Skip to main content
SpringerLink
Log in

Preserving Compliance with Security Requirements in Socio-Technical Systems

  • Conference paper
  • First Online:
Cyber Security and Privacy (CSP 2014)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 470))

Included in the following conference series:

Abstract

Socio-technical systems are an interplay of social (humans and organizations) and technical components interacting with one another to achieve their objectives. Security is a central issue in such complex systems, and it cannot be tackled only through technical mechanisms: the encryption of sensitive data while being transmitted, does not assure that the receiver will not disclose them to unauthorized parties. Therefore, dealing with security in socio-technical systems requires an analysis: (i) from a social and organizational perspective, to elicit the objectives and security requirements of each component; (ii) from a procedural perspective, to define how the actors behave and interact with each other. But, socio-technical systems need to adapt to changes of the external environment, making the need to deal with security a problem that has to be faced during all the systems’ life-cycle. We propose an iterative and incremental process to elicit security requirements and verify the socio-technical system’s compliance with such requirements throughout the systems’ life cycle.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    The System Wide Information Management (SWIM) [2].

  2. 2.

    This scenario is a variant of Case Study B of the FP7 EU Funded Project Aniketos http://www.aniketos.eu.

  3. 3.

    Note that we do not follow the flow of the process, but rather present the activities following a more natural description for SecBPMN, swapping activities 2.1. and 2.2.

  4. 4.

    http://www.secbpmn.disi.unitn.it

References

  1. Final report on aniketos on industrial case studies. Technical report (2014). http://aniketos.eu/sites/default/files/downloads/Aniketos%20D6.4%20-%20Final%20report%20on%20Aniketos%20%20applied%20to%20industrial%20case%20studies.pdf

  2. Federal Aviation Administration. SWIM ATM case study, Last visited, March 2014. http://www.faa.gov/about/office_org/headquarters_offices/ato/service_units/techops/atc_comms_services/swim/

  3. Anderson, R.: Security Engineering: A Guide to Building Dependable Distributed Systems. Wiley, New York (2008)

    Google Scholar 

  4. Beeri, C., Eyal, A., Kamenkovich, S., Milo, T.: Querying business processes with BP-QL. Inf. Syst. 33(6), 477–507 (2008)

    Article  Google Scholar 

  5. Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: modeling and enforcing access control requirements in business processes. In: Proceedings of SACMAT’12, pp. 123–126 (2012)

    Google Scholar 

  6. Cherdantseva, Y., Hilton, J.: A reference model of information assurance and security. In: Proceedings of ARES ’13, pp. 546–555 (2013)

    Google Scholar 

  7. Crook, R., Ince, D., Lin, L., Nuseibeh, B.: Security requirements engineering: when anti-requirements hit the fan. In: Proceedings of RE’02, pp. 203–205. IEEE (2002)

    Google Scholar 

  8. Dalpiaz, F., Paja, E., Giorgini, P.: Security requirements engineering via commitments. In: Proceedings of STAST’11, pp. 1–8 (2011)

    Google Scholar 

  9. Deutch, D., Milo, T.: Querying structural and behavioral properties of business processes. In: Arenas, M. (ed.) DBPL 2007. LNCS, vol. 4797, pp. 169–185. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  10. Ghose, A.K., Koliadis, G.: Auditing business process compliance. In: Krämer, B.J., Lin, K.-J., Narasimhan, P. (eds.) ICSOC 2007. LNCS, vol. 4749, pp. 169–180. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  11. Giorgini, P., Massacci, F., Mylopoulos, J., Zannone, N.: Modeling security requirements through ownership, permission and delegation. In: Proceedings of RE’05, pp. 167–176 (2005)

    Google Scholar 

  12. Johansson, H.J., McHugh, P., Pendlebury, A.J., Wheeler, W.A.: Business Process Reengineering: Breakpoint Strategies for Market Dominance. Wiley and Sons, Chichester (1993)

    Google Scholar 

  13. Johnstone, M.N.: Security requirements engineering-the reluctant oxymoron. In: Proceedings of Australian Information Security Management Conference, p. 5 (2009)

    Google Scholar 

  14. Liu, Y., Müller, S., Xu, K.: A static compliance-checking framework for business process models. IBM Syst. J. 46(2), 335–361 (2007)

    Article  Google Scholar 

  15. Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: Proceedings of ARES ’09, pp. 41–48 (2009)

