{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:42:47Z","timestamp":1767339767574},"reference-count":36,"publisher":"IGI Global","issue":"4","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,10,1]]},"abstract":"<p>Business process modelling is one of the major aspects of modern information system development. Recently, Business Process Model and Notation (BPMN) has become a standard technique to support this activity. Typically, BPMN notation is used to understand an enterprise's business processes. However, limited work exists regarding how security concerns are addressed during the management of business processes. This is a problem, since both business processes and security should be understood in parallel to support the development of secure information systems. In previous work we analysed BPMN with respect to the domain model of information system security risk management (ISSRM) and showed how the language constructs can be aligned to the concepts of the ISSRM domain model. In this paper the authors propose BPMN extensions for security risk management based on the alignment of BPMN to the ISSRM concepts. We illustrate how the extended BPMN can express assets, risks and risk treatment on a few running examples related to an Internet store, concerning asset confidentiality, integrity and availability. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. The paper opens the possibility of interoperability between business and security models and of model transformation between several modelling approaches (if both are aligned to the ISSRM domain model).<\/p>","DOI":"10.4018\/ijismd.2013100105","type":"journal-article","created":{"date-parts":[[2014,3,13]],"date-time":"2014-03-13T15:10:52Z","timestamp":1394723452000},"page":"93-113","source":"Crossref","is-referenced-by-count":40,"title":["An Extension of Business Process Model and Notation for Security Risk Management"],"prefix":"10.4018","volume":"4","author":[{"given":"Olga","family":"Altuhhov","sequence":"first","affiliation":[{"name":"Institute of Computer Science, University of Tartu, Tartu, Estonia"}]},{"given":"Raimundas","family":"Matulevi\u010dius","sequence":"additional","affiliation":[{"name":"Institute of Computer Science, University of Tartu, Tartu, Estonia"}]},{"given":"Naved","family":"Ahmed","sequence":"additional","affiliation":[{"name":"Institute of Computer Science, University of Tartu, Tartu, Estonia"}]}],"member":"2432","reference":[{"key":"ijismd.2013100105-0","doi-asserted-by":"crossref","unstructured":"Ahmed, N., & Matulevi\u010dius, R. (2013, in press). Securing business processes using security risk-oriented patterns. Journal of Computer Standards & Interfaces. Elsevier.","DOI":"10.1524\/itit.2013.2002"},{"key":"ijismd.2013100105-1","unstructured":"Ahmed, N., Matulevi\u010dius, R., & Khan, N. H. (2012). Eliciting security requirements for business processes using patterns. In Proceedings of the 9th International Workshop on Security in Information Systems (pp. 49-58). SciTePress."},{"key":"ijismd.2013100105-2","doi-asserted-by":"crossref","DOI":"10.21236\/ADA634140","author":"C. J.Alberts","year":"2001","journal-title":"OCTAVE method implementation guide version 2.0"},{"key":"ijismd.2013100105-3","doi-asserted-by":"crossref","unstructured":"Altuhhova, O., Matulevi\u010dius, R., & Ahmed, N. (2012). Towards definition of secure business process. In M. Bajec & J. Eder (Eds.), Lecture Notes in Business Information Processing: CAiSE 2012 International Workshops, Workshop on Information Systems Security Engineering (pp. 1-15). Springer Heidelberg, LNBIP.","DOI":"10.1007\/978-3-642-31069-0_1"},{"key":"ijismd.2013100105-4","first-page":"19","article-title":"From trust to dependability through risk analysis.","volume":"2007","author":"Y.Asnar","year":"2007","journal-title":"Proceedings of ARES"},{"key":"ijismd.2013100105-5","unstructured":"AS\/NZS 4360. (2004). Risk management. SAI Global."},{"issue":"1","key":"ijismd.2013100105-6","doi-asserted-by":"crossref","first-page":"101","DOI":"10.1007\/s10550-007-0013-9","article-title":"Model-based security analysis in seven steps\u2014a guided tour to the CORAS method.","volume":"25","author":"F.Braber","year":"2007","journal-title":"BT Technology Journal"},{"key":"ijismd.2013100105-7","doi-asserted-by":"crossref","unstructured":"Cherdantseva, Y., Hilton, J., & Rana, O. (2012). Towards SecureBPMN \u2013 Aligning BPMN with the information assurance and security domain. In Proceedings of the 4th International Workshop, BPMN 2012 (pp. 107-115). Springer Heidelberg, LNBIP.","DOI":"10.1007\/978-3-642-33155-8_9"},{"key":"ijismd.2013100105-8","doi-asserted-by":"crossref","unstructured":"Chowdhury, M. J. M., Matulevi\u010dius, R., Sindre, G., & Karpati, P. (2012). Aligning mal-activity diagrams and security risk management for security requirements definitions. In Proceedings of REFSQ 2012 (pp. 135-139). Springer Heidelberg, LNCS 7195.","DOI":"10.1007\/978-3-642-28714-5_11"},{"key":"ijismd.2013100105-9","unstructured":"Common Criteria. (2005). Common criteria for information technology security evaluation, version 2.3, CCMB-2005-08-002. Retrieved March 7, 2013, from http:\/\/www.commoncriteriaportal.org\/"},{"key":"ijismd.2013100105-10","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1007\/978-3-642-12544-7_16","article-title":"A systematic approach to define the domain of information system security risk management","author":"E.Dubois","year":"2010","journal-title":"Intentional Perspectives on Information Systems Engineering"},{"key":"ijismd.2013100105-11","doi-asserted-by":"crossref","unstructured":"Firesmith, D. G. (2007). Engineering safety and security related requirements for software intensive systems. In Companion to the Proceedings of the 29th International Conference on Software Engineering (COMPANION '07) (p. 169). IEEE Computer Society.","DOI":"10.1109\/ICSECOMPANION.2007.35"},{"key":"ijismd.2013100105-12","doi-asserted-by":"crossref","unstructured":"Haley, C. B., Laney, R. C., Moffett, J. D., & Nuseibeh, B. (2008). Security requirements engineering: A framework for representation and analysis. IEEE Transactions on Software Engineering, 34, 133-153.","DOI":"10.1109\/TSE.2007.70754"},{"key":"ijismd.2013100105-13","doi-asserted-by":"crossref","unstructured":"Herrmann, A., Morali, A., Etalle, S., & Wieringa, R. (2012). Risk and business goal based security requirement and countermeasure prioritization. In Proceedings of the Selected Papers from Workshops and Doctoral Consortium of the 10th International Conference BIR 2011. Springer Heidelberg LNBIP.","DOI":"10.1007\/978-3-642-29231-6_6"},{"key":"ijismd.2013100105-14","unstructured":"ISO\/IEC Guide 73. (2002). Risk management - Vocabulary - Guidelines for use in standards. International Organization for Standardization, Geneva."},{"key":"ijismd.2013100105-15","author":"J.Jurjens","year":"2005","journal-title":"Secure systems development with UML"},{"key":"ijismd.2013100105-16","unstructured":"Khan, H. K. (2012). A pattern-based development of secure business processes. MSc thesis, University of Tartu."},{"issue":"7","key":"ijismd.2013100105-17","doi-asserted-by":"crossref","first-page":"1020","DOI":"10.1093\/comjnl\/bxp078","article-title":"Protection against denial of service attacks.","volume":"53","author":"G.Loukas","year":"2010","journal-title":"The Computer Journal"},{"key":"ijismd.2013100105-18","first-page":"1397","article-title":"Alignment of misuse cases with security risk management.","volume":"08","author":"R.Matulevi\u010dius","year":"2008","journal-title":"Proceedings of ARES"},{"key":"ijismd.2013100105-19","first-page":"541","article-title":"Adapting secure tropos for security risk management during early phases of the information systems development.","volume":"08","author":"R.Matulevi\u010dius","year":"2008","journal-title":"Proceedings of CAiSE"},{"issue":"6","key":"ijismd.2013100105-20","first-page":"816","article-title":"Syntactic and semantic extensions to secure tropos to support security risk management.","volume":"18","author":"R.Matulevi\u010dius","year":"2012","journal-title":"Journal of Universal Computer Science"},{"key":"ijismd.2013100105-21","unstructured":"Mayer, N. (2009). Model-based management of information system security risk. Doctoral Thesis. University of Namur."},{"key":"ijismd.2013100105-22","first-page":"41","article-title":"Security requirements specification in service-oriented business process management.","volume":"2009","author":"M.Menzel","year":"2009","journal-title":"Proceedings of ARES"},{"issue":"6","key":"ijismd.2013100105-23","doi-asserted-by":"crossref","first-page":"756","DOI":"10.1109\/TSE.2009.67","article-title":"The \u201cphysics\u201d of notations: Towards a scientific basis of constructing visual notations in software engineering.","volume":"35","author":"D.Moody","year":"2009","journal-title":"IEEE Transactions on Software Engineering"},{"key":"ijismd.2013100105-24","first-page":"9","article-title":"A security language for BPMN process models.","volume":"2011","author":"J.M\u00fclle","year":"2011","journal-title":"Karlsruhe Reports in Informatics"},{"key":"ijismd.2013100105-25","first-page":"277","author":"A. L.Opdahl","year":"2005","journal-title":"A unified modelling language without referential redundancy. Data and Knowledge Engineering (DKE)"},{"key":"ijismd.2013100105-26","doi-asserted-by":"crossref","unstructured":"Paja, E., Giorgini, P., Paul, S., & Meland, P. H. (2012). Security requirements engineering for secure business processes. In Proceedings of the Selected Papers from Workshops and Doctoral Consortium of the 10th International Conference BIR 2011. Springer Heidelberg LNBIP.","DOI":"10.1007\/978-3-642-29231-6_7"},{"key":"ijismd.2013100105-27","author":"M.Remco","year":"2007","journal-title":"Formal semantics and analysis of BPMN process models using petri nets. Journal Information and Software Technology"},{"key":"ijismd.2013100105-28","doi-asserted-by":"crossref","first-page":"745","DOI":"10.1093\/ietisy\/e90-d.4.745","article-title":"A BPMN extension for the modeling of security requirements in business processes.","volume":"4","author":"A.Rodr\u00edguez","year":"2007","journal-title":"Transactions on Information and Systems"},{"key":"ijismd.2013100105-29","doi-asserted-by":"crossref","unstructured":"Rodr\u00edguez, A., Fernandez-Medina, E., & Piattini, M. (2007b). Towards CIM to PIM transformation: From secure business processes defined in BPMN to use-cases. In Proceedings of the 5th International Conference on Business Process Management (pp. 408-415). Springer Heidelberg LNCS.","DOI":"10.1007\/978-3-540-75183-0_30"},{"key":"ijismd.2013100105-30","author":"B.Silver","year":"2009","journal-title":"BPMN method and style: A levels-based methodology for BPMN process modeling and improvement using BPMN 2.0"},{"key":"ijismd.2013100105-31","unstructured":"Soomro, I., & Ahmed, N. (2012). Towards security risk-oriented misuse cases. In Proceedings of the Business Process Management Workshops, BPM 2012 Workshops (pp. 673-684). Springer Heidelberg LNBIP."},{"key":"ijismd.2013100105-32","author":"G.Stoneburner","year":"2002","journal-title":"NIST special publication 800-30: Risk management guide for information technology systems"},{"key":"ijismd.2013100105-33","unstructured":"Trendowicz, A. (2005). Tutorial: CoBRA - Cost estimation, benchmarking and risk analysis method. Retrieved March 7, 2013, from http:\/\/www.dasma.org\/metrikon2005\/tutorial_cobra.pdf"},{"key":"ijismd.2013100105-34","doi-asserted-by":"crossref","first-page":"217","DOI":"10.1111\/j.1365-2575.1993.tb00127.x","article-title":"On the ontological expressiveness of information systems analysis and design grammars.","volume":"3","author":"Y.Wand","year":"1993","journal-title":"Journal of Information Systems"},{"key":"ijismd.2013100105-35","unstructured":"White, S. A. (2004). Introduction to BPMN, IBM. Retrieved March 7, 2013, from http:\/\/www.bpmn.org\/Documents\/Introduction_to_BPMN.pdf"}],"container-title":["International Journal of Information System Modeling and Design"],"original-title":[],"language":"ng","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=103319","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,6,1]],"date-time":"2022-06-01T19:22:55Z","timestamp":1654111375000},"score":1,"resource":{"primary":{"URL":"https:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/ijismd.2013100105"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2013,10,1]]},"references-count":36,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2013,10]]}},"URL":"https:\/\/doi.org\/10.4018\/ijismd.2013100105","relation":{},"ISSN":["1947-8186","1947-8194"],"issn-type":[{"value":"1947-8186","type":"print"},{"value":"1947-8194","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013,10,1]]}}}