"Eesti Teadusfondi uurimistoetus" projekt ETF8704
ETF8704 "Raamistik äriprotsesside ja turvanõuete ühendamiseks (1.01.2011−31.12.2013)", Raimundas Matulevicius, Tartu Ülikool, Matemaatika-informaatikateaduskond.
ETF8704
Raamistik äriprotsesside ja turvanõuete ühendamiseks
A Framework for Aligning Business Processes and Security Requirements
1.01.2011
31.12.2013
Eesti Teadusfondi uurimistoetus
ValdkondAlamvaldkondCERCS erialaFrascati Manual’i erialaProtsent
4. Loodusteadused ja tehnika4.6. ArvutiteadusedP175 Informaatika, süsteemiteooria1.1. Matemaatika ja arvutiteadus (matemaatika ja teised sellega seotud teadused: arvutiteadus ja sellega seotud teadused (ainult tarkvaraarendus, riistvara arendus kuulub tehnikavaldkonda)100,0
PerioodSumma
01.01.2011−31.12.201110 200,00 EUR
01.01.2012−31.12.201210 200,00 EUR
01.01.2013−31.12.201310 200,00 EUR
30 600,00 EUR
37580,05

Tänapäeval on informatsioonisüsteemid (Information Systems - IS) nurgakivid, millele tuginedes teostatakse enamik kaasaegsete organisatsioonide missioonitundlikke äriprotsesse. Organisatsioonid püüdlevad turvalise IS poole, mis tagaks konfidentsiaalsuse, terviklikkuse ja nende elutähtsa äriteabe kättesaadavuse. IS turvalisuse aspekte käsitletakse kasutades mitmeid turvalisuse modelleerimise keeli (nt abuse frames, Secure Tropos, KAOS, misuse cases, mal-activity diagrams, Secure UML ja UMLsec). Sellegipoolest, turvanõudeid kirjeldavad keeled (security languages) ei kirjelda turvanõudeid äriprotsesside tasandil. Teiselt poolt, äriprotsesside modelleerimise keeled (nt BPMN, ECP ja YAWL) kirjeldavad organisatsioonide tööd, kuid sisaldavad vähe turvalisuse aspekte. Käesolevas projektis keskendume IS arendamise esimestele etappidele, so nõuete tehnoloogia (Requirements Engineering). Rõhutame ühtlustatud raamistiku vajadust, mis hõlbustaks äriprotsesside ja turvanõuete teabekorralduse. Võimalik ühtlustatus tooks esile semantilised vastavused äri- ja turvalisuse modelleerimise keeltes. Koos integreeritud, põhjaliku, kaasaaegse ja dokumenteeritud lähenemisviisiga nende keelte ühtlustamiseks, taotleb projekt kiirendada äri- ja turvanõuete tehnoloogiate omandamist praktikute poolt. Eeldatud pikaajalisteks tulemiteks on turvalise IS arendamise paranemine, et toetada äriettevõtete teabe terviklikkust, konfidentsiaalsust ja kättesaadavust.
Nowadays, Information Systems (IS) are the cornerstones upon which the majority of mission-critical business processes are executed in modern organizations. Organisations strive for secure IS that would ensure confidentiality, integrity and availability of their vital business information. Security aspects of IS can be captured and managed using various security modelling languages (e.g., abuse frames, Secure Tropos, KAOS, misuse cases, mal-activity diagrams, SecureUML and UMLsec). However, security languages do little to express and agree on security concerns at the business level. On another hand business processes modelling languages (e.g., BPMN, ECP, and YAWL) combine together activities describing the organisation's work. However security concerns are addressed at the limited extend. In this proposal we focus on the initial IS development stages, a.k.a. Requirements Engineering (RE). We argue for a necessity to an alignment framework that would facilitate an information management between business processes and security requirements. A possible alignment highlights semantic correspondences between business and security modelling languages. With an integrated, sound, comprehensive, and documented approach for aligning the business and security modelling languages, the project aims to accelerate the better adoption of business and security requirement techniques by practitioners. The expected long-term results are improvement of the secure IS development to support business information integrity, confidentiality and availability.

Vastutav täitja (1)

IsikKraadTöökoht ja ametCVOsalemise periood
Raimundas MatuleviciusdoktorikraadEST / ENG01.01.2011−31.12.2012

Põhitäitjad (4)

IsikKraadTöökoht ja ametCVOsalemise periood
Naved AhmeddoktorikraadDoctoral ResearcherEST / ENG01.01.2011−31.12.2013
Olga AltuhhovamagistrikraadEST / ENG01.09.2012−30.06.2013
Marlon DumasdoktorikraadEST / ENG01.01.2011−31.12.2013
Naiad Hossain KhanmagistrikraadEST / ENG01.01.2011−30.06.2012
Publikatsioonid
Publikatsioonid
Altuhhova, O.; Matulevičius, R.; Ahmed, N. (2013). An Extension of Business Process Model and Notation for Security Risk Management. International Journal of Information System Modeling and Design (IJISMD), 4 (4), 93−113.
Matulevičius, R.; Ahmed, N. (2013). Eliciting Security Requirements from the Business Process Using Security Risk-oriented Patterns. it - Information Technology, 55 (6), 225−230.10.1524/itit.2013.2002.
Accorsi, R.; Matulevičius, R. (2013). Workshop on Security in Business Processes – A workshop report. An International Journal on Enterprise Modelling and Information Systems Architecture, 8 (1), 75.
Accorsi, R.; Matulevicius, R. (2013). Joint Workshop on Security in Business Processes (SBP 2012). In: La Rosa, M.; Soffer, P. (Ed.). Lecture Notes in Business Information Processing (623−724).. Springer Heidelberg. (Business Process Management Workshops, BPM 2012 International Workshops, Revised Papers).10.1007/978-3-642-36285-9.
Soomro, Inam; Ahmed, Naved (2013). Towards Security Risk-Oriented Misuse Cases. Business Process Management Workshops, Springer Berlin Heidelberg, 132 (132), 689−700.10.1007/978-3-642-36285-9_68.
Ahmed, N.; Matulevičius, R. (2013). A Taxonomy for Assessing Security in Business Process Modelling. 2013 IEEE Seventh International Conference on Research Challenges in Information Science (RCIS): 2013 IEEE Seventh International Conference on Research Challenges in Information Science (RCIS). IEEE,.10.1109/RCIS.2013.6577700.
Ahmed, N.; Matulevičius, R. (2013). Securing Business Processes using Security Risk-oriented Patterns. Computer Standards and Interfaces, 12.10.1016/j.csi.2013.12.007 [ilmumas].
Accorsi, R.; Matulevičius, R. (2013). Second Workshop on Security in Business Processes: a workshop report. An International Journal on Enterprise Modelling and Information Systems Architecture, 8 (2), 104−106.
Matulevicius, R. (2012). Comparing Modelling Languages for Information Systems Security Risk Management. In: Seyff, N.; Koziolek, A. (Ed.). Modelling and Quality in Requirements Engineering (197−210).. Verlagshaus Monsenstein und Vannerdat. (Essays Dedicated to Martin Glinz on the Occasion of His 60th Birthday).
Ahmed, Naved; Matulevičius, Raimundas (2014). SREBP: Security Requirement Elicitation from Business Processes. 1138: 20th International Working Conference on Requirements Engineering: Foundation for Software Quality (REFSQ 2014). 145−146. (CEUR workshop proceedings).
Opdahl, Andreas L.; Berio, Giuseppe; Harzallah, Mounira; Matulevičius, Raimundas (2012). Ontology for Enterprise and Information Systems Modelling. Applied Ontology, 7 (1), 49−92.10.3233/AO-2011-0101.
Matulevičius, R.; Mouratidis, H.; Mayer, N.; Dubois, E.; Heymans, P. (2012). Syntactic and Semantic Extensions to Secure Tropos to Support Security Risk Management. Journal of Universal Computer Science, 18 (6), 816−844.
Karpati, P.; Sindre, G.; Matulevicius, R. (2012). Comparing Misuse Case and Mal-Activity Diagrams for Modelling Social Engineering Attacks. International Journal of Secure Software Engineering (IJSSE), 3 (2), 54−73.10.4018/jsse.2012040103.
Chowdhury, M. J. M.; Matulevičius, R.; Sindre, G.; Karpati, P. (2012). Aligning Mal-activity Diagrams and Security Risk Management for Security Requirements Definitions. In: Regnell B.; Damian D. (Ed.). Requirements Engineering: Foundation for Software Quality 18th International Working Conference, REFSQ 2012 (132−139).. Springer Heidelberg. (Lecture Notes in Computer Science).10.1007/978-3-642-28714-5_11.
Altuhhova, O.; Matulevičius, R.; Ahmed, N. (2012). Towards Definition of Secure Business Process. Lecture Notes in Business Information Research, 112: CAiSE 2012 International Workshops, Workshop on Information Systems Security Engineering. Ed. Bajec, M.; Eder, J. Springer Heidelberg, 1−15. (Lecture Notes in Business Information Research).10.1007/978-3-642-31069-0.
Ahmed, N.; Matulevicius, R.; Khan, N. H. (2012). Eliciting Security Requirements for Business Processes using Patterns. In: Rosado, D. G.; Crespo, L. E. S.; Blanco, C.; Jurjens, J. (Ed.). Security in Information Systems (49−58). SciTePress. (Proceedings of WOSIS 2012, 9th International Workshop on Security in Information Systems, in conjunction with ICEIS 2012).
Ahmed, N.; Matulevičius, R. (2011). Towards Transformation Guidelines from Secure Tropos to Misuse Cases (position paper). Proceeding of the 7th international workshop on Software engineering for secure systems. Ed. Jürjens, J.; Lee S-W.; Monga M. New York, NY, USA: ACM, 36−42.10.1145/1988630.1988638.
Ahmed, N.; Matulevičius, R.; Mouratidis, H. (2012). A Model Transformation from Misuse Cases to Secure Tropos. In: Kirikova, M.; Stirna, J. (Ed.). Proceedings of the CAiSE'12 Forum (7−14).. CEUR-WS.org. (CEUR workshop proceedings).
Matulevičius, R.; Sindre, G. (2011). 1st International Workshop on Alignment of Business Process and Security Modelling (ABPSM 2011). Local Proceedings of the 10th International Conference, BIR 2011, Associated Workshops and Doctorial Consortium. JUMI Publishing House Ltd.MI, 97−170.
Ahmed, N.; Matulevičius, R. (2011). A Template of Security Risk Patterns for Business Processes. Local Proceedings of the 10th International Conference BIR2011, Associated Workshops and Doctoral Consortium: BIR 2011 : 10th International Conference on Perspectives in Business Informatics Research; Riga, Latvia; Oct 6, 2011 - Oct 8, 2011. Riga, Latvia: JUMI Publishing House Ltd, 123−130.
Matulevičius, R.; Sindre, G. (2012). First International Workshop on Alignment of Business Process and Security Modeling (ABPSM 2011). In: Niedrite, L.; Strazdina, R.; Wangler, B. (Ed.). Workshops on Business Informatics Research, BIR 2011 International Workshops and Doctoral Consortium Riga, Latvia, October 6, 2011 Revised Selected Papers (51−89).. Springer Heidelberg. (Lecture Notes in Business Information Processing).10.1007/978-3-642-29231-6.
Ahmed, N.; Matulevičius, R. (2014). Securing Business Processes using Security Risk-oriented Patterns. Computer Standards and Interfaces, 36 (4), 723−733.10.1016/j.csi.2013.12.007.
Juhendamised
Juhendamised
Olga Altuhhova, magistrikraad, 2013, (juh) Raimundas Matulevicius, An Extension of Business Process Model and Notation for Security Risk Management (Modelleerimiskeele laienduste väljatöötamine turvalisuse riskide juhtimiskeks äriprotsesside analüüsimisel), Tartu Ülikool.
Anastasiia Onchukova, magistrikraad, 2013, (juh) Raimundas Matulevicius, Security Risk Management using Misuse Cases and Mal-activities (Turvalisuse riskihaldus kasutades väärkasutamise juhtumeid ja pahatahtliku tegevuse diagramme), Tartu Ülikool.
Naiad Hossain Khan, magistrikraad, 2012, (juh) Raimundas Matulevicius; Naved Ahmed, A Pattern-Based Development of Secure Business Processes (Turvaliste äriprotsesside mustritel põhinev arendamine), Tartu Ülikool.
Inam Ullah Soomro, magistrikraad, 2012, (juh) Raimundas Matulevicius, Alignment of Misuse Cases to ISSRM (Väärkasutusjuhtude paigutamine ISSRM mudelisse), Tartu Ülikool.
Yenal Turan, magistrikraad, 2012, (juh) Raimundas Matulevicius, Extension and Application of Event- driven Process Chain for Information System Security Risk Management (Event-driven Process Chaini laiendused ja rakendus Infosüsteemi Turberiskihalduseks), Tartu Ülikool.
Mohammad Jabed Morshed Chowdhury, magistrikraad, 2011, (juh) Raimundas Matulevicius; Guttorm Sindre; Peter Karpati, Modeling Security Risks at the System Design Stage: Alignment of Mal-activity Diagrams and SecureUML to the ISSRM Domain Model (Turvariskide modelleerimine süsteemi disaini etapis. Secure UML-i vastavusse viimine ISSRM domeenimudeliga), Tartu Ülikool.