Thursday, 23 December 2010

Annotated Bib.: Towards a UML 2.0 Extension for the Modeling of Security Requirements in Business Processes



[1] A. Rodríguez, E. Fernández-Medina, and M. Piattini. Towards a UML 2.0 extension for the modeling of security requirements in business processes. In S. Fischer-Hübner, S. Furnell, and C. Lambrinoudakis, editors, TrustBus, volume 4083 of Lecture Notes in Computer Science, pages 51–61. Springer, 2006.

This paper presents an extension to UML 2.0 that can integrate security requirements into the business process model. The paper starts by showing the importance of security and the growth of BPM, then shows that security is usually neglected at the beginning and how that might lead to security complications. It also explains the reason for choosing UML among all modelling languages.
In the second section the paper shows how important security is to BPM and identifies two problems in this field: first, that modelling has not been adequate yet, and second, that security is usually not considered until the actual implementation process. It also compares this work to other work related to security and BPM. Section 3 briefly presents an overview of UML 2.0 and extensions.
Section 4 proposes the extension to represent security requirements in the model. The extension makes use of stereotypes by adding «SecureActivity» and «SecurityRequirement», which needs to be followed by a letter to represent the requirement (NR, AD, I, P or AC). It also adds «SecurityRole» and «SecurityPermissions». It then gives a table explaining the definitions of all the new data type stereotypes, and finally gives the notation and constraints for each new stereotype. Section 5 presents an example of "admission of patients in a health-care institution" and uses this case study to present the new extension and to show how it could help in presenting security requirements in the process model.
The paper concludes that the new extension allows security requirements to be considered from the beginning and included in the model.

Relation to research in hand: this paper presents a methodology that can be used to integrate security requirements in the business process model, and it provides an actual tool that can be used. The paper gives a solution to part of the research problem by integrating security in modelling, but it is limited to one tool (UML 2.0); the idea could usefully be extended and made generic so that it can be used with any other tool.

Annotated Bib.: Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes



[1] F. D’Aubeterre, R. Singh, and L. Iyer. Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes. European Journal of Information Systems, 17(5):528–542, 2008.

This paper addresses the question: "how can we integrate security as a functional requirement in the analysis and modelling of business processes?"
The paper starts by showing the importance of considering the security requirements from the beginning and considering them as functional requirements, as that will make analysts have greater security awareness in their analysis of the requirements of secure business processes". The authors of this paper developed the "secure activity resource coordination (SARC)" conceptualization, which is designed to view security as a functional requirement in the analysis and modelling of the activities in a business process.
The paper then gives the 5 rules that are considered the "modelling concepts, and grammar for SARC secure business processes:
1. Actors fulfil organizational roles.
2. Organizational roles are authorized to perform business activities.
3. Business activities are permitted to read, write, delete, or create information resources.
4. Dependencies do not exist directly between business activities. Business activities cannot directly produce or consume another business activity. 
5. Business activities have a sharing, fit or flow coordination dependency with an information resource”. 
It then gives an experimental example to show how "business process models developed using SARC generates higher awareness of security constraints in modelling the secure exchange of information resources in coordinated business processes". The paper focuses on "non-repudiation", "access control", and "segregation of duties" as examples of security requirements.
The paper concludes that SARC can be used by business analysts to analyse and model secure business processes, and that it effectively incorporates security requirements in the conceptualization of business processes.

Relation to research in hand: this paper provides a methodology (SARC) for integrating security requirements in business processes, which is an important part of the literature review for the research. The idea of this paper and its output are closely related to the idea of the research in hand, and it might form a small part of the big picture of the research idea.

Annotated Bib.: Security in Business Process Engineering



[1] M. Backes, B. Pfitzmann, and M. Waidner. Security in business process engineering. In W. M. P. van der Aalst, A. H. M. ter Hofstede, and M. Weske, editors, Business Process Management, volume 2678 of Lecture Notes in Computer Science, pages 168–183. Springer, 2003. 

