Abstract
Socio-technical systems are an interplay of social (humans and organizations) and technical components interacting with one another to achieve their objectives. Security is a central issue in such complex systems, and it cannot be tackled only through technical mechanisms: the encryption of sensitive data while being transmitted, does not assure that the receiver will not disclose them to unauthorized parties. Therefore, dealing with security in socio-technical systems requires an analysis: (i) from a social and organizational perspective, to elicit the objectives and security requirements of each component; (ii) from a procedural perspective, to define how the actors behave and interact with each other. But, socio-technical systems need to adapt to changes of the external environment, making the need to deal with security a problem that has to be faced during all the systems’ life-cycle. We propose an iterative and incremental process to elicit security requirements and verify the socio-technical system’s compliance with such requirements throughout the systems’ life cycle.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
The System Wide Information Management (SWIM) [2].
- 2.
This scenario is a variant of Case Study B of the FP7 EU Funded Project Aniketos http://www.aniketos.eu.
- 3.
Note that we do not follow the flow of the process, but rather present the activities following a more natural description for SecBPMN, swapping activities 2.1. and 2.2.
- 4.
References
Final report on aniketos on industrial case studies. Technical report (2014). http://aniketos.eu/sites/default/files/downloads/Aniketos%20D6.4%20-%20Final%20report%20on%20Aniketos%20%20applied%20to%20industrial%20case%20studies.pdf
Federal Aviation Administration. SWIM ATM case study, Last visited, March 2014. http://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/atc_comms_services/swim/
Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, New York (2008)
Beeri, C., Eyal, A., Kamenkovich, S., Milo, T.: Querying business processes with BP-QL. Inf. Syst. 33(6), 477–507 (2008)
Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: modeling and enforcing access control requirements in business processes. In: Proceedings of SACMAT’12, pp. 123–126 (2012)
Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: Proceedings of ARES ’13, pp. 546–555 (2013)
Crook, R., Ince, D., Lin, L., Nuseibeh, B.: Security requirements engineering: when anti-requirements hit the fan. In: Proceedings of RE’02, pp. 203–205. IEEE (2002)
Dalpiaz, F., Paja, E., Giorgini, P.: Security requirements engineering via commitments. In: Proceedings of STAST’11, pp. 1–8 (2011)
Deutch, D., Milo, T.: Querying structural and behavioral properties of business processes. In: Arenas, M. (ed.) DBPL 2007. LNCS, vol. 4797, pp. 169–185. Springer, Heidelberg (2007)
Ghose, A.K., Koliadis, G.: Auditing business process compliance. In: Krämer, B.J., Lin, K.-J., Narasimhan, P. (eds.) ICSOC 2007. LNCS, vol. 4749, pp. 169–180. Springer, Heidelberg (2007)
Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: Proceedings of RE’05, pp. 167–176 (2005)
Johansson, H.J., McHugh, P., Pendlebury, A.J., Wheeler, W.A.: Business Process Reengineering: Breakpoint Strategies for Market Dominance. Wiley and Sons, Chichester (1993)
Johnstone, M.N.: Security requirements engineering-the reluctant oxymoron. In: Proceedings of Australian Information Security Management Conference, p. 5 (2009)
Liu, Y., Müller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)
Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: Proceedings of ARES ’09, pp. 41–48 (2009)
Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. IJSEKE 17(2), 285–309 (2007)
OMG. BPMN 2.0., Jan 2011. http://www.omg.org/spec/BPMN/2.0
Paja, E., Dalpiaz, F., Giorgini, P.: Managing security requirements conflicts in socio-technical systems. In: Proceedings of ER’13, pp. 270–283 (2013)
Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: Specifying and reasoning over socio-technical security requirements with STS-tool. In: Ng, W., Storey, V.C., Trujillo, J.C. (eds.) ER 2013. LNCS, vol. 8217, pp. 504–507. Springer, Heidelberg (2013)
Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. Inf. Syst. 90(4), 745–752 (2007)
Rushby, J.: Using model checking to help discover mode confusions and other automation surprises. Reliab. Eng. Syst. Saf. 75, 167–177 (2002)
Sadiq, W., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007)
Saleem, M., Jaafar, J., Hassan, M.: A domain- specific language for modelling security objectives in a business process models of SOA applications. AISS 4(1), 353–362 (2012)
Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning service-oriented architectures with security requirements. In: Meersman, R., Panetto, H., Dillon, T., Rinderle-Ma, S., Dadam, P., Zhou, X., Pearson, S., Ferscha, A., Bergamaschi, S., Cruz, I.F. (eds.) OTM 2012, Part I. LNCS, vol. 7565, pp. 232–249. Springer, Heidelberg (2012)
Salnitri, M., Dalpiaz, F., Giorgini, P.: Modeling and verifying security policies in business processes. In: Bider, I., Gaaloul, K., Krogstie, J., Nurcan, S., Proper, H.A., Schmidt, R., Soffer, P. (eds.) BPMDS 2014 and EMMSAD 2014. LNBIP, vol. 175, pp. 200–214. Springer, Heidelberg (2014)
Salnitri, M., Giorgini, P.: Modeling and verification of ATM security policies with SecBPMN. In: Proceedings of SHPCS’14 (2014)
Salnitri, M., Giorgini, P.: Transforming socio-technical security requirements in SecBPMN security policies. In: Proceedings of IStar’14 (2014)
Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. JSA 55(4), 211–223 (2009)
Acknowledgment
The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007–2013) under grant no. 257930 (Aniketos).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Salnitri, M., Paja, E., Giorgini, P. (2014). Preserving Compliance with Security Requirements in Socio-Technical Systems. In: Cleary, F., Felici, M. (eds) Cyber Security and Privacy. CSP 2014. Communications in Computer and Information Science, vol 470. Springer, Cham. https://doi.org/10.1007/978-3-319-12574-9_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-12574-9_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12573-2
Online ISBN: 978-3-319-12574-9
eBook Packages: Computer ScienceComputer Science (R0)