Skip to main content
SpringerLink
Log in

Security Analysis of Electronic Business Processes

  • Published:
Electronic Commerce Research Aims and scope Submit manuscript

Abstract

This article introduces POSeM, a method that uses business process descriptions to derive appropriate security safeguards. This is achieved by assigning security levels to the components of a business process such as actors, artefacts, and activities with a specially developed description language. These levels are checked for consistency, and security measures are derived using a configurable rule base that maps security objectives to safeguards. POSeM in practice is illustrated by an application to electronic business, i.e., the publication process of information for a company's web-site. Both the advantages of POSeM and its possible refinements are discussed.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Similar content being viewed by others

References

  1. Abrams, M.D., S. Jajodia, and H.J. Podell (eds.). (1995). Information Security: An Integrated Collection of Essays. IEEE Computer Society Press.

  2. Barthelmess, P. (2000). “Security in Workflow Systems.” University of Colorado at Boulder, http://ugrad-www.cs.Colorado.edu/~barthelm/security/, accessed 11/9/2000.

  3. Bell, D.E. and L.J. LaPadula. (1974). “Secure Computer Systems: Mathematical Foundations and Model.” Technical Report, The Mitre Corporation.

  4. Biba, K. (1977). “Integrity Considerations for Secure Computer Systems.” Technical Report TR-3153, MITRE Corp., Bedford, MA.

    Google Scholar 

  5. BSI. (1999). “Information Security Management-Part 1: Code of Practice for Information Security Management.” BSI: British Standards Institute.

  6. BSI. (2000). “IT-Grundschutzhandbuch: Maßnahmenempfehlungen für den mittleren Schutzbedarf.” Bundesamt für die Sicherheit in der Informationstechnik (BSI), Bonn.

    Google Scholar 

  7. Chung, L. (1993). “Dealing with Security Requirements During the Development of Information Systems.” In C. Rolland, F. Bodart, and C. Cauvet (eds.), Advanced Information Systems Engineering, CAiSE'93 Lecture Notes in Computer Science, Vol. 685. Paris, France: Springer, pp. 234–251.

    Google Scholar 

  8. Curtis, B., M.I. Kellner, and J. Over. (1992). “Process Modeling.” Communications of the ACM 35(9), 75–90.

    Google Scholar 

  9. Davenport, T. (1993). Process Innovation-Reengineering Work through Information Technology. Boston: Harvard Business School Press.

    Google Scholar 

  10. FIPS80. (1980). “Guidelines for Security of Computer Application, Federal Information Processing Standards Publication 73.” Department of Commerce, National Bureau of Standards.

  11. Hammer, M. and J. Champy. (1994). Reengineering the Cororation-A Manifest for Business Revolution. London: Nicholas Brealey.

    Google Scholar 

  12. Herrmann, G. (1999). “Security and Integrity Requirements of Business Processes-Analysis and Approach to Support their Realisation.” In Proc. of CAiSE'99, 6th Doctoral Consortium on Advanced Information Systems Engineering Heidelberg, pp. 36-47.

  13. Holbein, R. (1996). “Secure Information Exchange in Organisations-An Approach for Solving the Information Misuse Problem.” Ph.D. thesis, Universität Zürich.

  14. Jansen, H. (1998). “Integration von Bedrohungs-und Risikoanalyse in ein Vorgehens-modell für Geschäftsprozeßmodellierung und Workflow-Management.” Master's thesis, Fachbereich Informatik der Carl von Ossietzky, Universität Oldenburg.

  15. Karagiannis, D. and M. Heidenfeld. (1998). “Modellierung, Analyse und Evaluation sicherer Geschäftsprozesse: Ein Implementierungsansatz für Security Workflows.” In K. Bauknecht, A. Büllesbach, H. Pohl, and S. Teufel (eds.), Sicherheit in Informationssystemen-SIS'98. vdf Hochschulverlag AG, pp. 223-246.

