Abstract
The importance of secure-by-design systems is well recognised. However, incidents or disputes requiring thorough investigation might occur even in highly secure systems. Forensic-ready software systems aim to ease such investigations by including requirements for reliable, admissible, and on-point data that can serve as potential evidence. Yet, the software engineering techniques for such systems have numerous open challenges. One of them, representation and reasoning, is tackled in this chapter by defining the syntax and semantics of the modelling language BPMN for Forensic-Ready Software Systems (BPMN4FRSS). In addition to representing the requirements and specific controls, a semantic mapping to forensic-ready risk management is defined to support risk-oriented design. This approach to designing forensic-ready software systems, supported by BPMN4FRSS models, is then demonstrated.
This research was supported by ERDF “CyberSecurity, CyberCrime and Critical Information Infrastructures Center of Excellence” (No. CZ.02.1.01/0.0/0.0/16_019/0000822).
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Daubner, L., Matulevičius, R., Buhnova, B., Pitner, T. (2023). BPMN4FRSS: An BPMN Extension to Support Risk-Based Development of Forensic-Ready Software Systems. In: Kaindl, H., Mannion, M., Maciaszek, L.A. (eds) Evaluation of Novel Approaches to Software Engineering. ENASE 2022. Communications in Computer and Information Science, vol 1829. Springer, Cham. https://doi.org/10.1007/978-3-031-36597-3_2
DOI: https://doi.org/10.1007/978-3-031-36597-3_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-36596-6
Online ISBN: 978-3-031-36597-3
eBook Packages: Computer Science (R0)