Enabling security risk assessment and management for business process models

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
David G. Rosado , Luis E. Sánchez , Ángel Jesús Varela-Vaca , Antonio Santos-Olmo , María Teresa Gómez-López , Rafael M. Gasca , Eduardo Fernández-Medina
{"title":"Enabling security risk assessment and management for business process models","authors":"David G. Rosado ,&nbsp;Luis E. Sánchez ,&nbsp;Ángel Jesús Varela-Vaca ,&nbsp;Antonio Santos-Olmo ,&nbsp;María Teresa Gómez-López ,&nbsp;Rafael M. Gasca ,&nbsp;Eduardo Fernández-Medina","doi":"10.1016/j.jisa.2024.103829","DOIUrl":null,"url":null,"abstract":"<div><p>Business processes (BP) are considered the enterprise’s cornerstone but are increasingly in the spotlight of attacks. Therefore, the design of business processes must consider the security risks and be adequately integrated into the information and operational systems. However, security risk assessment and management are rarely considered at the level of business processes during design time, let alone considering a risk architecture that takes into account the connection and dependencies of risks at these levels of the organisation, business processes, and information systems. In general, most approaches deal with integrating new artefacts for business process models to support risk analysis, but sometimes, the notation can increase complexity, making it difficult to have a risk management tool to support the analysis. After analysing the current risk processes and frameworks, we have realised that they are often neglected when considering organisational and business process levels. In this paper, MARISMA-BP (MARISMA for Business Process) pattern is proposed, a security risk pattern to enable the assessment and management of risks for business process models. This approach is an artefact that has been validated in a real scenario following the design science methodology. Further, MARISMA-BP pattern is supported by eMARISMA, an automated infrastructure that allows the definition and reuse of each risk component, helping us to carry out the risk assessment and management process in an efficient and dynamic way. To demonstrate the applicability of the proposal, MARISMA-BP pattern is applied to a real health-based business process scenario. The findings illustrate the efficacy of MARISMA-BP within eMARISMA for comprehensive risk assessment and management, underscoring its versatility and practical relevance in any business process environment.</p></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"84 ","pages":"Article 103829"},"PeriodicalIF":3.8000,"publicationDate":"2024-07-05","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://www.sciencedirect.com/science/article/pii/S2214212624001315/pdfft?md5=79e2b72fbb70dc8c5f2f35e3717059dc&pid=1-s2.0-S2214212624001315-main.pdf","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212624001315","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Business processes (BP) are considered the enterprise’s cornerstone but are increasingly in the spotlight of attacks. Therefore, the design of business processes must consider the security risks and be adequately integrated into the information and operational systems. However, security risk assessment and management are rarely considered at the level of business processes during design time, let alone considering a risk architecture that takes into account the connection and dependencies of risks at these levels of the organisation, business processes, and information systems. In general, most approaches deal with integrating new artefacts for business process models to support risk analysis, but sometimes, the notation can increase complexity, making it difficult to have a risk management tool to support the analysis. After analysing the current risk processes and frameworks, we have realised that they are often neglected when considering organisational and business process levels. In this paper, MARISMA-BP (MARISMA for Business Process) pattern is proposed, a security risk pattern to enable the assessment and management of risks for business process models. This approach is an artefact that has been validated in a real scenario following the design science methodology. Further, MARISMA-BP pattern is supported by eMARISMA, an automated infrastructure that allows the definition and reuse of each risk component, helping us to carry out the risk assessment and management process in an efficient and dynamic way. To demonstrate the applicability of the proposal, MARISMA-BP pattern is applied to a real health-based business process scenario. The findings illustrate the efficacy of MARISMA-BP within eMARISMA for comprehensive risk assessment and management, underscoring its versatility and practical relevance in any business process environment.

实现业务流程模型的安全风险评估和管理
业务流程(BP)被视为企业的基石,但也日益成为攻击的焦点。因此,业务流程的设计必须考虑安全风险,并与信息和运营系统充分整合。然而,在设计时很少考虑业务流程层面的安全风险评估和管理,更不用说考虑风险架构,将组织、业务流程和信息系统这些层面的风险联系和依赖性考虑在内了。一般来说,大多数方法都是为业务流程模型整合新的人工制品,以支持风险分析,但有时,这种符号会增加复杂性,使风险管理工具难以支持分析。在分析了当前的风险流程和框架后,我们意识到,在考虑组织和业务流程层面时,它们往往被忽视。本文提出了 MARISMA-BP(用于业务流程的 MARISMA)模式,这是一种安全风险模式,可用于评估和管理业务流程模型的风险。这种方法是一种人工制品,已按照设计科学方法在真实场景中进行了验证。此外,MARISMA-BP 模式还得到了 eMARISMA 的支持,eMARISMA 是一种自动化基础设施,允许定义和重用每个风险组件,帮助我们以高效、动态的方式开展风险评估和管理流程。为了证明该建议的适用性,MARISMA-BP 模式被应用到一个真实的基于健康的业务流程场景中。研究结果表明,MARISMA-BP 模式在 eMARISMA 系统中能有效地进行全面风险评估和管理,突出了它在任何业务流程环境中的多功能性和实用性。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信