Fundamentals of Secure System Modelling Springer, 2017 Chapter 5: Security Risk-Oriented BPMN Raimundas Matulevičius University of Tartu, Estonia, rma@ut.ee Goal Explain how security risks are managed at the organisational business processes Understand how security risk management could be performed using business process model and notation 2
Outline Business process model and notation Security risk management using BPMN Abstract and Concrete syntax Semantics Example Further reading 3 Outline Business process model and notation Security risk management Abstract and Concrete syntax Semantics Example Further reading 4
Business Process Model and Notation 5 Business Process Model and Notation Approach What organisation needs to do to achieve their business objectives? Advantages Reasonably intuitive Explicit declaration of business activities, processes and sub-processes Disadvantages Captures only a dynamic picture Not focussed on the business support by technology 6
Outline Business process model and notation Security risk management Abstract and Concrete syntax Semantics Example Further reading 7 Abstract and Concrete syntax Concept classification 8
Abstract and Concrete syntax Concept classification 9 Abstract and Concrete syntax Concept classification 10
Abstract and Concrete syntax Concept classification 11 Abstract and Concrete syntax Concept classification 12
Abstract and Concrete syntax Concept classification 13 Abstract and Concrete syntax Concept classification 14
Abstract and Concrete syntax Concept classification 15 Abstract and Concrete syntax Relationships 16
Abstract and Concrete syntax Relationships 17 Abstract and Concrete syntax Relationships 18
Abstract and Concrete syntax Relationships 19 Abstract and Concrete syntax Relationships 20
Abstract and Concrete syntax Relationships 21 Outline Business process model and notation Security risk management using BPMN Abstract and Concrete syntax Semantics Example Further reading 22
Asset-related concepts 23 Risk-related concepts 24
Risk treatment-related concepts 25 Outline Business process model and notation Security risk management using BPMN Abstract and Concrete syntax Semantics Example Further reading 26
Security risk management process 27 Asset identification // Security objectives determination 28 28
Risk Analysis 29 29 Risk Treatment Decisions Risk treatment decisions Avoiding risk Transferring risk Retaining risk Reducing risk Definition Decision not to be involved in, or to withdraw from a risk Sharing with another party the burden of loss for a risk Accepting the burden of loss from a risk Action to lessen the probability, negative consequences, or both, associated with a risk 30 30
Security Requirements Definition Security requirements - security solutions to mitigate the risks 31 If security requirements are unsatisfactory Revise the risk treatment step Revise all of the preceding steps 31 Control Selection and Implementation 32 32
Outline Business process model and notation Security risk management using BPMN Abstract and Concrete syntax Semantics Example Further reading 33 Further reading Risk handling [Marcinkowski and Kuciapski, 2012] Ø Risk, risk factor, occurrence probability and impact Ø Risk type and risk handler concepts Modelling of secure business processes through security requirements [Rodriguez et al., 2007] Ø Nonreputation, attack harm detection, integrity, privacy, access control, security role, and security permission Security constraints and security-specific user involvement [Mülle et al., 2011] Ø Security units are represented as structured text annotations 34
Further reading Enhancements towards trust modelling [Menzel et al, 2009] Ø Annotating trustworthy interactions, organisational trust, and security intensions Information assurance and security modelling capabilities [Cherdantseva et al., 2012] Compliance to restrict certain areas of a business process [Schleicher et al., 2010] Security and compliance requirements [Brucker et al., 2012] Ø Access control, separation of duty, binding of duty and need to know principles 35 Summary Business process model and notation Security risk management using BPMN Abstract and Concrete syntax Semantics Example Further reading 36