Formalization of security patterns as a means to infer security controls in business processes

The growing trend towards the automation and externalization of business processes by means of Technology Infrastructure (TI), such as Business Process Management Systems, has increased the security risks in the organizations. In the majority of cases, the issue of security is overlooked by default...

Descripción completa

Detalles Bibliográficos
Autores: Varela Vaca, Ángel Jesús, Martínez Gasca, Rafael
Tipo de recurso: artículo
Estado:Versión enviada para evaluación y publicación
Fecha de publicación:2015
País:España
Institución:Universidad de Sevilla (US)
Repositorio:idUS. Depósito de Investigación de la Universidad de Sevilla
OAI Identifier:oai:idus.us.es:11441/139505
Acceso en línea:https://hdl.handle.net/11441/139505
https://doi.org/10.1093/jigpal/jzu042
Access Level:acceso abierto
Palabra clave:Business process
Security patterns
Feature model
Constraint programming
Optimization
Descripción
Sumario:The growing trend towards the automation and externalization of business processes by means of Technology Infrastructure (TI), such as Business Process Management Systems, has increased the security risks in the organizations. In the majority of cases, the issue of security is overlooked by default in these systems. Therefore, the early selection and implementation of security controls that mitigate risks is a real and crucial need. Nevertheless, there exists an enormous range of IT security controls and their configuration is a human, manual, time-consuming and error-prone task. In addition, security controls are implemented out separately from the organization perspective and involve many stakeholders. This separation makes difficult to ensure the effectiveness of these controls with regard to organizational requirements. In this article, we propose a formalization of security controls based on security pattern templates and feature models. This formalization allows applying feature domain-oriented analysis and constraint programming techniques for the automatic inference, selection and generation of optimal security controls with regard to single and multiple business objectives