Developing System Security through Business Process Modelling

Olga Altuhhova
Business process understanding and modelling is one of the major aspects in the modern information system (IS) development. Thus, there exist several modelling approaches to support this activity, and one on them is the business process modelling notations (BPMN). Although BPMN is a good approach to understand business processes, there is a limited work to understand how this language could deal with business security and security risk management for IS. This is a problem, since both business processes and security concerns should be understood in parallel to support a development of the secure IS. In this paper we analyse BPMN with respect to the domain model of the IS security risk management (ISSRM). We apply a structured approach to understand key aspects of BPMN and how modeller could express secured assets, risks and risk treatment using BPMN. Thus we align the main constructs of the BPMN language with the key concepts of the ISSRM domain model. We show applicability of our approach on a running example related to the Internet store. We believe that our proposal would allow system analysts to understand both business processes and security concerns using the same modelling language (thus, removing the necessity of learning several modelling languages). In addition we open a possibility for the business and security model interoperability and the model transformation between several modelling approaches (if these both are aligned to the ISSRM domain model).
Graduation Thesis language
Graduation Thesis type
Bachelor - Computer Science
Raimundas Matulevičius
Defence year