Defining secure business processes with respect to multiple objectives

ARES 2008 - 3rd International Conference on Availability, Security, and Reliability, Proceedings

Volumn , Issue , 2008, Pages 187-194

  Neubauer, Thomas ^a   Heurix, Johannes ^a  

^a Secure Business Austria ^*

Author keywords

Multiobjective decision support; Risk assessment; Secure business processes; Security

Indexed keywords

BUSINESS ACTIVITIES; BUSINESS ENVIRONMENTS; BUSINESS PROCESSES; DECISION MAKERS; INTERNATIONAL CONFERENCES; MULTIOBJECTIVE DECISION SUPPORT; MULTIPLE OBJECTIVES; RISK ASSESSMENT; SECURE BUSINESS PROCESSES; SECURITY; SECURITY ISSUES; SECURITY MEASURES; SECURITY REQUIREMENTS; THREATS AND VULNERABILITIES;

DECENTRALIZED CONTROL;

EID: 49049104639     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/ARES.2008.174     Document Type: Conference Paper

References (57)

1. C. Hastedt-Marckwardt, "Workflow Management Systeme: Ein Beitrag der IT zur Geschäftsprozess-Orientierung & -Optimierang - Grundlagen, Standards und Trends," in Informatik Spektrum. Springer, 1999, vol. 22, pp. 99-109.
2. M. Zairi, "Business process management: a boundaryless approach to modern competitiveness," Business Process Management, vol. 3, no. 1. pp. 64-80, 1997.
3. C. H. Han, R. H. Westen, A. Hodgson, and K. H. Lee, "The complementary use of idef and uml modelling approaches," Computers in Industry, vol. 50, pp. 35-56, 2003.
4. T Neubauer, M. Klemen, and S. Biffl, "Secure business process management: a roadmap," in Procs. The First International Conference on Availability, Reliability and Security, 2006. ARES 2006., 20-22 April 2006, p. 8.
5. P. Kedrosky, "Hackers prey on our insecurities," The Wall Street Journal. The Wall Street Journal, February 2000.
6. Computer economics. [Online]. Available: www.computereconomics.com
7. M. Bishop, "What is computer security?" IEEE Sec. Priv. Mag., vol. 1, no, 1, pp. 67-69, Jan.-Feb. 2003.
8. IBM, "Ibm data security support programs," 1984,
9. C. Kobryn, "Uml 2001: a standardization odyssey," Commun. ACM, vol. 42, no. 10, pp. 29-37, 1999.
10. A. W. Scheer, Architecture, of integrated information systems. Springer, 1992.
11. J. Jürjens, "Umlsec: Extending uml for secure systems development," in UML 2002. Springer, 2002.
12. A. Rodriguez, E. Fernandez-Medina, and M. Piattini, "Security requirements with a uml 2 profile," in Procs. First International Conference on Availability, Reliability and Security, ARES'06, 2006.
13. M. zur Muehlen and M. Rosemann, "Integrating risks in business process models," in Procs. 16th Australasian Conference on Information Systems, 2005,
14. G. Herrmann, "Security and integrity requirements of business processes - analysis and approach to support their realisation," in Consortium on Advanced Information Systems Engineering, 1999, pp. 36-47.
15. C. Pfleeger, "The fundamentals of information security," IEEE Softw., vol. 14, no, 1, pp. 15-16,60, Jan.-Feb. 1997.
16. H. A. Gartner and P. Konrad, "Nutzung von Methoden und Instrumenten - Details zur KES Sicherheitsstudie 1994," KES - Zeitschrift für Kommunikationsund EDV Sicherheit, vol. 2, 1995.
17. FIPS Publication (65), National Institute of Standards and Technologies Std., 1979.
18. T. Neubauer, C. Stummer, and E. Weippl, "Workshop-based multiobjective security safeguard selection," in Procs. The First International Conference on Availability, Reliability and Security, 2006. ARES 2006., 20-22 April 2006, p. 8.
19. K. J. SooHoo, "How much is enough? A risk-management approach to computer security," Consortium for Research on Information Security and Policy (CRISP), Tech. Rep., June 2000,
