Abstract
Despite the advantages of cloud services, businesses still face compliance challenges. Some have withdrawn from cloud services due to the inability to adhere completely to compliance requirements from regulatory bodies. Considering that adopting cloud services does not require adherence to domain-based requirements but also security requirements, a compliance management approach is essential to cater for such constraints. Existing literature shows that many compliance management approaches focus on data flow and control flow requirements. A few of them considered timing but not security constraints. Hence, compliance monitoring is incomplete and inaccurate. It was also deduced that monitoring business processes against compliance requirements in real-time was not considered appropriately, which is essential for keeping track of performance. This paper presents a business process compliance management system that ensures that business processes can be verified against compliance requirements at both designs and run time. The verification of the business processes was done at design time using a SPIN (Simple Promela Interpreter) model checker and extended compliance patterns at runtime. The evaluation was done using case studies from the financial and health domains, which returned an improved level of accuracy compared to an existing approach. The proposed approach’s uniqueness, completeness and traceability were evaluated against the model-based business process compliance management system and the papazoglou compliance management system. It returned 0.95, 0.94, and 0.86, respectively, for the proposed system. Adopting this improved business process compliance management system helps enterprises save penalty costs laid against them due to non-compliance or incomplete compliance.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Agnihotri M, Chug A (2020) Application of machine learning algorithms for code smell prediction using object-oriented software metrics. J Stat Manag Syst 23(7):1159–1171. https://doi.org/10.1080/09720510.2020.1799576
Agostinelli S, Maggi FM, Marrella A, Sapio F (2019) Achieving GDPR compliance of BPMN process models. In: International conference on advanced information systems engineering, Springer, Cham, p 10–22 https://doi.org/10.1007/978-3-030-21297-1_2
Ali A, Khan N, Abu-Tair M, Noppen J, McClean S, McChesney I (2021) Discriminating features-based cost-sensitive approach for software defect prediction. Autom Softw Eng 28(2):1–18. https://doi.org/10.1007/s10515-021-00289-8
Amankwah-Amoah J, Wang X (2019) Contemporary business risks: an overview and new research agenda. J Bus Res 97:208–211. https://doi.org/10.1016/j.jbusres.2019.01.036
Amaral JN et al (2011) About computing science research methodology. Edmonton, Alberta
Antignac T, Scandariato R, Schneider G (2018) Privacy compliance via model transformations. In: 2018 IEEE European symposium on security and privacy workshops (EuroS&PW), IEEE p 120–126 https://doi.org/10.1109/EuroSPW.2018.00024
Attaran M, Woods J (2018) Cloud computing technology: improving small business performance using the Internet. J Small Bus Entrep 31(6):495–519. https://doi.org/10.1080/08276331.2018.1466850
Ayadi R, Naceur SB, Casu B, Quinn B (2016) Does Basel compliance matter for bank performance? J Financ Stab 23:15–32. https://doi.org/10.1016/j.jfs.2015.12.007
Barnawi A, Awad A, Elgammal A, El Shawi R, Almalaise A, Sakr S (2015) BP-MaaS: a runtime compliance-monitoring system for business processes. In: BPM (Demos), p 25–29
Bayer P (2019) Strategic government enforcement and firm compliance with international regulation: evidence from carbon regulation. In: PEIO Conference
Bottoms A (2019) Understanding compliance with laws and regulations: a mechanism-based approach. In: Financial Compliance, Palgrave Macmillan, Cham, p 1–45 https://doi.org/10.1007/978-3-030-14511-8_1
Breaux T, Antón A (2008) Analyzing regulatory rules for privacy and security requirements. IEEE Trans Softw Eng 34(1):5–20. https://doi.org/10.1109/TSE.2007.70746
Celesti A, Fazio M, Galletta A, Carnevale L, Wan J, Villari M (2019) An approach for the secure management of hybrid cloud–edge environments. Futur Gener Comput Syst 90:1–19. https://doi.org/10.1016/j.future.2018.06.043
Chang YT, Chen H, Cheng RK, Chi W (2019) The impact of internal audit attributes on the effectiveness of internal control over operations and compliance. J Contemp Account Econ 15(1):1–19. https://doi.org/10.1016/j.jcae.2018.11.002
