Securing business processes using security risk-oriented patterns

Computer Standards and Interfaces

Volumn 36, Issue 4, 2014, Pages 723-733

  Ahmed, Naved ^a   Matulevičius, Raimundas ^a  

^a UNIVERSITY OF TARTU   (Estonia)

Author keywords

Business process modelling; Security engineering; Security requirements; Security risk oriented patterns

Indexed keywords

EID: 84894261595     PISSN: 09205489     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.csi.2013.12.007     Document Type: Article

References (52)

1. D. Firesmith Engineering safety and security related requirements for software intensive systems Software Engineering - Companion. ICSE 2007 Companion. 29th International Conference on, IEEE Computer Society 2007 169
2. P.T. Devanbu, and S. Stubblebine Software engineering for security: a roadmap The Future of Software Engineering 2000 ACM Press 227 239
3. J. Jürjens Secure Systems Development with UML 2005 Springer
4. DCSSL EBIOS Expression of Needs and Identification of Security Objectives http://www.bsi.de/english/gshb/manual/download/index.html 2004
5. ENISA -Inventory of Risk Assessment and Risk Management Methods 2004
6. M. Schumacher, E. Fernandez-Buglioni, D. Hybertson, F. Buschmann, and P. Sommerlad Security Patterns 2006 Integrating Security and Systems Engineering
7. S. Röhrig, and K. Knorr Security analysis of electronic business processes Electron. Commer. Res. 4 1-2 2004 59 81
8. P. Herrmann, and G. Herrmann Security requirement analysis of business processes Electron. Commer. Res. 6 3-4 2006 305 335
9. G. Sindre Mal-activity diagrams for capturing attacks on business processes Proc. of REFSQ 2007 vol. 4542 2007 Springer 355 366
10. A. Rodríguez, E. Fernández-Medina, and M. Piattini A BPMN extension for the modeling of security requirements in business processes IEICE Trans. Inf. Syst. 90-D 4 2007 745 752
11. A. Rodríguez, E. Fernández-Medina, J. Trujillo, and M. Piattini Secure business process model specification through a UML 2.0 activity diagram profile Decis. Support. Syst. 51 3 2011 446 465
12. C.J. Pavlovski, and J. Zou Non-functional requirements in business process modeling Proceedings of the 5th Asia-Pacific conf. on Conceptual Modelling, APCCM 2008 Australian Computer Society, Inc. 103 112
13. E. Paja, P. Giorgini, S. Paul, and P.H. Meland Security requirements engineering for business processes Perspectives in Business Informatics Research 2011 Riga Technical University Riga, Latvia 163 170
14. O. Altuhhova, R. Matulevičius, and N. Ahmed Towards definition of secure business processes Advanced Information Systems Engineering Workshops, WISSE'12 2012 Springer 1 15
15. E. Dubois, P. Heymans, N. Mayer, and R. Matulevičius A systematic approach to define the domain of information system security risk management Intentional Perspectives on IS Eng 2010 Springer 289 306
16. N. Mayer Model-based Management of Information System Security Risk [Ph.D. thesis] 2009 University of Namur
17. N. Ahmed, and R. Matulevičius A template of security risk patterns for business processes Perspectives in Business Informatics Research 2011 Riga Technical University Riga, Latvia 123 130
18. R. Matulevičius, H. Mouratidis, N. Mayer, E. Dubois, and P. Heymans Syntactic and semantic extensions to secure Tropos to support security risk management J. UCS 18 6 2012 816 844
19. M. Chowdhury, R. Matulevičius, G. Sindre, and P. Karpati Aligning mal-activity diagrams and security risk management for security requirements definitions Proc. of REFSQ 2012 2012 Springer Berlin/Heidelberg 132 139
20. I. Soomro, and N. Ahmed Towards security risk-oriented misuse cases Proc. of BPM 2012 International Workshops 2012 Springer LNBIP
21. F. Braber, I. Hogganvik, M.S. Lund, K. Stølen, and F. Vraalsen Model-based security analysis in seven steps - a guided tour to the CORAS method BT Technol. J. 25 2007 101 117
22. A. Herrmann, A. Morali, S. Etalle, and R.J. Wieringa RiskREP: risk-based security requirements elicitation and prioritization Perspectives in Business Informatics Research 2011 Riga Technical University Riga, Latvia 155 162
23. N. Mayer, E. Dubois, and R. Matulevičius Towards a measurement framework for security risk management Proc. of MODSEC08 2008
24. N. Ahmed, R. Matulevičius, and N.H. Khan Eliciting security requirements for business processes using patterns WOSIS 2012 - Proceedings of the 9th International Workshop on Security in Information Systems 2012 SciTePress
