Security-Oriented Refinement of Business Processes

Peter Herrmann

Universität Dortmund, FB Informatik, LS IV, D-44221 Dortmund

Gaby Herrmann

Universität Essen, FB 5, Information Systems, D-45141 Essen


Economic globalization leads to complex decentralized company structures calling for the extensive use of distributed IT-systems. The business processes of a company have to reflect these changes of infrastructure. In particular, due to new electronic applications and the inclusion of a higher number of - potentially unknown - persons, the business processes are more vulnerable against malicious attacks than traditional processes. Thus, a business should undergo a security analysis. Here, the vulnerabilities of the business process are recognized, the risks resulting from the vulnerabilities are calculated, and suitable safeguards reducing the vulnerabilities are selected. Unfortunately, a security analysis tends to be complex and affords expensive security expert support. In order to reduce the expense and to enable domain experts with in-depth insight in business processes but with limited knowledge about security to develop secure business processes, we developed the framework MoSS_BP facilitating the handling of business process security requirements from their specification to their realization. In particular, MoSS_BP provides graphical concepts to specify security requirements, repositories of various mechanisms enforcing the security requirements, and a collection of reference models and case studies enabling the modification of the business processes. In this paper, the MoSS_BP framework is presented. Additionally, we introduce a tool supporting the MoSS_BP-related security analysis of business processes and the incorporation of safeguards. This tool is based on object-oriented process models and acts with graph rewrite systems.

Key Words

E-Commerce, Business Process, MoSS_BP, Object-Oriented Security Analysis, Graph Rewriting

Published in

To appear in Proceedings of the 5th International Conference on Electronic Commerce Research (ICECR-5), ATSMA, IFIP, Montreal, October 2002.

Obtaining the paper

Due to the copyright agreement between the publisher and the authors we are not allowed to make the paper available online. If you have problems to obtain it, please call us.

Peter Herrmann, September 6, 2002 -- digital media copyright