Security requirement analysis of business processes

Electronic Commerce Research

Volumn 6, Issue 3-4, 2006, Pages 305-335

  Herrmann, Peter ^a   Herrmann, Gaby ^b  

^a NORWEGIAN UNIVERSITY OF SCIENCE AND TECHNOLOGY   (Norway)

^b UNIVERSITY OF DUISBURG ESSEN   (Germany)

Author keywords

Business process; E Commerce; Graph rewriting; MoSSBP; Object oriented security analysis

Indexed keywords

CRYPTOGRAPHY; NETWORK SECURITY;

BUSINESS PROCESS; DECENTRALISED; ECONOMIC GLOBALIZATION; GRAPH REWRITING; IT SYSTEM; OBJECT ORIENTED; OBJECT-ORIENTED SECURITY ANALYSE; REQUIREMENT ANALYSIS; SECURITY ANALYSIS; SECURITY REQUIREMENTS;

SECURITY SYSTEMS;

EID: 33749367621     PISSN: 13895753     EISSN: 15729362     Source Type: Journal    
DOI: 10.1007/s10660-006-8677-7     Document Type: Article

References (60)

1. Atluri, V., Huang, W.-K., & Bertino, E. (1997). An execution model for multilevel secure workflows. In Proceedings of the IFIP 11.3 Workshop on Database Security.
2. Bardohl, R., Taentzer, G., Minas, M., & Schürr, A. (1999). Application of graph transformation to visual languages. In Handbook on Graph Grammars and Computing by Graph Transformation, Volume 2: Applications, Languages and Tools, Chapter 1. World Scientific.
3. Baskerville, R. (1988). Designing Information Systems Security. Chichester: Wiley & Sons.
4. Baskerville, R. (1993). Information systems design methods: Implications for information systems development. ACM Computing Surveys, 25 (4), 375-414.
5. Bertino, E., Ferrari, E., & Atluri, V. (1997). A flexible model supporting the specification and enforcement of role-based authorizations in workflow management systems. In Proceedings of the 2nd ACM Workshop on Role-Based Access Control.
6. Booch, G., Rumbaugh, J., & Jacobson, I. (1999). The unified modeling language user guide. Addison-Wesley Longman.
7. Browne, P. (1979). Security: Checklist for computer center self-audits. Arlington: AFIPS Press.
8. Bui, T., & Sivasankaran, T. (1987). Cost-Effectiveness Modeling for a Decision Support System in Computer Security. Computer Security, 6 (2), 139-151.
9. Bußler, C. (1995). Access control in workflow management systems. In Proceedings of the IT Security'94 Conference (pp. 165-179), Oldenbourg-Verlag Munich.
10. Carroll, J., & Maclver, W. (1984). Towards an expert system for computer facility certification. In Computer Security A Global Challenge, (pp. 293-306). Amsterdam: North-Holland
11. CCTA. (1991). SSADM-CRAMM, Subject guide for SSADM version 3 and CRAMM version 2. London: CCTA.
12. Chisnall, W. R. (1997). Applying risk analysis methods to university systems. In Proceedings of the EUNIS 97 Congress, Grenoble.
13. Clarke, R. (1999). Identified, anonymous and pseudonymous transactions: The spectrum of choice. In IFIP WG 8.5/9.6 Working Concerence on User Identification & Privacy Protection, Stockholm.
14. Computer Security Consultants, Ridgefield. (1988). Using decision analysis to estimate computer security risk.
15. Courtney, R. (1977). Security risk assessment in electronic data processing. In AFIPS Conference Proceedings of the National Computer Conference 46 (pp. 97-104). Arlington:AFIPS.
16. Curtis, B., Kellner, M.I., & Over, J. (1992). Process modeling. Communications of the ACM, 35 (9), 75-90.
17. Data Interchange Standards Association. (2001). X12 Standard, release 4050 edition, December.
18. Demuth, T., & Rieke, A. (2003). Bilateral anonymity and prevention of abusing logged web addresses. In 2000 Military Communications International Symposium, Los Angeles.
19. Finne, T. (1996). Computer support for information security analysis in a small business environment. In Jan. H.P. Eloff, (Ed.), Proceedings of the IFIP TC11 WG 11.2 on small systems security, (pp. 73-88), Samos.