25. C. van Aart, and V. Tamma Agent mediated provision of insurance services: two case studies: fraud and repairs Proceedings of the 10th International Conference on Electronic Commerce, ICEC'08 2008 ACM New York, NY, USA 20:1 20:8
26. K. Tsipenyuk, B. Chess, and G. McGraw Seven pernicious kingdoms: a taxonomy of software security errors IEEE Secur. Priv. 3 6 2005 81 84
27. Common attack pattern enumeration and classification http://capec.mitre. org/data/definitions/94.html
28. CWE Man in the Middle (MITM) https://www.owasp.org/index.php/Man-in-the- middleattack
29. M. Scholl, K. Stine, J. Hash, P. Bowen, C.D.S. Arnold Johnson, and D.I. Steinberg An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, Nist Special Publication 800-66 Revision 1 2008 National Institute of Standards and Technology (NIST)
30. J. Garcia-Alfaro, and G. Navarro-Arribas A survey on detection techniques to tpprevent cross-site scripting attacks on current web applications Critical Information Infrastructures Security 2008 Springer Berlin/Heidelberg 287 298
31. S. Fogie, J. Grossman, R. Hansen, A. Rager, and P.D. Petkov XSS Attacks: Cross Site Scripting Exploits and Defense 2007 Syngress Publishing
32. J. Clarke SQL Injection Attacks and Defense First ed. 2009 Syngress Publ.
33. G. Loukas, and G. Öke Protection against denial of service attacks Comput. J. 53 7 2010 1020 1037
34. R. Chang Defending against flooding-based distributed denial-of-service attacks: a tutorial Commun. Mag. IEEE 40 10 2002 42 51
35. K. Hemenway, and T. Calishain Spidering Hacks 2003 O'Reilly & Associates, Inc. Sebastopol, CA, USA
36. S. Noh, C. Lee, K. Choi, and G. Jung Detecting distributed denial of service (DDoS) attacks through inductive learning Intelligent Data Engineering and Automated Learning vol. 2690 2003 Springer Berlin Heidelberg 286 295
37. G. Öke, and G. Loukas A denial of service detector based on maximum likelihood detection and the random neural network Comput. J. 50 6 2007 717 727
38. S.S. Kim, and A.L.N. Reddy Statistical techniques for detecting traffic anomalies through packet header data IEEE/ACM Trans. Networking 3 2008 562 575
39. R. Thomas, B. Mark, T. Johnson, and J. Croall NetBouncer: client-legitimacy-based high-performance DDoS filtering DARPA Information Survivability Conference and Exposition, 2003. Proceedings vol. 1 2003 14 25
40. R. Mahajan, S.M. Bellovin, S. Floyd, J. Ioannidis, V. Paxson, and S. Shenker Controlling high bandwidth aggregates in the network SIGCOMM Comput. Commun. Rev. 32 3 2002 62 73
41. R.E. Smith Multilevel security Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management Third ed. 2006 Wiley 972 986
42. D.E. Bell, and L.J. Lapadula Secure Computer System: Unified Exposition and MULTICS Interpretation, Tech. Rep. ESD-TR-75-306, The MITRE Corporation http://csrc.nist.gov/publications/history/bell76.pdf
43. D.R. Kuhn Role based access control on MLS systems without kernel changes ACM Workshop on Role-Based Access, Control 1998 25 32
44. M. Jakobsson Cryptographic privacy protection techniques Handbook of Information Security, Threats, Vulnerabilities, Prevention, Detection, and Management Third ed. 2006 Wiley 300 310
45. A. Herzberg, S. Jarecki, H. Krawczyk, and M. Yung Proactive secret sharing or: how to cope with perpetual leakage Proc. of CRYPTO'95 1995 339 352
46. N. Yoshioka, H. Washizaki, and K. Maruyama A survey on security patterns Prog. Inform. 5 2008 33 47
47. S. Renault, O. Mendez-Bonilla, X. Franch, and C. Quer Pabre: pattern-based requirements elicitation Proc. of RCIS 2009 2009 81 92
48. M. zur Muehlen, and M. Rosemann Integrating risks in business process models Proceedings of the 2005 Australasian Conference on Information Systems (ACIS 2005), Sydney, Australia 2005 6272
49. E. S. Cope, J. M. Küster, D. Etzweiler, L. A. Deleris, B. Ray, Incorporating risk into business process models, IBM J. Res. Dev. 54 (3).
50. A. Varela-Vaca, R. Gasca, and A. Jimenez-Ramirez A model-driven engineering approach with diagnosis of non-conformance of security objectives in business process models Proc. of RCIS 2011 2011 1 6
51. K. Khanmohammadi, and S.H. Houmb Business process-based information security risk assessment NSS-4 2010 IEEE Computer Society Australia 199 206
52. S. Jakoubi, T. Neubauer, and S. Tjoa A roadmap to risk-aware business process management IEEE APSCC-4, Singapore, Proc., IEEE 2009 23 27