The paper starts by showing that security is usually neglected in the modelling phase and only integrated in an ad-hoc manner later on. It then shows how problematic this approach is, and argues that security should be considered earlier, as that will make it clearer and easier and will produce fewer errors.
The paper then discusses trust models and how they can be applied to BPM. It also gives an example to illustrate the need to integrate security (especially cryptography) in the early stages of BPM. The example used is a "Certified Mail System". The paper then goes into technical detail on what security requirements are needed in such an example; it focuses more on the cryptographic requirements and little on trust.
It then shows, in a detailed technical way, how considering security requirements from the beginning would help in building a better system.
It ends by comparing this work with work done by others, and by showing how considering cryptography from the beginning was useful in this example.

Relation to the research on hand: this paper shows the importance of early consideration of security, instead of an ad-hoc approach. It also adds to the review of what work has been done on integrating security into BPM. It also gives a brief discussion of trust and trust models, and shows that this might be important to BPM and needs to be integrated.

Tuesday, 21 December 2010

Annotated Bib.: Towards a Comprehensive Framework for Secure Systems Development



[1] H. Mouratidis, J. Jürjens, and J. Fox. Towards a comprehensive framework for secure systems development. In E. Dubois and K. Pohl, editors, CAiSE, volume 4001 of Lecture Notes in Computer Science, pages 48–62. Springer, 2006.

This paper presents a new framework that can be used to get a security-aware process. The paper is based on the idea that security involves technical and social parts. The paper states that all work done in the field focuses either on the technical or on the social part, and that each works only to a certain level. The authors claim that this approach considers both parts (technical and social), and that it considers all stages in the process, starting from the early stage of data collection until the implementation stage.

The framework is an integration of two security-aware methodologies, Secure Tropos and UMLsec. Secure Tropos focuses more on the social challenges and on the early stages of a process, whereas UMLsec focuses more on technical challenges and the late stages, so the new framework will focus on both types of challenges and all stages.

The aim of the framework is to present an approach for modelling secure information systems; which is done through 4 stages:
1-Early Requirements Analysis; which uses Secure Tropos to analyse the security needs and goals of stakeholders.
2-Late Requirements Analysis; which also uses Secure Tropos to determine the security requirements of the system.
3-Architectural Design; in which the mapping of Secure Tropos to the UMLsec is performed. Secure Tropos is used to determine the general architecture and the components of the system. Then UMLsec is used to model the security protocols and properties.
4-Detailed design; which uses UMLsec to specify in detail the components of the system and model the secure interaction of the system components.

The real challenge in this paper, and probably its biggest contribution, is providing an integration and mapping from Secure Tropos to UMLsec. The paper provides guidelines to do so:
1- Map the Secure Tropos analysis module to a UMLsec class diagram; which contains 5 steps.
2- Map the Secure Tropos analysis module to a UMLsec deployment diagram; which contains 3 steps.
Finally, to show the effectiveness of the new framework, it was applied to an e-commerce case study, which showed that the framework actually discovered a new security requirement that was ignored initially.

The paper concludes that it is important today to consider security in process and system design, that the new framework considers all security challenges and all process stages, and that it is easy to understand since it uses popular methodologies.

Relation to research on hand: this paper is a big contribution to the literature review and to showing what has been done so far in the field of integrating security into BPM. This paper presents a new framework that can be used to consider security requirements from the beginning all the way to implementation. Although the framework is aimed at system building, it can be used to generate a new framework for integrating security into BPM.

Annotated Bib.: Secure Information Systems Engineering: Experiences and Lessons Learned from Two Health Care Projects


[1] H. Mouratidis, A. Sunyaev, and J. Jürjens. Secure information systems engineering: Experiences and lessons learned from two health care projects. In P. van Eck, J. Gordijn, and R. Wieringa, editors, CAiSE, volume 5565 of Lecture Notes in Computer Science, pages 231–245. Springer, 2009.

This paper uses a framework that was developed and published earlier, in 2006, called the "model based security engineering framework". The paper does not aim to explain the framework; rather, it is about using the framework in two different health care cases and discussing the outputs of the case study.
The paper starts with a brief explanation of the framework, so that those who did not read the original paper can understand the rest, but does not go into details. The framework basically integrates two security-aware approaches, Secure Tropos and UMLsec. It has 4 stages: Security Analysis of System Environment, Security Analysis of System, Secure System Design, and Secure Components Definition. The paper applies the framework using these 4 stages to 2 health care examples, but due to space constraints it explains only one of the cases.
The paper explains the case itself, and then shows how the framework stages were applied. The next section is the reflection, or what would be called the results of the study, which is discussed in three subsections: challenges faced during the framework development, lessons learned, and improvements that can be made.
The paper concludes that this framework was helpful and gave nice results for a first real-life application, given how complicated the health care cases are. It also shows that the framework was easy to understand, but might require basic knowledge of security terminology. The paper also shows that there was a problem in translating from Secure Tropos to UMLsec, but it was solved by changing the guidelines.