20. Fisher, R. (1984). Information Systems Security. Englewood Cliffs: Prentice-Hall.
21. Gavish, B., & Gerdes, J. (1998). Anonymous mechanisms in group decision support systems communication. Decision Support Systems, 23 (4), 297-328.
22. Guarro, S. (1987). Principles and Procedures of the LRAM Approach to Information Systems Risk Analysis and Management. Computer Security, 6 (6), 493-504.
23. Herrmann, G. (2002) VerläUßlichkeit von GeschäUftsprozessen - Konzeptionelle Modellbildung und Realisierungsrahmen. Logos Verlag, Published Version of Doctoral Thesis. In German.
24. Herrmann, G., & Pernul, G. (1998). Towards security semantics in workflow management. In Proceedings of the 31st Annual Hawaii International Conference on System Sciences (HICSS-31). IEEE Computer Society Press.
25. Herrmann, G., & Pernul, G. (1999). Viewing business process security from different perspectives. International Journal of Electronic Commerce, 3 (3), 89-103.
26. Herrmann, P. (2001). Information flow analysis of component-structured applications. In Proceedings of the 17th Annual Computer Security Applications Conference (ACSAC'2001) (pp. 45-54). New Orleans: ACM SIGSAC, IEEE Computer Society Press.
27. Herrmann, P., & Krumm, H. (2001). Object-oriented security analysis and modeling. In Proceedings of the 9th International Conference on Telecommunication Systems - Modelling and Analysis (pp. 21-32). Dallas: ATSMA, IFIP.
28. Herrmann, P., Wiebusch, L., & Krumm, H. (2001). Tool-assisted security assessment of distributed applications. In Proceedings of the 3rd IFIP WG 6.1 International Working Conference on Distributed Applications and Interoperable Systems (DAIS 2001) (pp. 289-294). Krakow: Kluwer.
29. Hoffman, L., Michelman, E., & Clements, D. (1978). SECURATE - Security evaluation and analysis using fuzzy metrics. In AFIPS Conference Proceedings of the National Computer Conference 47 (pp. 531-540). Arlington. AFIPS.
30. Holbein, R., Teufel, S., & Bauknecht, K. (1996). The use of business process models for security design in organizations. In S. Katsikas & D. Gritzalis (Eds.). Proceedings of the IFIP TC11 conference on information systems security (pp. 13-22). London: Chapman & Hall.
31. Hoyt, D. (1973). Computer security handbook. New York: Macmillan.
32. Hudoklin, A., & Stadler, A. (1997). Security and Privacy of Electronic Commerce. In Proceedings of the 10th International Bled Electronic Commerce Conference (pp. 523-535). Moderna Organizacija.
33. Hung, P.C.K., & Karlapalem, K. (1997). A Paradigm for Security Enforcement in CapBasED-AMS. In Proceedings of the 2nd IFCIS International Conference on Cooperative Information Systems (CoopIS'97) (pp. 79-88).
34. ISO/IEC. (1998). Common criteria for information technology security evaluation. International Standard ISO/IEC 15408.
35. Kienzle, D.M., & Wulf, W.A. (1997). A Practical Approach to Security Assessment. In Proceedings of the Workshop New Security Paradigms '97 (pp. 5-16). Lake District.
36. Krauss, L. (1972). SAFE: Security audit and field evaluation for computer facilities and information systems. New York: Amacon.
37. Kwok, L.F., & Longley, D. (1996). A security officer's workbench. Computers & Security, 15 (8), 695-705.
38. Lacoste, G. (1995). SEMPER: A Security Framework for the Global Electronic Marketplace. SEMPER document 431LG042/Draft/25 August 1997/ public.
39. Leiwo, J., Gamage, C., & Zheng, Y. (1998). Harmonizer - A Tool for Processing Information Security Requirements in Organization. In Proceedings of the 3rd Nordic Workshop on Secure Computer Systems (NORDSEC'98), Trondheim.
