Abstract
Modelling is central to business process and software architecture documentation and analysis. However, business processes and software architectures are each specified with their own highly developed languages, methods and tools. The literature contains approaches for modelling privacy and security issues that use existing business process or architecture modelling languages and enrich them with annotations to express different requirements. Nevertheless, these approaches lack formalization, and their potential for tool-based analysis is therefore limited. In addition, continuity between business and software models is not guaranteed, although traceability is very important when modelling compliance requirements such as privacy, e.g. for compliance checks. In this contribution, approaches for modelling security and privacy in business and software models are examined. One key finding is that there is currently no comprehensive modelling approach that covers the necessary aspects and perspectives. These could include processes as well as, for example, organizational and data structure questions. In conclusion, we suggest developing a new holistic modelling approach that includes the needed aspects together with a concept for the traceability of requirements from business models to software architecture models.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Alpers, S., Pilipchuk, R., Oberweis, A., Reussner, R. (2019). The Current State of the Holistic Privacy and Security Modelling Approach in Business Process and Software Architecture Modelling. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2018. Communications in Computer and Information Science, vol 977. Springer, Cham. https://doi.org/10.1007/978-3-030-25109-3_6
DOI: https://doi.org/10.1007/978-3-030-25109-3_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-25108-6
Online ISBN: 978-3-030-25109-3
eBook Packages: Computer Science, Computer Science (R0)