Assoc. Prof. PhD. Raimundas Matulevicius, University of Tartu
Prof. PhD. Marlon Dumas, University of Tartu
Prof. PhD. Andreas L. Opdahl, University of Bergen, Norway
Assoc. Prof. PhD. Rafael Accorsi, University of Freiburg, Germany
Any given enterprise produces some value that is for the benefit of its customers. An enterprise can reach its business goals in an efficient and effective manner only if individuals and other enterprise resources, such as information systems, play together well. Business processes are an important concept to facilitating this effective collaboration.
These business processes are described with models that are called business process models. In recent years, modeling of these business process models has received considerable attention. This is due to the fact that information systems increasingly being designed to support business processes. Moreover, given the dynamic business environment that the digital economy has brought about, enterprises need to continuously evolve their business processes and supporting information systems in order to cope with market changes and to take advantage of technology innovations.
This phenomenon increases the need for appropriate information security in business processes. Nowadays, the importance of security has gone far away from just ensuring the business continuity or protecting enterprise's assets; some authors claim security to be the driving force to do business at all. The major problems in existing methods for addressing security analysis are that, these approaches focuses on the implementation of security controls, and leaving behind the rationale for security. Similarly, the requirements elicitation is either missing or haphazard, this leads to miss some critical security requirements; and due to the dynamic and complicated nature of business processes the studies only addresses varying aspects but not the overall security of business processes.
To consider this need, the approach taken in this thesis is to analyse the business process models from a security perspective to derive security objectives and requirements. The thesis has proposed three complementary contributions: Firstly, security risk-oriented patterns that integrate the security risk analysis into business process models. These patterns supports security risk concepts in business process models that business analyst can understand easily. Secondly, the taxonomy for assessing security in business processes. This taxonomy is used to classify the security risk-oriented patterns and helps analysts to apply these patterns in business process models. Finally, these contributions form a foundation for a method, security requirements elicitation from business processes (SREBP) that performs a systematic elicitation of security requirements for their business processes.
These contributions work together to support the security requirements elicitation from business process models, where, i) the identification of business assets and determination of security objectives are carried out from the enterprise's business processes. Moreover, ii) the elicitation of security requirements are performed on the operational business processes using contextual areas.