40. Lund, M. S., den Braber, F., & Stølen, K. (2003). Maintaining Results from Security Assessments. In Proceedings of the 7th European Conference on Software Maintenance and Reengineering (CSMR'2003) (pp. 341-350). IEEE Computer Society Press.
41. OBI Consortium. (1999). OBI Technical Specifications - Open Buying on the Internet, draft release v2.1 edition.
42. Ozier, W. (1989). Risk Quantification Problems and Bayesian Decision Support System Solutions. Information Age, 11 (4), 229-234.
43. Parker, D. (1981). Computer security management, Reston.
44. Pfitzmann, A. (1999). Technologies for Multilateral Security. In G. Müller, & K. Rannenberg, (Eds.), Multilateral security in communications, vol. 3: Technology, Infrastructure, Economy (pp. 85-91). Munich: Addison-Wesley.
45. Pfitzmann, A. & Köhntopp, M. (2001). Anonymity, Unobservability, and Pseudonymity - A Proposal for Terminology. In H. Federrath, (Ed.), Anonymity 2000, LNCS 2009, pages 1-9.
46. Pfitzmann, A., Pfitzmann, B., & Waidner, M. (1991). ISDN-MIXes: Untraceable Communication with Small Bandwidth Overhead. In Kommunikation in Verteilten Systemen (KIVS'91), pages 451-463.
47. Quatrani, T. (2000). Visual Modeling with Rational Rose 2000 and UML. Addison-Wesley, 2 edition.
48. Roessler, T. (1999). Anonymization in data networks - extensive overview of anonymization services on the internet. In D. Fox, & H. Reimer, (Eds.), Datenschutz und Datensicherheit 1999. Vieweg.
49. Röhm, A., Herrmann, G., & Pernul, G. (1999). A Language for Modelling Secure Business Transactions. In Proceedings of the 15th Annual Computer Security Applications Conference (ACSAC'99), (pp. 22-31). IEEE Computer Society Press.
50. Röhm, A. & Pernul, G. (2000). COPS: A Model and Infrastructure for Secure and Fair Electronic Markets. Decision Support Systems Journal, 29 (4), 343-355.
51. Röhm, A., Pernul, G., & Herrmann, G. (1998). Modelling Secure and Fair Electronic Commerce. In Proceedings of the 14th Annual Computer Security Application Conference (ACSAC'98), (pp. 155-164). IEEE Computer Society Press.
52. Rubert, M. (1999). Anonymitat als Sicherheitsmerkmal von Geschäftsprozessen. Diploma thesis, Department of Business Administration, University of Essen. In German.
53. Shen, H., & Dewan, P. (1992). Access Control for Collaborative Environments. In Proceedings of the CSCW'92 Conference. ACM Press, New York.
54. Smith, S. & Lim, J. (1984). An Automated Method for Assessing the Effectiveness of Computer Security Safeguards. In Computer Security A Global Challenge, pages 321-328. North-Holland, Amsterdam.
55. Starke, G. (1994). Business Models and their Description. In G. Chroust & A. Benczur (Eds.), Workflow Management: Challenges, Paradigms, and Products (CON'94), of Schriftenreihe der österreichischen Computer Gesellschaft, vol. 76, pages 134-147. Oldenbourg-Verlag Wien.
56. Syverson, P. F., Reed, M. G., & Goldschlag, D. M. (2000). Onion Routing Access Configurations. In DISCEX 2000: Proceedings of the DARPA Information Survivability Conference and Exposition, vol. 1, pages 34-40, Hilton Head, SC. IEEE Computer Society Press.
57. Thoben, W. (2000). Wissensbasierte Bedrohungs-und Risikoanalyse Workflow-basierter Anwendungssysteme. Reihe Wirtschaftsinformatik. B.G. Teubner-Verlag, Stuttgart. Published Version of Doctoral Thesis. In German.
58. Thomas, R. & Sandhu, R. (1997). Task-Based Authorization Controls (TBAC): A Family of Models for Active and Enterprise-Oriented Authorization Management. In Proceedings of the IFIP WG11.3 Workshop on Database Security. London: Chapman & Hall.
59. Tigris. (2000). ArgoUML Vision. argouml.tigris.org/vision.html.
60. Zviran, M., Hoge, J., & Micucci, V. (1990). SPAN - a DSS for Security Plan Analysis. Computer Security, 9 (2), 153-160.