20. K. Buzzard, "Computer security - what should you spend your money on?" Computers and Security, vol. 18, pp. 322-334, 1999.
21. R. Sandhu, "Good-enough security," IEEE Internet Comput., vol. 7, no. 1, pp. 66-68, 2003.
22. T. R. Peltier, Information Security' Risk Analysis, 2nd ed. Auerbach Publications, 2005,
23. V. Atluri and W.-K. Huang, "An authorization model for workflows," in Proceedings of the Fifth European Symposium on Research in Computer Security, Rome, Italy, 1996, pp. 44-64.
24. S. Chaari, F. Biennier, C. Ben Amar, and J. Favrel, "An authorization and access control model for workflow," in IEEE Procs. First International Symposium on Control, Communications and Signal Processing, 2004., 2004, pp. 141-148.
25. J. Zhang, J. Sun, N. Li, and C. Hu, "A conditioned secure access control model based on multi-weighted roles in workflow systems," in International Conference on Control and Automation (ICCA2005), Budapest, Hungary, 27-29 June 2005.
26. T. Neubauer and C. Stummer, "Interactive decision support for multi-objective cots selection," in Procs. 40th Annual Hawaii International Conference on System Sciences, 2007. HICSS 2007, 2007.
27. T. Neubauer, M. Klemen, and S. Biffl, "Business process-based valuation of it-security," in Procs. The seventh international workshop on Economics-driven software engineering research, 2005. EDSER 2005. New York, NY, USA: ACM Press, 2005, pp. 1-5.
28. M. D. Abrams and S. Jajodia, Information Security: An Integrated Collection of Essays, H. J. Podell, Ed. IEEE Computer Society Press, 1995.
29. A. Avizienis, J.-C. Laprie, B. Randell, and C. Landwehr, "Basic concepts and taxonomy of dependable and secure computing," IEEE Transactions on Dependable and Secure Computing, vol. 01, no. 1, pp. 11-33, 2004.
30. B. Blakley, E. McDermott, and D. Geer, "Information security is information risk management," in NSPW '01: Proceedings of the 2001 workshop on New security paradigms. New York, NY, USA: ACM Press, 2001, pp. 97-104.
31. T. Finne, "Information systems risk management: Key concepts and business processes," Computers and Security, vol. 19, pp. 234-242, 2000.
32. L. A. Gordon and M. P. Loeb, "The economics of information security investment," ACM Transactions on Information Systems Security, vol. 5, no, 4, pp. 438-457, 2002,
33. C. Landwehr, "Computer security," International Journal of Information Security, vol. 1, no. 1, pp. 3-13, 2001.
34. S. Vidalis, "Critical discussion of risk and threat analysis methods and methodologies," University of Glamorgan, SoC Technical Report, July 2004.
35. S. Rohrig, "Using process models to analyze security requirements," Ph.D. dissertation, Wirtschaftswissenschaftliche Fakultät der Universität Zürich, Mar, 2003.
36. L. D. Bodin, L. A. Gordon, and M. P. Loeb, "Evaluating information security investments using the analytic hierarchy process," Commun. ACM, vol. 48, no. 2, pp. 78-83, 2005,
37. V. Atluri and W.-K. Huang, "Enforcing mandatory and discretionary security in workflow management systems," Journal of Computer Security, vol. 5, no. 4, pp. 303-339, 1997.
38. E. Bertino, B. Catania, E. Ferrari, and P. Perlasca, "A logical framework for reasoning about access control models," ACM Trans. Inf. Syst. Secur., vol. 6, no. 1, pp. 71-127, 2003,
39. E. Bertino, E. Ferrari, and V. Atluri, "The specification and enforcement of authorization constraints in workflow management systems," ACM Trans. Inf. Syst. Secur., vol. 2, no. 1, pp. 65-104, 1999.