  16. Knorr, K. (2000). “Dynamic Access Control through Petri Net Workflows.” In Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC) New Orleans, pp. 159-167.

  17. Knorr, K. and S. Röhrig. (2001). “Security Requirements for E-Commerce Processes.” In B. Schmid, K. Stanoevska-Slabeva, and V. Tschammer (eds.), Towards the E-Society: E-Commerce, E-Business and E-Government. Zurich, Switzerland: Kluwer Academic Publishers, pp. 73–86.

    Google Scholar 

  18. Knorr, K. and H. Stormer. (2001). “Modeling and Analyzing Separation of Duties in Workflow Environments.” In Proceedings of 16th International Conference on Information Security (IFIP/Sec) Paris, France, pp. 199-212.

  19. Long, D.L., J. Baker, and F. Fung. (1999). “A Prototype Secure Workflow Server.” In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC) Phoenix, Arizona.

  20. McDermott, J. and C. Fox. (1999). “Using Abuse Case Models for Security Requirements Analysis.” In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC) Phoenix, Arizona, http://www.acsac.org/1999/abstracts/wed-b-1030-john.html.

  21. Meier, A. and S. Röhrig. (2001). “Sicherheitsanforderungen für elektronische Verträge: Ein prozessbasierter Ansatz.” In P. Horster (ed.), Elektronische Geschäftsprozesse-Grundlagen, Sicherheitsaspekte, Realisierungen, Anwendungen IT-Verlag für Informationstechnik, pp. 242-253.

  22. NCSC. (1992). NCSC-TG-010: A Guide to Understanding Modeling in Trusted Systems (Acqua Book). National Computer Security Center.

  23. Pfitzmann, A. and G.Wolf. (1999). “Empowering Users to Set Their Protection Goals.” In G. Müller and K. Rannenberg (eds.), Multilateral Security in Communications Informationssicherheit. München: Addison-Wesley.

    Google Scholar 

  24. Röhm, A.W., G. Herrmann, and G. Pernul. (1999). “A Language for Modelling Secure Business Transactions.” In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC) Phoenix, Arizona.

  25. Röhrig, S., K. Knorr, and H. Noser. (2000). “Sicherheit von E-Business-Anwendungen-Struktur und Quantifizierung.” Wirtschaftsinformatik 42(6), 499–507.

    Google Scholar 

  26. Shirey, R. (2000). “Internet Security Glossary.” Request for Comments 2828.

  27. Thoben, W. (1998). “Sicherheit für Workflow-basierte Anwendungen.” In K. Bauknecht, A. Büllesbach, H. Pohl, and S. Teufel (eds.), Sicherheit in Informationssystemen SIS' 98. Stuttgart: vdf Hochschulverlag AG, pp. 201–222.

    Google Scholar 

  28. Walker, W.E. (2001). “Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0.” National Security Agency. Version 1.2, http://www.nsa.gov.

  29. WFMC. (1996). “Terminology and Glossary.” Workflow Management Coalition, http://www.aiim. org/wfmc/. Document Number TC-1011.

  30. WFMC. (1998). “Interface 1: Process Definition Interchange-Process Model.” Workflow Management Coalition, Document Number TC-1016-P.

Download references

Author information

Authors and Affiliations

  1. secunet SwissIT AG, Hauptbahnhofstrasse 12, CH-4501, Solothurn, Switzerland

    Susanne Röhrig

  2. Siemens CT IC CERT, MCH P 10 377, Otto-Hahn-Ring 6, 81730, Munich, Germany

    Konstantin Knorr

Authors
  1. Susanne Röhrig
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Konstantin Knorr
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

About this article

Cite this article

Röhrig, S., Knorr, K. Security Analysis of Electronic Business Processes. Electronic Commerce Research 4, 59–81 (2004). https://doi.org/10.1023/B:ELEC.0000009282.06809.c5

Download citation

  • Issue Date:

  • DOI: https://doi.org/10.1023/B:ELEC.0000009282.06809.c5

Search

Navigation