Skip to main content
SpringerLink
Log in

PE-BPMN: Privacy-Enhanced Business Process Model and Notation

  • Conference paper
  • First Online:
Business Process Management (BPM 2017)

Part of the book series: Lecture Notes in Computer Science ((LNISA,volume 10445))

Included in the following conference series:

Abstract

Privacy Enhancing Technologies (PETs) play an important role in preventing privacy leakage of data along information flows. Although business process modelling is well-suited for expressing stakeholder collaboration and process support by technical solutions, little is done to visualise and analyse privacy leakages in the processes. We propose PE-BPMN – privacy-enhanced extensions to the BPMN language for capturing data leakages. We demonstrate its feasibility in the mobile app scenario where private data leakages are determined. Our approach helps system builders make decisions on the privacy solutions at the early stages of development and lets auditors analyse existing systems.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Notes

  1. 1.

    DARPA Brandeis—http://www.darpa.mil/program/brandeis.

References

  1. Privacy management reference model and methodology (PMRM) version 1.0. OASIS Committee Specification 02 (2016). http://docs.oasis-open.org/pmrm/PMRM/v1.0/cs02/PMRM-v1.0-cs02.html

  2. Accorsi, R., Lehmann, A., Lohmann, N.: Information leak detection in business process models. Inf. Syst. 47(C), 244–257 (2015)

    Article  Google Scholar 

  3. Altuhhova, O., Matulevičius, R., Ahmed, N.: An extension of business process model and notification for security risk management. IJISMD 4(4), 93–113 (2013)

    Google Scholar 

  4. Ayed, G.B., Ghernaouti-Helie, S.: Processes view modeling of identity-related privacy business interoperability: considering user-supremacy federated identity technical model and identity contract negotiation. In: 2012 Proceedings of the ASONAM (2012)

    Google Scholar 

  5. Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the 1979 AFIPS National Computer Conference, pp. 313–317. AFIPS Press (1979)

    Google Scholar 

  6. Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 337–367. Springer, Heidelberg (2015). doi:10.1007/978-3-662-46803-6_12

    Chapter  Google Scholar 

  7. Brucker, A.D., Hang, I., Lückemeyer, G., Ruparel, R.: SecureBPMN: modeling and enforcing access control requirements in business processes. In: Proceedings of the SACMAT 2012, pp. 123–126. ACM (2012)

    Google Scholar 

  8. Cherdantseva, Y., Hilton, J., Rana, O.: Towards SecureBPMN - aligning BPMN with the information assurance and security domain. In: Mendling, J., Weidlich, M. (eds.) BPMN 2012. LNBIP, vol. 125, pp. 107–115. Springer, Heidelberg (2012). doi:10.1007/978-3-642-33155-8_9

    Chapter  Google Scholar 

  9. Danezis, G., Domingo-Ferrer, J., Hansen, M., Hoepman, J.-H., Metayer, D.L., Tirtea, R., Schiffner, S.: Privacy and data protection by design-from policy to engineering. Technical report, European Union Agency for Network and Information Security (2015)

    Google Scholar 

  10. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theor. 22(6), 644–654 (2006)

    Article  MathSciNet  Google Scholar 

  11. Dumas, M., García-Bañuelos, L., Laud, P.: Differential privacy analysis of data processing workflows. In: Kordy, B., Ekstedt, M., Kim, D.S. (eds.) GraMSec 2016. LNCS, vol. 9987, pp. 62–79. Springer, Cham (2016). doi:10.1007/978-3-319-46263-9_4

    Chapter  Google Scholar 

  12. Dumas, M., La Rosa, M., Mendling, J., Reijers, H.: Fundamentals of Business Process Management. Springer, Heidelberg (2013)

    Book  Google Scholar 

  13. Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016). http://data.europa.eu/eli/reg/2016/679/oj

  14. Joint Task Force and Transformation Initiative: Security and privacy controls for federal information systems and organizations. NIST Special Publication, 800:53 (2013)

    Google Scholar 

  15. Gentry, C.: Fully homomorphic encryption using ideal lattices. In: Proceedings of the Forty-first Annual ACM Symposium on Theory of Computing, STOC 2009, pp. 169–178. ACM, New York (2009)

