, A., Reussner, R.: Identifying needs for a holistic modelling approach to privacy aspects in enterprise software systems. In: Presented at the 4th International Conference on Information Systems Security and Privacy, pp. 74–82 (2018)

Accenture. Cost of cyber crime study (2017). https://www.accenture.com/us-en/insight-cost-of-cybercrime-2017. Accessed 26 Jun 2018

Federal Financial Supervisory Authority (BaFin). Minimum Requirements for Risk Management (2005). https://www.bundesbank.de/Redaktion/EN/Downloads/Tasks/Banking_supervision/PDF/minimum_requirements_for_risk_management_mindestanforderungen_an_das_risikomanagement_marisk.pdf. Accessed 26 Jun 2018

Gesetz zur Erhöhung der Sicherheit informationstechnischer Systeme (IT-Sicherheitsgesetz) (2015)

Genz, A.: Datenschutz in Europa und den USA: Eine rechtsvergleichende Untersuchung unter besonderer Berücksichtigung der Safe-Harbor-Lösung. Deutscher Universitätsverlag (2004)

Hornung, G., Schnabel, C.: Data protection in Germany I: the population census decision and the right to informational self-determination. Comput. Law Secur. Rev. 25(1), 84–88 (2009)CrossRef

10.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, vol. OJ L (1995)

11.

ISO: ISO/ IEC 27000:2014(E) Information technology - Security techniques - Information security management systems - Overview and vocabulary (2014)

12.

Bundesamt für Sicherheit in der Informationstechnik, ‘IT-Grundschutz’. https://www.bsi.bund.de/DE/Themen/ITGrundschutz/itgrundschutz_node.html. Accessed 26 Jun 2018

13.

Agutter, C.: ITIL Foundation Handbook, 3rd edn. The Stationery Office Ltd., London (2012)

14.

COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. http://www.isaca.org/cobit/pages/default.aspx. Accessed: 26 Jun 2018

15.

Störrle, H.: How are conceptual models used in industrial software development?: a descriptive survey. In: Proceedings of the 21st International Conference on Evaluation and Assessment in Software Engineering, New York, NY, USA, pp. 160–169 (2017)

16.

Aerts, A.T.M., Goossenaerts, J.B.M., Hammer, D.K., Wortmann, J.C.: Architectures in context: on the evolution of business, application software, and ICT platform architectures. Inf. Manag. 41(6), 781–794 (2004)CrossRef

17.

Jutla, D.N., Bodorik, P., Ali, S.: Engineering Privacy for Big Data Apps with the Unified Modeling Language. In: 2013 IEEE International Congress on Big Data, pp. 38–45 (2013)

18.

Basso, T., Montecchi, L., Moraes, R., Jino, M., Bondavalli, A.: Towards a UML profile for privacy-aware applications. In: 2015 IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing, pp. 371–378 (2015)

19.

Jürjens, J.: UMLsec: extending UML for secure systems development. In: Jézéquel, J.-M., Hussmann, H., Cook, S. (eds.) UML 2002. LNCS, vol. 2460, pp. 412–425. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45800-X_32CrossRefMATH

20.

Jürjens, J.: Model-based security engineering with UML. In: Aldini, A., Gorrieri, R., Martinelli, F. (eds.) FOSAD 2004-2005. LNCS, vol. 3655, pp. 42–77. Springer, Heidelberg (2005). https://doi.org/10.1007/11554578_2CrossRef

21.

Heldal, R., Schlager, S., Bende, J.: Supporting confidentiality in UML : a profile for the decentralized label model. In: Proceeding Workshop on Critical Systems Development with UML (2004)

22.

Goudalo, W., Seret, D.: Toward the engineering of security of information systems (ESIS): UML and the IS confidentiality. In: 2008 Second International Conference on Emerging Security Information, Systems and Technologies, pp. 248–256 (2008)

23.

Hatebur, D., Heisel, M.: A UML profile for requirements analysis of dependable software. In: Schoitsch, E. (ed.) SAFECOMP 2010. LNCS, vol. 6351, pp. 317–331. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-15651-9_24CrossRef

24.

Fernández-Medina, E., Trujillo, J., Villarroel, R., Piattini, M.: Extending UML for designing secure data warehouses. In: Atzeni, P., Chu, W., Lu, H., Zhou, S., Ling, T.-W. (eds.) ER 2004. LNCS, vol. 3288, pp. 217–230. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30464-7_18CrossRef

25.

Triki, S., Ben-Abdallah, H., Feki, J., Harbi, N.: Modeling conflict of interest in the design of secure data warehouses, pp. 445–448 (2010)

26.

Mouheb, D., Talhi, C., Lima, V., Debbabi, M., Wang, L., Pourzandi, M.: Weaving security aspects into UML 2.0 design models. In: Proceedings of the 13th Workshop on Aspect-oriented Modeling, New York, NY, USA, pp. 7–12 (2009)

27.

Simons, C.: CMP: a UML context modeling profile for mobile distributed systems. In: 2007 40th Annual Hawaii International Conference on System Sciences, HICSS 2007, p. 289b (2007)

28.

Shariati, M., Bahmani, F., Shams, F.: Enterprise information security, a review of architectures and frameworks from interoperability perspective. Procedia Comput. Sci. 3, 537–543 (2011)CrossRef

29.

Huang, H., Kirchner, H.: Secure interoperation design in multi-domains environments based on colored Petri nets. Inf. Sci. 221, 591–606 (2013)MathSciNetCrossRef

30.

Mixia, L., Qiuyu, Z., Dongmei, Y., Hong, Z.: Formal security model research based on Petri-net. In: 2005 IEEE International Conference on Granular Computing, vol. 2, pp. 575–578 (2005)

31.

Akbarzadeh, M., Azgomi, M.A.: A framework for probabilistic model checking of security protocols using coloured stochastic activity networks and PDETool. In: 5th International Symposium on Telecommunications (IST), pp. 210–215 (2010)

32.

Bouroulet, R., Devillers, R., Klaudel, H., Pelz, E., Pommereau, F.: Modeling and analysis of security protocols using role based specifications and petri nets. In: van Hee, Kees M., Valk, R. (eds.) PETRI NETS 2008. LNCS, vol. 5062, pp. 72–91. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-68746-7_9CrossRefMATH

33.

Crazzolara, F., Winskel, G.: Events in security protocols. In: Proceedings of the 8th ACM conference on Computer and Communications Security, pp. 96–105 (2001)

34.

Zhang, Z.-L., Hong, F., Liao, J.-G.: Modeling Chinese wall policy using colored Petri nets. In: The Sixth IEEE International Conference on Computer and Information Technology, p. 162 (2006)

35.

Henry, M.H., Layer, R.M., Zaret, D.R.: Coupled Petri nets for computer network risk analysis. Int. J. Crit. Infrastruct. Prot. 3(2), 67–75 (2010)CrossRef

36.

Sun, H., Yang, J., Wang, X., Zhang, Y.: A verification mechanism for secured message processing in business collaboration. In: Li, Q., Feng, L., Pei, J., Wang, S.X., Zhou, X., Zhu, Q.-M. (eds.) APWeb/WAIM -2009. LNCS, vol. 5446, pp. 480–491. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00672-2_42CrossRef

37.

Lai, H., Hong, J., Jeng, W.: Model e-contract update by coloured activity net. In: 2008 IEEE Asia-Pacific Services Computing Conference, APSCC 2008, pp. 488–493 (2008)

38.

Accorsi, R., Wonnemann, C.: InDico: information flow analysis of business processes for confidentiality requirements. In: Cuellar, J., Lopez, J., Barthe, G., Pretschner, A. (eds.) STM 2010. LNCS, vol. 6710, pp. 194–209. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22444-7_13CrossRef

39.

Accorsi, R., Lehmann, A., Lohmann, N.: Information leak detection in business process models: theory, application, and tool support. Inf. Syst. 47, 244–257 (2015)CrossRef

40.

Li, W., Wu, R., Huang, H.: Colored Petri nets based modeling of information flow security. In: 2009 Second International Workshop on Knowledge Discovery and Data Mining, WKDD 2009, pp. 681–684 (2009)

41.

Knorr, K.: Multilevel security and information flow in Petri net workflows. In: Proceedings of the 9th International Conference on Telecommunication Systems, pp. 613–615 (2001)

42.

Atluri, V., Huang, W.-K.: An extended Petri net model for supporting workflows in a multilevel secure environment. In: Samarati, P., Sandhu, R.S. (eds.) Database Security. IFIP Advances in Information and Communication Technology, pp. 240–258. Springer, Boston (1996). https://doi.org/10.1007/978-0-387-35167-4_15CrossRef

43.

Atluri, V., Huang, W.-K.: A Petri net based safety analysis of workflow authorization models. J. Comput. Secur. 8(2–3), 209–240 (2000)CrossRef

44.

Leitner, M., Miller, M., Rinderle-Ma, S.: An analysis and evaluation of security aspects in the business process model and notation, pp. 262–267 (2013)

45.

Meland, P.H., Gjaere, E.A.: Representing threats in BPMN 2.0, pp. 542–550 (2012)

46.

Wolter, C., Meinel, C.: An approach to capture authorisation requirements in business processes. Requir. Eng. 15(4), 359–373 (2010)CrossRef

47.

Mülle, J., von Stackelberg, S., Böhm, K.: Modelling and transforming security constraints in privacy-aware business processes. In: 2011 IEEE International Conference on Service-Oriented Computing and Applications (SOCA), pp. 1–4 (2011)

48.

Labda, W., Mehandjiev, N., Sampaio, P.: Privacy-aware business processes modeling notation (PrvBPMN) in the context of distributed mobile applications. In: Matera, M., Rossi, G. (eds.) MobiWIS 2013. CCIS, vol. 183, pp. 120–134. Springer, Cham (2013). https://doi.org/10.1007/978-3-319-03737-0_13CrossRef

Title: The Current State of the Holistic Privacy and Security Modelling Approach in Business Process and Software Architecture Modelling
Authors: Sascha Alpers
Roman Pilipchuk
Andreas Oberweis
Ralf Reussner
Publisher: Springer International Publishing
Book: Information Systems Security and Privacy
Print ISBN: 978-3-030-25108-6

Electronic ISBN: 978-3-030-25109-3

Copyright Year: 2019
DOI: https://doi.org/10.1007/978-3-030-25109-3_6

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner