Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models
Organizations execute daily activities to meet their objectives. The performance of these activities can be fundamental for achieving a business objective, but they also imply the assumption of certain security risks that might go against a company's security policies. A risk may be de ned as t...
| Autores: | , , , |
|---|---|
| Tipo de recurso: | artículo |
| Estado: | Versión enviada para evaluación y publicación |
| Fecha de publicación: | 2019 |
| País: | España |
| Institución: | Universidad de Sevilla (US) |
| Repositorio: | idUS. Depósito de Investigación de la Universidad de Sevilla |
| OAI Identifier: | oai:idus.us.es:11441/97496 |
| Acceso en línea: | https://hdl.handle.net/11441/97496 https://doi.org/10.1109/ACCESS.2019.2901408 |
| Access Level: | acceso abierto |
| Palabra clave: | Business process management Business Process Model Security-risk assessment Model-based diagnosis Constraint programming |
| id |
ES_d39a9ce141c927d2cde13d4e4dc92c27 |
|---|---|
| oai_identifier_str |
oai:idus.us.es:11441/97496 |
| network_acronym_str |
ES |
| network_name_str |
España |
| repository_id_str |
|
| spelling |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process ModelsVarela Vaca, Ángel JesúsParody Núñez, María LuisaMartínez Gasca, RafaelGómez López, María TeresaBusiness process managementBusiness Process ModelSecurity-risk assessmentModel-based diagnosisConstraint programmingOrganizations execute daily activities to meet their objectives. The performance of these activities can be fundamental for achieving a business objective, but they also imply the assumption of certain security risks that might go against a company's security policies. A risk may be de ned as the effects of uncertainty on the achievement of the goals of a company, some of which can be associated with security aspects (e.g., data corruption or data leakage). The execution of the activities can be choreographed using business processes models, in which the risk of the entire business process model derives from a combination of the single activity risks (executed in an isolated manner). In this paper, a risk assessment method is proposed to enable the analysis and evaluation of a set of activities combined in a business process model to ascertain whether the model conforms to the security-risk objectives. To achieve this objective, we use a business process extension with security-risk information to: 1) de ne an algorithm to verify the level of risk of process models; 2) design an algorithm to diagnose the risk of the activities that fail to conform to the level of risk established in security-risk objectives; and 3) the implementation of a tool that supports the described proposal. In addition, a real case study is presented, and a set of scalability benchmarks of performance analysis is carried out in order to check the usefulness and suitability of automation of the algorithms.Ministerio de Ciencia y Tecnología TIN2015-63502-C3-2-RIEEE Computer SocietyLenguajes y Sistemas InformáticosMinisterio de Ciencia Y Tecnología (MCYT). España2019info:eu-repo/semantics/articleinfo:eu-repo/semantics/submittedVersionapplication/pdfapplication/pdfhttps://hdl.handle.net/11441/97496https://doi.org/10.1109/ACCESS.2019.2901408reponame:idUS. Depósito de Investigación de la Universidad de Sevillainstname:Universidad de Sevilla (US)InglésIEEE Access, 7, 26448-26465.TIN2015-63502-C3-2-Rhttps://ieeexplore.ieee.org/document/8651587info:eu-repo/semantics/openAccessoai:idus.us.es:11441/974962026-06-17T12:51:07Z |
| dc.title.none.fl_str_mv |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models |
| title |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models |
| spellingShingle |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models Varela Vaca, Ángel Jesús Business process management Business Process Model Security-risk assessment Model-based diagnosis Constraint programming |
| title_short |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models |
| title_full |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models |
| title_fullStr |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models |
| title_full_unstemmed |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models |
| title_sort |
Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models |
| dc.creator.none.fl_str_mv |
Varela Vaca, Ángel Jesús Parody Núñez, María Luisa Martínez Gasca, Rafael Gómez López, María Teresa |
| author |
Varela Vaca, Ángel Jesús |
| author_facet |
Varela Vaca, Ángel Jesús Parody Núñez, María Luisa Martínez Gasca, Rafael Gómez López, María Teresa |
| author_role |
author |
| author2 |
Parody Núñez, María Luisa Martínez Gasca, Rafael Gómez López, María Teresa |
| author2_role |
author author author |
| dc.contributor.none.fl_str_mv |
Lenguajes y Sistemas Informáticos Ministerio de Ciencia Y Tecnología (MCYT). España |
| dc.subject.none.fl_str_mv |
Business process management Business Process Model Security-risk assessment Model-based diagnosis Constraint programming |
| topic |
Business process management Business Process Model Security-risk assessment Model-based diagnosis Constraint programming |
| description |
Organizations execute daily activities to meet their objectives. The performance of these activities can be fundamental for achieving a business objective, but they also imply the assumption of certain security risks that might go against a company's security policies. A risk may be de ned as the effects of uncertainty on the achievement of the goals of a company, some of which can be associated with security aspects (e.g., data corruption or data leakage). The execution of the activities can be choreographed using business processes models, in which the risk of the entire business process model derives from a combination of the single activity risks (executed in an isolated manner). In this paper, a risk assessment method is proposed to enable the analysis and evaluation of a set of activities combined in a business process model to ascertain whether the model conforms to the security-risk objectives. To achieve this objective, we use a business process extension with security-risk information to: 1) de ne an algorithm to verify the level of risk of process models; 2) design an algorithm to diagnose the risk of the activities that fail to conform to the level of risk established in security-risk objectives; and 3) the implementation of a tool that supports the described proposal. In addition, a real case study is presented, and a set of scalability benchmarks of performance analysis is carried out in order to check the usefulness and suitability of automation of the algorithms. |
| publishDate |
2019 |
| dc.date.none.fl_str_mv |
2019 |
| dc.type.none.fl_str_mv |
info:eu-repo/semantics/article info:eu-repo/semantics/submittedVersion |
| format |
article |
| status_str |
submittedVersion |
| dc.identifier.none.fl_str_mv |
https://hdl.handle.net/11441/97496 https://doi.org/10.1109/ACCESS.2019.2901408 |
| url |
https://hdl.handle.net/11441/97496 https://doi.org/10.1109/ACCESS.2019.2901408 |
| dc.language.none.fl_str_mv |
Inglés |
| language_invalid_str_mv |
Inglés |
| dc.relation.none.fl_str_mv |
IEEE Access, 7, 26448-26465. TIN2015-63502-C3-2-R https://ieeexplore.ieee.org/document/8651587 |
| dc.rights.none.fl_str_mv |
info:eu-repo/semantics/openAccess |
| eu_rights_str_mv |
openAccess |
| dc.format.none.fl_str_mv |
application/pdf application/pdf |
| dc.publisher.none.fl_str_mv |
IEEE Computer Society |
| publisher.none.fl_str_mv |
IEEE Computer Society |
| dc.source.none.fl_str_mv |
reponame:idUS. Depósito de Investigación de la Universidad de Sevilla instname:Universidad de Sevilla (US) |
| instname_str |
Universidad de Sevilla (US) |
| reponame_str |
idUS. Depósito de Investigación de la Universidad de Sevilla |
| collection |
idUS. Depósito de Investigación de la Universidad de Sevilla |
| repository.name.fl_str_mv |
|
| repository.mail.fl_str_mv |
|
| _version_ |
1869420474271793152 |
| score |
15,301603 |