Relation to the research in hand: this paper shows that a security-aware framework was successfully used in real-life examples. Although it needed some enhancements and some problems were faced, it also showed that people were able to adapt to such a framework, and that it helped analysts and designers to take security requirements into consideration from the beginning all the way to the implementation phase.

Friday, 17 December 2010

Annotated Bib.: IT Security Management and Business Process Automation: Challenges, Approaches, and Rewards.


[1] R. P. Tracy. IT security management and business process automation: Challenges, approaches, and rewards. Information Systems Security, 16(2):114–122, 2007.

This paper focuses on security policies and how to enforce them in an organization; it makes use of the business process automation idea to enforce security policies.
The paper starts off by showing the importance of including security in the business to give security priority. It then discusses the challenges in enforcing security policies. After that it explains how to make use of the business process automation (BPA) concept to enforce security policies: first by turning security policies into process requirements, and then by creating and automating a process to enforce the security requirements: Inventory, Assess, Notify, Remediate, Validate, and Report.
The paper concludes that with good security policies, a platform that supports automation of security policies, and a process automation solution in place, an organization can be as secure as possible.

Relation to the research in hand: this paper shows the importance of including security from the beginning, and that security and business need each other and should be more integrated than ever.

Thursday, 16 December 2010

Annotated Bib.: An Empirical Evaluation of Information Security Awareness Levels in Designing Secure Business Processes



[1] F. D’Aubeterre, L. S. Iyer, and R. Singh. An empirical evaluation of information security awareness levels in designing secure business processes. In V. Vaishnavi and S. Purao, editors, DESRIST. ACM, 2009.


This paper demonstrates that "Secure Activity Resource Coordination (SARC)" is the best way to get analysts and designers of processes to be aware of the security requirements in the processes. SARC is not explained in this paper; another paper, published earlier, explains SARC in detail. This paper focuses only on proving that it is the best way to increase the awareness level of security requirements in a process. To show how good SARC is, the paper bases its comparison on a method called Situational Awareness (SA), which places awareness on 3 levels: awareness of the existence, comprehension, and prediction. SA was used as the measuring criterion to compare SARC to "Enriched-Use Case and UML-Active diagrams".
So the study was about proving whether SARC can increase awareness of security requirements for analysts and designers within these 3 levels. The study was performed on different groups of students, and the results showed that SARC made the students more aware of the security requirements in the processes than the "Enriched-Use Case and UML-Active diagrams" did.
The paper concludes that considering security requirements from the beginning and treating them as functional requirements will increase analysts' awareness of them, and that using SARC is the best way to do so.

If this paper is related to the research on hand in any way, it is in showing the importance of early consideration of security requirements, from the data collection phase. It might also be related in that SARC is worth looking at as a method, and it might be a good method to follow in integrating other security requirements, such as trust, since it is proven to be a good way to increase the awareness of security requirements.

Wednesday, 15 December 2010

Nice quotes

An Empirical Evaluation of Information Security Awareness Levels in Designing Secure Business Process. 2009
by Fergle D’Aubeterre, Lakshmi S. Iyer, and Rahul Singh:
 
"Information Security is critical to ensuring the integrity and credibility of digitally exchanged information in business processes".

BPM "development methodology that considers security requirements in the early phases (modeling, and requirements collecting) of systems development is essential" for information security.

"information security awareness should be present in the requirements gathering phase, so that analysts become more aware of security constraints and possible violations resulting into secure business processes".

The 2006 CSI/FBI Computer Crime and Security Survey identified that authorization violations are the second largest cause of economic losses (Gordon et al., 2006).

Security should be embedded into the overall information systems development and not added as an afterthought (Mouratidis et al. 2009).

Existing work is mainly focused either on the technical or the social aspect of considering security, and approaches are usually applicable only to certain development stages (Mouratidis et al. 2009).