    Google Scholar 

  16. Greenberg, A.: Apple’s ‘Differential Privacy’ is about collecting your data-but not your data. Wired (2016)

    Google Scholar 

  17. Heurix, J., Zimmermann, P., Neubauer, T., Fenz, S.: A taxonomy for privacy enhancing technologies. Comput. Secur. 53, 1–17 (2015)

    Article  Google Scholar 

  18. ISO/IEC DIS 29134: Information technology - security techniques - privacy impact assessment - guidelines. Technical report, International Organization for Standardization (2016)

    Google Scholar 

  19. Koorn, R., van Gils, H., ter Hart, J., Overbeek, P., Tellegen, R., Borking, J.: Privacy Enhancing Technologies, White Paper for Decision Makers. Ministry of the Interior and Kingdom Relations, The Netherlands (2004)

    Google Scholar 

  20. Ladha, W., Mehandjiev, N., Sampaio, P.: Modelling of privacy-aware business processes in BPMN to protect personal data. In: Proceedings of the 29th Annual ACM Symposium on Applied Computing, pp. 1399–1405 (2014)

    Google Scholar 

  21. Menzel, M., Thomas, I., Meinel, C.: Security requirements specification in service-oriented business process management. In: ARES 2009, pp. 41–49 (2009)

    Google Scholar 

  22. Mouratidis, H., Kalloniatis, C., Islam, S., Hudic, A., Zechner, L.: Model based process to support security and privacy requirements engineering. Int. J. Secur. Softw. Eng. 3(3), 1–22 (2012)

    Article  Google Scholar 

  23. OMG: Business Process Model and Notation (BPMN). http://www.omg.org/spec/BPMN/2.0/

  24. Rodriguez, A., Fernandez-Medina, E., Piattini, M.: A BPMN extension for the modeling of security requirements in business processes. IEICE Trans. Inf. Syst. 90(4), 745–752 (2007)

    Article  Google Scholar 

  25. Schleicher, D., Leymann, F., Schumm, D., Weidmann, M.: Compliance scopes: extending the BPMN 2.0 meta model to specify compliance requirements. In: SOCA 2010, pp. 1–8 (2010)

    Google Scholar 

  26. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

    Article  MathSciNet  Google Scholar 

  27. Solove, D.J.: A taxonomy of privacy. Univ. Pa. Law Rev. 154, 477–564 (2006)

    Article  Google Scholar 

  28. Weiss, M.A., Archick, K.: US-EU Data Privacy: From Safe Harbor to Privacy Shield. Congressional Research Service (2016)

    Google Scholar 

Download references

Acknowledgment

The authors would like to thank Prof. Marlon Dumas, Peeter Laud and other members of the NAPLES project for discussions, comments and feedback concerning this study. This research was, in part, funded by the Air Force Research laboratory (AFRL) and Defense Advanced Research Projects Agency (DARPA) under contract FA8750-16-C-0011. The views expressed are those of the authors and do not reflect the official policy or position of the Department of Defense or the U.S. Government. This work was also supported by the European Regional Development Fund through the Excellence in IT in Estonia (EXCITE) and by the Estonian Research Council under Institutional Research Grant IUT27-1.

Author information

Authors and Affiliations

  1. Cybernetica AS, Tartu, Estonia

    Pille Pullonen & Dan Bogdanov

  2. University of Tartu, Tartu, Estonia

    Raimundas Matulevičius

Authors
  1. Pille Pullonen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Raimundas Matulevičius
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Dan Bogdanov
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pille Pullonen .

Editor information

Editors and Affiliations

  1. Department of Computer Science, Universitat Politècnica de Catalunya, Barcelona, Spain

    Josep Carmona

  2. Department of Computer Science, University of Paderborn, Paderborn, Germany

    Gregor Engels

  3. Department of Supply Chain and Information Systems, Pennsylvania State University, University Park, Pennsylvania, USA

    Akhil Kumar

Rights and permissions

Reprints and permissions

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Pullonen, P., Matulevičius, R., Bogdanov, D. (2017). PE-BPMN: Privacy-Enhanced Business Process Model and Notation. In: Carmona, J., Engels, G., Kumar, A. (eds) Business Process Management. BPM 2017. Lecture Notes in Computer Science(), vol 10445. Springer, Cham. https://doi.org/10.1007/978-3-319-65000-5_3

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-65000-5_3

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-64999-3

  • Online ISBN: 978-3-319-65000-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation