Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models

Organizations execute daily activities to meet their objectives. The performance of these activities can be fundamental for achieving a business objective, but they also imply the assumption of certain security risks that might go against a company's security policies. A risk may be de ned as t...

Descripción completa

Detalles Bibliográficos
Autores: Varela Vaca, Ángel Jesús, Parody Núñez, María Luisa, Martínez Gasca, Rafael, Gómez López, María Teresa
Tipo de recurso: artículo
Estado:Versión enviada para evaluación y publicación
Fecha de publicación:2019
País:España
Institución:Universidad de Sevilla (US)
Repositorio:idUS. Depósito de Investigación de la Universidad de Sevilla
OAI Identifier:oai:idus.us.es:11441/97496
Acceso en línea:https://hdl.handle.net/11441/97496
https://doi.org/10.1109/ACCESS.2019.2901408
Access Level:acceso abierto
Palabra clave:Business process management
Business Process Model
Security-risk assessment
Model-based diagnosis
Constraint programming
Descripción
Sumario:Organizations execute daily activities to meet their objectives. The performance of these activities can be fundamental for achieving a business objective, but they also imply the assumption of certain security risks that might go against a company's security policies. A risk may be de ned as the effects of uncertainty on the achievement of the goals of a company, some of which can be associated with security aspects (e.g., data corruption or data leakage). The execution of the activities can be choreographed using business processes models, in which the risk of the entire business process model derives from a combination of the single activity risks (executed in an isolated manner). In this paper, a risk assessment method is proposed to enable the analysis and evaluation of a set of activities combined in a business process model to ascertain whether the model conforms to the security-risk objectives. To achieve this objective, we use a business process extension with security-risk information to: 1) de ne an algorithm to verify the level of risk of process models; 2) design an algorithm to diagnose the risk of the activities that fail to conform to the level of risk established in security-risk objectives; and 3) the implementation of a tool that supports the described proposal. In addition, a real case study is presented, and a set of scalability benchmarks of performance analysis is carried out in order to check the usefulness and suitability of automation of the algorithms.