Article Preview
TopIntroduction
Users are widely adopting business process modeling standards to express and design the functional requirements of their businesses. Business process modelling is normally performed in a modelling language such as Unified Modeling Language (UML) or Business Process Model and Notation (BPMN). These modelling languages do not support natively annotation security, which may result in significant problems regarding the comprehensibility and maintainability of these ad hoc models. BPMN was originally developed to provide a notation that was easily understandable by all business users, from technical analysts implementing an information system to business analysts to business users who manage the processes (Pullonen et al., 2019). BPMN is used as a modelling language for our work; which is an industry standard for business modelling and fulfils the requirement of visually representation (Rodriguez et al., 2007) and (Salnitri et al., 2014). Moreover, BPMN provides an extension mechanism and it is supported by a wide range of modelling tools (Zarour et al., 2019).
In addition to the functional characteristics of a business process, there also exist a number of non-functional aspects that need to be taken into consideration. Security is one of the most important of such non-functional aspects (Argyropoulos et al., 2019). Security requirements and compliance regulations are a major concern for designing and running business process driven systems due to the potential impact of its defect for organizations in terms of reputation, finances and legal compliance (Argyropoulos et al., 2019).
Security requirements have been recognized as an important concern among system developers and users. Based on these facts, the association between business process and security is inevitable. Empirical studies show that those who model the business process i.e. business domain expert is able to specify security requirements at high level of abstraction i.e. while designing the system (Rodriguez et al., 2007).
Since the consideration of security during the early design stages of systems is considered highly beneficial (Leitner et al., 2013). Business process modelling is the most appropriate layer to describe security requirements (Menzel et al., 2009). However, in practice, business domain expert mainly focuses on the functionality because business domain expert is not a security expert (Rodriguez et al., 2007) and in many software development methods often treat security, separately at later stage. Further, the main concern of developers is functionality, security is underprioritized and implemented in an ad hoc manner.
Several BPMN security extensions have been proposed to model the security requirements along the business process model. However, those approaches remain theoretical and miss many important security concepts (Maines et al., 2016). They are being constructed unsystematically, without any empirical evidence to support their choice of concepts (Leitner et al., 2013). Most security extensions are not compliant with the BPMN 2.0 standard (Braun et al., 2014).
We propose a new BPMN extension to annotate business security with security concepts. Unlike current approaches, our extension is built upon existing literature and empirical evidence. From our evaluation of existing approaches, we are able to identify the gaps and propose a new set of requirements for avoiding them. An ontology-based BPMN extension approach is proposed with a complete set of security concepts derived from cyber security ontology (Maines et al., 2015). with their graphical presentation. The security concepts are integrated into business process models to operationalize different types of security requirements (e.g. availability, confidentiality, integrity) and are expressed at an abstraction level which is generic enough to be able to be instantiated by different types of security implementing technologies.
We applied Stroppi Method (Stroppi et al., 2011), for the development of extensions to have a valid BPMN 2.0 extension. We implemented our approach as web application to facilitate collaboration between actors (business domain expert, security expert and developer). Furthermore, we defined the extension as XML Schema to be able to integrate it to existing BPMN tools.