Chen H, Soltes E (2018) Why compliance programs fail—and how to fix them. Harv Bus Rev 96(2):115–125
Ciccio Di, Claudio GM, Plebani P (2022) On the adoption of blockchain for business process monitoring. Softw Syst Model 21(3):915–937
CSA (2019) Security guidance v4.0, Accessed June, 2019
Deb D and Chaki N (2018) A framework for goal compliance of business process model. In: Progress in intelligent computing techniques: theory, practice, and applications, Springer, Singapore p 345–356 https://doi.org/10.1007/978-981-10-3376-6_38
Elgammal A, Turetken O, van den Heuvel WJ, Papazoglou M (2016) Formalizing and appling compliance patterns for business process compliance. Softw Syst Model 15(1):119–146. https://doi.org/10.1007/s10270-014-0395-3
Elgammal A and Turetken O (2015) Lifecycle business process compliance management: a semantically-enabled framework. In: 2015 International conference on cloud computing (ICCC), IEEE, p 1–8 https://doi.org/10.1109/CLOUDCOMP.2015.7149646
Fellmann M and Zasada A (2016) State-of-the-art of business process compliance approaches-a survey. In: EMISA Forum: Vol 36, No. 2. De Gruyter
Gulis G (2019) Compliance, adherence, or implementation? Int J Pub Health 64:411–412. https://doi.org/10.1007/s00038-019-01217-0
Harris MA, Martin R (2019) Promoting cybersecurity compliance. In: Cybersecurity education for awareness and compliance . IGI Global, p 54–71 https://doi.org/10.4018/978-1-5225-7847-5.ch004
Harstad B, Lancia F, Russo A (2019) Compliance technology and self-enforcing agreements. J Eur Econ Assoc 17(1):1–29. https://doi.org/10.1093/jeea/jvy055
Hashmi M, Governatori G, Wynn MT (2016) Normative requirements for regulatory compliance: An abstract formal framework. Inf Syst Front 18(3):429–455. https://doi.org/10.1007/s10796-015-9558-1
Heinrich B, Hristova D, Klier M, Schiller A, Szubartowicz M (2018) Requirements for data quality metrics. J Data Inf Qual (JDIQ) 9(2):1–32
Holz HJ, Applin A, Haberman B, Joyce D, Purchase H, Reed C (2006) Research methods in computing. In: Working group reports on iticse on innovation and technology in computer science education - ITiCSE-WGR 2006, ACM Press, New York, p 96 https://doi.org/10.1145/1189215.1189180
Iqbal M, Matulevičius R (2020) Managing security risks in post-trade matching and confirmation using CorDapp. In: International baltic conference on databases and information systems, Springer, Cham, p 325–339 https://doi.org/10.1007/978-3-030-57672-1_24
Jabbar J, Mehmood H, Malik H (2020) Security of cloud computing: belongings for the generations. International Journal of Engineering & Technology 9(2):454–457
Joshi M, Jetawat A (2021) Performance analysis of classification algorithms used for software defect prediction. In: Sustainable intelligent systems, p 1–9
Kammüller F, Ogunyanwo OO, Probst CW (2019) Designing data protection for GDPR compliance into IoT healthcare systems. Preprint at arXiv:1901.02426
Khan S, Dar SH, Iqbal Z, Zafar B, Ali N, Khalil T (2020) An approach for evaluating & ranking ontologies with applications in biomedical domain. Tech J 25(02):95–109
Kiyavitskaya N, Zeni N, Breaux TD, Antón AI, Cordy JR, Mich, Mylopoulos J (2008) Automating the extraction of rights and obligations for regulatory compliance. In: International conference on conceptual modeling, p 154–168, Springer, Heidelberg https://doi.org/10.1007/978-3-540-87877-3_13
Klochkov YS, Tveryakov AM (2020) Approaches to the improvement of quality management methods. Int J Syst Assur Eng Manag 11(2):163–172. https://doi.org/10.1007/s13198-019-00939-x
Ly LT, Maggi FM, Montali M, Rinderle-Ma S, van der Aalst WM (2013) A framework for the systematic comparison and evaluation of compliance monitoring approaches. In: 2013 17th IEEE international enterprise distributed object computing conference, IEEE, p 7–16 https://doi.org/10.1109/EDOC.2013.11
Mahalle A, Yong J, Tao X, Shen J (2018) Data privacy and system security for banking and financial services industry based on cloud computing infrastructure. In: 2018 IEEE 22nd International conference on computer supported cooperative work in design (CSCWD), IEEE, p 407–413 https://doi.org/10.1109/CSCWD.2018.8465318
Mandal S, Gandhi R, Siy H (2015) Semantic web representations for reasoning about applicability and satisfiability of federal regulations for information security. In: 2015 IEEE 8th International workshop on requirements engineering and law (RELAW), IEEE, p 1–9 https://doi.org/10.1109/RELAW.2015.7330205