40. Y. Sun and P. Pan, "Pres: a practical flexible rbac workflow system," in Proceedings of the 7th international conference on Electronic commerce, ICEC '05. New York, NY, USA: ACM Press, 2005, pp. 653-658.
41. J. Wainer, P. Barthelmess, and A. Kumar, "W-rbac: A workflow security model incorporating controlled overriding of constraints," International Journal of Cooperative Information Systems, vol. 12, no. 4, pp. 455-485, 2003.
42. B. Wang, S. Zhang, and X. Xiawa, Grid and Cooperative Computing, ser LNCS. Springer Berlin/Heidelberg, 2004, ch. The Application Research of Role-Based Access Control Model in Workflow Management System, pp. 1034-1037.
43. H.-K. Kim, "Frameworks for secured business process management systems," in Procs. Fourth International Conference on Software Engineering Research, Management and Applications (SERAS06). IEEE, 2006.
44. K. Knorr and H. Weidner, "Integration von Public-Key-Mechanismen in Petri-Netz-Workflows," in Sicherheit in Informationssysteme SIS 2000, K. Bauknecht and S. Teufel, Eds., Oct. 2000, pp. 202-220.
45. _, "Analyzing separation of duties in petri net workflows," in Proceedings of the International Workshop on Information Assurance in Computer Networks, MMM-ACNS '01. London, UK: Springer-Verlag, 2001, pp. 102-114,
46. S. A. Butler, "Security attribute evaluation method: a cost-benefit approach," in Proceedings of the 24th International Conference on Software Engineering, ICSE '02. New York, NY, USA: ACM Press, 2002, pp. 232-240,
47. S. A. Butler and P. Fischbeck, "Multi-attribute risk assessment," in Second Symposium on Requirements Engineering for Information Security, SREIS 2002, Raleigh, NC, Oct. 2002.
48. C. Alberts and A. Dorofee. An introduction to the OCTAVE method. Software Engineering Institute, Carnegie Mellon University, [Online]. Available: http://www.cert.org/octave/methodintro.html
49. B. Suh and I. Han, "The is risk analysis based on a business model," Inf. Manage., vol. 41, no. 2, pp. 149-158, 2003.
50. F. den Braber, I. Hogganvik, M. S. Lund, K. Stolen, and F. Vraalsen, "Model-based security analysis in seven steps - a guided tour to the CORAS method," BT Technology Journal, vol. 25, no. 1, pp. 101-117, Jan. 2007.
51. D. Basin, J. Doser, and T. Lodderstedt, "Model driven security: From uml models to access control infrastructures," ACM Trans. Softw. Eng. Methodol., vol. 15, no. 1, pp. 39-91, January 2006.
52. J. McDermott and C. Fox, "Using abuse case models for security requirements analysis," in Procs. 15th Annual Computer Security Applications Conference, 1999. (ACSAC '99), 6-10 Dec, 1999, pp. 55-64.
53. G. Sindre and A. Opdahl, "Eliciting security requirements by misuse cases," in Procs. 37th International Conference onTechnology of Object-Oriented Languages and Systems, 2000. TOOLS-Pacific 2000., 20-23 Nov. 2000, pp. 120-131.
54. P. Herrmann and G. Herrmann, "Security requirement analysis of business processes," Electronic Commerce Research, vol. 6, no. 3-4, pp. 305-335, 2006.
55. A. Ekelhart, S. Fenz, T. Neubauer, and E. Weippl, "Formal threat descriptions for enhancing governmental risk assessment," in Proceedings of the First International Conference on Theory and Practice of Electronic Governance. ACM Press, 2007.
56. P. Pidd, Tools for Thinking: Modelling in Management Science, 2nd ed. John Wiley & Sons, 2003,
57. P. Gruenbacher, "Collaborative requirements negotiation with easywin-win," in Procs. 11th International Workshop on Database and Expert Systems Applications DEXA '00. Washington, DC, USA: IEEE Computer Society, 2000, p. 954.