nach oben

Business & Information Systems Engineering

Erschienen in:

15.01.2018 | Research Paper

Security Requirements Elicitation from Airline Turnaround Processes

verfasst von: Raimundas Matulevičius, Alex Norta, Silver Samarütel

Erschienen in: Business & Information Systems Engineering | Ausgabe 1/2018

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Security risk management is an important part of system development. Given that a majority of modern organizations rely heavily on information systems, security plays a big part in ensuring smooth operations of business processes. For example, many people rely on e-services offered by banks and medical establishments. Inadequate security measures in information systems have unwanted effects on an organization’s reputation and on people’s lives. This case study paper targets the secure system development problem by suggesting the application of security requirements elicitation from business processes (SREBP). This approach provides business analysts with means to elicit and introduce security requirements to business processes through the application of the security risk-oriented patterns (SRPs). These patterns help find security risk occurrences in business processes and present mitigations for these risks. At the same time, they reduce the efforts needed for risk analysis. In this paper, the authors report their experience to derive security requirements for mitigating security risks in the distributed airline turnaround systems.

Vorheriger Artikel Enterprise Modeling for Business Agility

Nächster Artikel Process Modeling Recommender Systems

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

WIRTSCHAFTSINFORMATIK

WI – WIRTSCHAFTSINFORMATIK – ist das Kommunikations-, Präsentations- und Diskussionsforum für alle Wirtschaftsinformatiker im deutschsprachigen Raum. Über 30 Herausgeber garantieren das hohe redaktionelle Niveau und den praktischen Nutzen für den Leser.

Jetzt informieren

Business & Information Systems Engineering

BISE (Business & Information Systems Engineering) is an international scholarly and double-blind peer-reviewed journal that publishes scientific research on the effective and efficient design and utilization of information systems by individuals, groups, enterprises, and society for the improvement of social welfare.

Jetzt informieren

Wirtschaftsinformatik & Management

Texte auf dem Stand der wissenschaftlichen Forschung, für Praktiker verständlich aufbereitet. Diese Idee ist die Basis von „Wirtschaftsinformatik & Management“ kurz WuM. So soll der Wissenstransfer von Universität zu Unternehmen gefördert werden.

Jetzt informieren

http://www.securechange.eu/.

Captured using check-in process description, such as: https://www.airbaltic.com/en/online check in conditions.

In comparison to SRP1, which defines permissions to execute system activities (i.e., functions, operations), the SRP5 pattern takes into account permissions and access control constraints defined regarding the access of the data storage (e.g., database and its separate tables). Such a security model defines the access policy and contributes to the monitoring controls for the data access.

Ahmed N (2014) Deriving security requirements from business process models. PhD thesis, University of Tartu

Ahmed N, Matulevičius R (2014) Securing business process using security risk-oriented patterns. Comput Stand Interfaces 36:723–733CrossRef

Ahmed N, Matulevičius R (2015) Presentation and validation of method for security requirements elicitation from business processes. In: Information systems engineering in complex environments, selected extended papers from CAiSE Forum 2014

Altuhhova O, Matulevičius R, Ahmed N (2013) An extension of business process model and notification for security risk management. Int J Inf Syst Model Des 4(4):93–113CrossRef

Anderson R (2008) Security engineering: a guide to building dependable distributed systems, 2nd edn. Wiley, New York

Balzarotti D, Cova M, Felmetsger V, Jovanovic N, Kirda E, Kruegel C, Vigna G (2008) Saner: composing static and dynamic analysis to validate sanitization in web applications. In: Security and privacy, pp 387–401. IEEE

Bartelt C, Rausch A, Rehfeldt K (2015) Quo vadis cyber-physical systems: research areas of cyber-physical ecosystems: a position paper. In: Proceedings of the 1st international workshop on control theory for software engineering, pp 22–25, New York. ACM

Belobaba P, Odoni A, Barnhart C (2015) The global airline industry. Wiley, New York

Brucker AD, Hang I, Lückemeyer G, Ruparel R (2012) SecureBPMN: modeling and enforcing access control requirements in business processes. In: Proceedings of the 17th ACM symposium on access control models and technologies, pp 123–126. ACM

CC (2015) Common criteria for information technology security evaluation, CC v3.1. Release 4. https://www.commoncriteriaportal.org/cc/. Accessed 2 Feb 2016

Cherdantseva Y, Hilton J, Rana O (2012) Towards SecureBPMN: aligning BPMN with the information assurance and security domain. In: Business process model and notation, LNBIP, pp 107–115. Springer

Clarke J, Fowler K, Oftedal E, Alvarez RM, Hartley D, Kornbrust A, O’Leary-Steele G, Revelli A, Siddharth S, Slaviero M (2012) SQL injection attacks and defense, 2nd edn. Syngress, Burlington

Dalpiaz F, Paja E, Giorgini P (2016) Security requirements engineering: designing secure socio-technical systems. MITT Press, Cambridge

Dubois E, Heymans P, Mayer N, Matulevičius R (2010) A systematic approach to define the domain of information system security risk management. Springer, Berlin, pp 289–306

Fabian B, Gürses S, Heisel M, Santen T, Schmidt H (2010) A comparison of security requirements engineering methods. Req Eng 15(1):7–40CrossRef

Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005a) Modeling security requirements through ownership, permission and delegation. In: Proceedings of the 13th IEEE international conference on requirements engineering (RE’05). IEEE Computer Society

Giorgini P, Massacci F, Mylopoulos J, Zannone N (2005b) Modelling social and individual trust in requirements engineering methodologies. In: Proceedings of the 3nd international conference on trust management, LNCS, pp 161–176. Springer

Jürjens J (2005) Secure system development with UML. Springer, Heidelberg

Kutvonen L, Norta A, Ruohomaa S (2012) Inter-enterprise business transaction management in open service ecosystems. In: Enterprise distributed object computing conference (EDOC), 2012 IEEE 16th International, pp 31–40. IEEE

Leonardi M, Piracci E, Galati G (2014) ADS-B vulnerability to low cost jammers: risk assessment and possible solutions. In: Tyrrhenian international workshop on digital communications-enhanced surveillance of aircraft and vehicles, pp 41–46. IEEE

Long S (2013) Socioanalytic methods: discovering the hidden in organisations and social systems. Karnac, London

Maiden N, Ncube C, Lockerbie J (2008) Inventing requirements: experiences with an airport operations system. In: Paech B, Rolland C (eds) Proceedings of REFSQ 2008. Springer, Heidelberg, pp 58–72

Massacci F, Paci F, Tedeschi A (2014) Assessing a requirements evolution approach: empirical studies in the air traffic management domain. J Syst Softw 95:70–88CrossRef

Matulevičius R, Norta A, Udokwu C, Nõukas R (2016) Security risk management in the aviation turnaround sector. In: Proceeding of FDSE 2016, pp 119–140

Mayer N (2009) Model-based management of information system security risk. PhD thesis, University of Namur

Mead NR, Stehney T (2005) Security quality requirements engineering (SQUARE) methodology. In: Software Engineering for Secure Systems (SESS05)

Mead NR, Hough ED, Stehney II TR (2005) Security quality requirements engineering (SQUARE) methodology. Technical Report CMU/SEI-2005-TR-009, ESC-TR-2005-009, Software Engineering Institute

Mellado D, Fernández-Medina E, Piattini M (2007) A common criteria based security requirements engineering process for the development of secure information systems. Comput Stand Interfaces 29(2):244–253CrossRef

Mellado D, Fernández-Medina E, Piattini M (2008) Towards security requirements management for software product lines: a security domain requirements engineering process. Comput Stand Interfaces 30(6):361–371CrossRef

Mellado D, Blanco C, Sánchez LE, Fernández-Medina E (2010a) A systematic review of security requirements engineering. Comput Stand Interfaces 32:153–165CrossRef

Menzel M, Thomas I, Meinel C (2009) Security requirements specification in service-oriented business process management. In: International conference on availability, reliability and security, pp 41–49

Mülle J, Stackelberg S, Bohm K (2011) A security language for BPMN process models. Technical Report 9, Karlsruhe Reports in Informatics

Nõukas R (2015) Service brokering environment for an airline. Master’s thesis, Tallinn University of Technology

Norta A, Grefen P, Narendra NC (2014) A reference architecture for managing dynamic inter-organizational business processes. Data Knowl Eng 91:52–89CrossRef

Norta A, Ma L, Duan Y, Rull A, Kõlvart M, Taveter K (2015) eContractual choreography-language properties towards cross-organizational business collaboration. J Int Serv Appl 6(1):1–23CrossRef

Rodriguez A, Fernandez-Medina E, Piattini M (2007) A BPMN extension for the modeling of security requirements in business processes. IEICE Trans Inf Syst 90(4):745–752CrossRef

Runeson P, Höst M, Rainer A, Regnell B (2012) Case study research in software engineering: guidelines and examples. Wiley, New YorkCrossRef

Samarütel S (2016) Revision of security risk-oriented patterns for distributed systems. Master’s thesis, University of Tartu

Samarütel S, Matulevičius R, Norta A, Nõukas R (2016) Securing airline-turnaround processes using security risk-oriented patterns. In Proceedings of PoEM 2016, pp 209–224

Sampigethaya K, Poovendran R (2013) Aviation cyber-physical systems: foundations for future aircraft and air transport. Proc IEEE 101(8):1834–1855CrossRef

Sandkuhl K, Matulevičius R, Ahmed N, Kirikova M (2015) Refining security requirement elicitation from business process using method engineering. In: Joint proceedings of the BIR 2015 workshops and doctoral consortium

Schleicher D, Leymann F, Schumm D, Weidmann M (2010) Compliance scopes: extending the BPMN 2.0 meta model to specify compliance requirements. In: IEEE international conference on service-oriented computing and applications, pp 1–8. IEEE

Schumacher M, Fernandez E, Hybertson D, Buschmann F (2005) Security patterns: integrating security and systems engineering. Wiley, New York

Shim W, Massacci F, Tedeschi A, Pollini A (2014) A relative cost-benefit approach for evaluating alternative airport security policies. In: 9th international conference on availability, reliability and security, pp 514–522. IEEE

Sindre G, Opdahl AL (2005) Eliciting security requirements with misuse cases. Requir Eng J 10(1):34–44CrossRef

Titel: Security Requirements Elicitation from Airline Turnaround Processes
verfasst von: Raimundas Matulevičius
Alex Norta
Silver Samarütel
Publikationsdatum: 15.01.2018
Verlag: Springer Fachmedien Wiesbaden
Erschienen in: Business & Information Systems Engineering / Ausgabe 1/2018
Print ISSN: 2363-7005
Elektronische ISSN: 1867-0202
DOI: https://doi.org/10.1007/s12599-018-0518-4

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft"

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

WIRTSCHAFTSINFORMATIK

Business & Information Systems Engineering

Wirtschaftsinformatik & Management

Weitere Artikel der Ausgabe 1/2018

Robo-Advisory

From Expert Discipline to Common Practice: A Vision and Research Agenda for Extending the Reach of Enterprise Modeling

Interview with Anne Persson on “The Practice of Enterprise Modeling”

Enabling Normalized Systems in Practice – Exploring a Modeling Approach

Modeling Simultaneous Cooperation and Competition Among Enterprises

Process Modeling Recommender Systems