Mustapha AM, Arogundade OT, Vincent OR, Adeniran OJ (2018) Towards a compliance requirement management for SMEs: a model and architecture. IseB 16(1):155–185. https://doi.org/10.1007/s10257-017-0354-y
Mustapha AM, Arogundade OT, Misra S, Damasevicius R, Maskeliunas R (2020a) A systematic literature review on compliance requirements management of business processes. Int J Syst Assur Eng Manag 11(3):561–576. https://doi.org/10.1007/s13198-020-00985-w
Mustapha AM, Arogundade OT, Vincent OR, Adeniran OJ, Chen X (2017) A model-based business process compliance management architecture for SMSE towards effective adoption of cloud computing. In: 2017 International conference on computing networking and informatics (ICCNI), IEEE, p 1–6 https://doi.org/10.1109/ICCNI.2017.8123820
Mustapha AM, Abayomi-Alli A, Adeniran OJ, Adesemowo K, Alonge CY (2020b) A systematic method for extracting and analyzing cloud-based compliance requirements. In: 2020 International conference in mathematics, computer engineering and computer science (ICMCECS), IEEE, p 1–7 https://doi.org/10.1109/ICMCECS47690.2020.240839
Papazoglou MP (2011) Making business processes compliant to standards and regulations. In: Enterprise Distributed object computing conference (EDOC), 2011 15th IEEE International, p 3–13
Pereira JL, Varajão J (2019) The temporal dimension of business processes: requirements and challenges. Int J Comput Appl Technol 59(1):74–81. https://doi.org/10.1504/IJCAT.2019.097120
Revina A, Aksu Ü (2023) An approach for analyzing business process execution complexity based on textual data and event log. Inf Syst 114:102184
Rojas MAT, Redígolo FF, Gonzalez NM, Sbampato FV, de Brito Carvalho TCM, Ullah KW, Ahmed AS (2018) Managing the lifecycle of security SLA requirements in cloud computing. In: Developments and advances in intelligent systems and applications, Springer, Cham p 119–140 https://doi.org/10.1007/978-3-319-58965-7_9
Root V (2019) The compliance process. Ind LJ 94:203
Sadiq S, Governatori G (2015) Managing regulatory compliance in business processes. In: Handbook on business process management, Springer, Heidelberg, p 265–288 https://doi.org/10.1007/978-3-642-45103-4_11
Saralaya S, Saralaya V, D’Souza R (2019) Compliance management in business processes. In: Digital business, Springer, Cham, p 53–91 https://doi.org/10.1007/978-3-319-93940-7_3
Saunders MNK, Lewis P, Thornhill A (2019) Understanding research philosophy and approaches to theory development. In: Research methods for business students, Pearson, Harlow, p 128–170
Schindler K, White AP (2019) Compliance as a service: utilising the power of the cloud. J Secur Oper Custody 11(2):168–177
Singh S, Sidhu J (2017) Compliance-based multi-dimensional trust evaluation system for determining trustworthiness of cloud service providers. Futur Gener Comput Syst 67:109–132
Sunyaev A (2020) Cloud computing. In: Internet computing, Springer, Cham, p. 195–236 https://doi.org/10.1007/978-3-030-34957-8_7
Tabrizchi H, Rafsanjani MK (2020) A survey on security challenges in cloud computing: issues, threats, and solutions. J Supercomput 76(12):9493–9532. https://doi.org/10.1007/s11227-020-03213-1
Wenzhong S (2012) Design and implementation of a BPMN to PROMELA translator. MSc Dissertation in advanced computer science. School of Computing Science, Newcastle University
Zeni N, Kiyavitskaya N, Mich L, Cordy JR, Mylopoulos J (2015) GaiusT: supporting the extraction of rights and obligations for regulatory compliance. Requir Eng 20(1):1–22. https://doi.org/10.1007/s00766-013-0181-8
Acknowledgements
The authors appreciate the reviewers for the immense work put into making this work come out in the best form.
Funding
The present work is self-funded.
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflicts of interest
No conflict of interest exists among the authors concerning the paper’s publication.
Ethical approval
This research article complies fully with the ethical standards of writing and publishing
Human or animal rights
No kind of testing has to do with humans or animals.
Informed consent
The authors are informed and agree to the terms of publication for this research work.
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Mustapha, A.M., Arogundade, O.‘., Abayomi-Alli, A. et al. An improved cloud-based business process compliance management system using a user-centered approach. Int J Syst Assur Eng Manag 15, 5111–5138 (2024). https://doi.org/10.1007/s13198-024-02494-6
Received:
Revised:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s13198-024-02494-6