    Google Scholar 

  16. Mouratidis, H., Giorgini, P.: Secure tropos: a security-oriented extension of the tropos methodology. IJSEKE 17(2), 285–309 (2007)

    Google Scholar 

  17. OMG. BPMN 2.0., Jan 2011. http://www.omg.org/spec/BPMN/2.0

  18. Paja, E., Dalpiaz, F., Giorgini, P.: Managing security requirements conflicts in socio-technical systems. In: Proceedings of ER’13, pp. 270–283 (2013)

    Google Scholar 

  19. Paja, E., Dalpiaz, F., Poggianella, M., Roberti, P., Giorgini, P.: Specifying and reasoning over socio-technical security requirements with STS-tool. In: Ng, W., Storey, V.C., Trujillo, J.C. (eds.) ER 2013. LNCS, vol. 8217, pp. 504–507. Springer, Heidelberg (2013)

    Chapter  Google Scholar 

  20. Rodríguez, A., Fernández-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. Inf. Syst. 90(4), 745–752 (2007)

    Article  Google Scholar 

  21. Rushby, J.: Using model checking to help discover mode confusions and other automation surprises. Reliab. Eng. Syst. Saf. 75, 167–177 (2002)

    Article  Google Scholar 

  22. Sadiq, W., Governatori, G., Namiri, K.: Modeling control objectives for business process compliance. In: Alonso, G., Dadam, P., Rosemann, M. (eds.) BPM 2007. LNCS, vol. 4714, pp. 149–164. Springer, Heidelberg (2007)

    Chapter  Google Scholar 

  23. Saleem, M., Jaafar, J., Hassan, M.: A domain- specific language for modelling security objectives in a business process models of SOA applications. AISS 4(1), 353–362 (2012)

    Article  Google Scholar 

  24. Salnitri, M., Dalpiaz, F., Giorgini, P.: Aligning service-oriented architectures with security requirements. In: Meersman, R., Panetto, H., Dillon, T., Rinderle-Ma, S., Dadam, P., Zhou, X., Pearson, S., Ferscha, A., Bergamaschi, S., Cruz, I.F. (eds.) OTM 2012, Part I. LNCS, vol. 7565, pp. 232–249. Springer, Heidelberg (2012)

    Google Scholar 

  25. Salnitri, M., Dalpiaz, F., Giorgini, P.: Modeling and verifying security policies in business processes. In: Bider, I., Gaaloul, K., Krogstie, J., Nurcan, S., Proper, H.A., Schmidt, R., Soffer, P. (eds.) BPMDS 2014 and EMMSAD 2014. LNBIP, vol. 175, pp. 200–214. Springer, Heidelberg (2014)

    Chapter  Google Scholar 

  26. Salnitri, M., Giorgini, P.: Modeling and verification of ATM security policies with SecBPMN. In: Proceedings of SHPCS’14 (2014)

    Google Scholar 

  27. Salnitri, M., Giorgini, P.: Transforming socio-technical security requirements in SecBPMN security policies. In: Proceedings of IStar’14 (2014)

    Google Scholar 

  28. Wolter, C., Menzel, M., Schaad, A., Miseldine, P., Meinel, C.: Model-driven business process security requirement specification. JSA 55(4), 211–223 (2009)

    Google Scholar 

Download references

Acknowledgment

The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007–2013) under grant no. 257930 (Aniketos).

Author information

Authors and Affiliations

  1. University of Trento, Trento, Italy

    Mattia Salnitri, Elda Paja & Paolo Giorgini

Authors
  1. Mattia Salnitri
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Elda Paja
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Paolo Giorgini
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Mattia Salnitri .

Editor information

Editors and Affiliations

  1. Waterford Institute of Technology, Waterford, Ireland

    Frances Cleary

  2. Hewlett-Packard Laboratories, Bristol, United Kingdom

    Massimo Felici

Rights and permissions

Reprints and permissions

Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Salnitri, M., Paja, E., Giorgini, P. (2014). Preserving Compliance with Security Requirements in Socio-Technical Systems. In: Cleary, F., Felici, M. (eds) Cyber Security and Privacy. CSP 2014. Communications in Computer and Information Science, vol 470. Springer, Cham. https://doi.org/10.1007/978-3-319-12574-9_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-12574-9_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-12573-2

  • Online ISBN: 978-3-319-12574-9

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation