{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2022,3,30]],"date-time":"2022-03-30T08:09:00Z","timestamp":1648627740296},"reference-count":32,"publisher":"IGI Global","issue":"2","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2013,4]]},"abstract":"<jats:p>The Business Process Modeling Notation (BPMN) has become a popular standard for expressing high level business processes as well as technical specifications for software systems. However, the specification does not contain native support to express security information, which should not be overlooked in today\u2019s world where every organization is exposed to threats and has assets to protect. Although a substantial amount of work enhancing BPMN 1.x with security related information already exists, the opportunities provided by version 2.0 have not received much attention in the security community so far. This paper gives an overview of security in BPMN and investigates several possibilities of representing threats in BPMN 2.0, in particular for design-time specification and runtime execution of composite services with dynamic behavior. Enriching BPMN with threat information enables a process-centric threat modeling approach that complements risk assessment and attack scenarios. We have included examples showing the use of error events, escalation events and text annotations for process, collaboration, choreography and conversation diagrams.<\/jats:p>","DOI":"10.4018\/jsse.2013040101","type":"journal-article","created":{"date-parts":[[2013,6,20]],"date-time":"2013-06-20T16:12:14Z","timestamp":1371744734000},"page":"1-18","source":"Crossref","is-referenced-by-count":1,"title":["Threat Representation Methods for Composite Service Process Models"],"prefix":"10.4018","volume":"4","author":[{"given":"Per H\u00e5kon","family":"Meland","sequence":"first","affiliation":[{"name":"Software Engineering, Safety and Security, SINTEF ICT, Trondheim, Norway"}]},{"given":"Erlend Andreas","family":"Gj\u00e6re","sequence":"additional","affiliation":[{"name":"Software Engineering, Safety and Security, SINTEF ICT, Trondheim, Norway"}]}],"member":"2432","reference":[{"key":"jsse.2013040101-0","unstructured":"Activiti. (2012). Activiti BPM platform. Retrieved August, 2012, from http:\/\/www.activiti.org\/"},{"key":"jsse.2013040101-1","unstructured":"Allweyer, T. (2010). BPMN 2.0 Introduction to the standard for business process modeling: BoD."},{"key":"jsse.2013040101-2","unstructured":"Altuhhova, O., & Matulevi\u010dius, R. (2011). Eliciting security requirements through security risk management using business process model notations. In Proceedings of the LNBIP Workshop, CAiSE 2012."},{"key":"jsse.2013040101-3","unstructured":"Aniketos. (2011). Deliverable 4.1: Methods and design for the response to changes and threats. European Community\u2019s Seventh Framework Programme. Retrieved January, 2013, from http:\/\/www.aniketos.eu\/"},{"key":"jsse.2013040101-4","doi-asserted-by":"crossref","unstructured":"Ciuciu, I., Zhao, G., Mulle, J., Stackelberg, S. v., Vasquez, C., & Haberecht, T. \u2026 Bohm, K. (2011). Semantic support for security-annotated business process models. In Proceedings of the 12th International Conference (BPMDS 2011) London, UK.","DOI":"10.1007\/978-3-642-21759-3_21"},{"key":"jsse.2013040101-5","doi-asserted-by":"publisher","DOI":"10.1147\/JRD.2010.2045777"},{"key":"jsse.2013040101-6","doi-asserted-by":"crossref","unstructured":"Genon, N., Heymans, P., & Amyot, D. (2011). Analysing the cognitive effectiveness of the BPMN 2.0 visual notation. Software Language Engineering, 377-396.","DOI":"10.1007\/978-3-642-19440-5_25"},{"key":"jsse.2013040101-7","doi-asserted-by":"publisher","DOI":"10.1016\/S0007-6813(05)80064-3"},{"key":"jsse.2013040101-8","author":"S.Hernan","year":"2006","journal-title":"Uncover Security Design Flaws Using the STRIDE Approach"},{"key":"jsse.2013040101-9","doi-asserted-by":"crossref","unstructured":"Kim, A., Kang, M., Meadows, C., Ioup, E., & Sample, J. (2009). A framework for automatic web service composition.","DOI":"10.21236\/ADA499917"},{"key":"jsse.2013040101-10","author":"M. S.Lund","year":"2010","journal-title":"Model-driven risk analysis: The CORAS approach"},{"key":"jsse.2013040101-11","doi-asserted-by":"crossref","unstructured":"Meland, P. H., Guerenabarrena, J. B., & Llewellyn-Jones, D. (2011). The challenges of secure and trustworthy service composition in the Future Internet. In Proceedings of the 2011 6th International Conference on System of Systems Engineering (SoSE).","DOI":"10.1109\/SYSOSE.2011.5966619"},{"key":"jsse.2013040101-12","doi-asserted-by":"crossref","unstructured":"Menzel, M., Thomas, I., & Meinel, C. (2009). Security requirements specification in service-oriented business process management. In Proceedings of the International Conference on Availability, Reliability and Security, 2009. (ARES '09).","DOI":"10.1109\/ARES.2009.90"},{"key":"jsse.2013040101-13","doi-asserted-by":"publisher","DOI":"10.1145\/997150.997156"},{"key":"jsse.2013040101-14","doi-asserted-by":"crossref","unstructured":"Monakova, G., Brucker, A. D., & Schaad, A. (2012). Security and safety of assets in business processes. In Proceedings of the ACM Symposium on Applied Computing (SAC), New York, NY.","DOI":"10.1145\/2245276.2232045"},{"key":"jsse.2013040101-15","doi-asserted-by":"publisher","DOI":"10.1109\/TSE.2009.67"},{"key":"jsse.2013040101-16","doi-asserted-by":"crossref","unstructured":"M\u00fclle, J., Stackelberg, S. v., & B\u00f6hm, K. (2011). Modelling and transforming security constraints in privacy-aware business processes. In Proceedings of the IEEE International Conference on Service Oriented Computing and Applications (SOCA 2011).","DOI":"10.1109\/SOCA.2011.6166257"},{"key":"jsse.2013040101-17","first-page":"20899","year":"2006","journal-title":"FIPS publication 200: Minimum security requirements for federal information and information systems"},{"key":"jsse.2013040101-18","unstructured":"OMG. (2011). Business process model and notation (BPMN) Version 2.0. Retrieved January, 2013, from http:\/\/www.omg.org\/spec\/BPMN\/"},{"key":"jsse.2013040101-19","unstructured":"Paja, E., Giorgini, P., Paul, S., & Meland, P. H. (2011). Security requirements engineering for business processes. In Proceedings of the First International Workshop on Alignment of Business Process and Security Modelling (ABPSM 2011)."},{"key":"jsse.2013040101-20","unstructured":"Pavlovski, C. J., & Zou, J. (2008). Non-functional requirements in business process modeling. In Proceedings of the Fifth Asia-Pacific Conference on Conceptual Modelling (Vol. 79)."},{"issue":"3","key":"jsse.2013040101-21","first-page":"1","article-title":"BPMN modeling \u2013 Who, where, how and why.","volume":"5","author":"J. C.Recker","year":"2008","journal-title":"BPTrends"},{"issue":"4","key":"jsse.2013040101-22","first-page":"745","article-title":"A BPMN extension for the modeling of security requirements in business processes","volume":"E90-D","author":"A.Rodriguez","year":"2007","journal-title":"IEICE Transactions on Information and Systems"},{"key":"jsse.2013040101-23","doi-asserted-by":"crossref","unstructured":"Schaffner, J., & Meyer, H. (2006). Mixed initiative use cases for semi-automated service composition: a survey. In Proceedings of the 2006 International Workshop on Service-Oriented Software Engineering.","DOI":"10.1145\/1138486.1138489"},{"key":"jsse.2013040101-24","unstructured":"Shostack, A. (2008). Experiences threat modeling at microsoft. In Proceedings of the Modeling Security Workshop (Models'08). Retrieved from http:\/\/blogs.msdn.com\/b\/sdl\/archive\/2008\/10\/08\/experiences-threat-modeling-at-microsoft.aspx"},{"key":"jsse.2013040101-25","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-004-0194-4"},{"key":"jsse.2013040101-26","doi-asserted-by":"crossref","unstructured":"Varela-Vaca, A. J., Gasca, R. M., & Jimenez-Ramirez, A. (2011). A model-driven engineering approach with diagnosis of non-conformance of security objectives in business process models. In Proceedings of the 2011 Fifth International Conference on Research Challenges in Information Science (RCIS).","DOI":"10.1109\/RCIS.2011.6006844"},{"key":"jsse.2013040101-27","doi-asserted-by":"publisher","DOI":"10.1111\/j.1365-2575.1993.tb00127.x"},{"key":"jsse.2013040101-28","unstructured":"White, S. A. (2004). Introduction to BPMN. Retrieved January, 2013, from http:\/\/www.bpmn.org\/Documents\/Introduction%20to%20BPMN.pdf"},{"key":"jsse.2013040101-29","doi-asserted-by":"publisher","DOI":"10.1016\/j.sysarc.2008.10.002"},{"key":"jsse.2013040101-30","doi-asserted-by":"crossref","unstructured":"zur Muehlen, M., & Ho, D. T. (2008). Service process innovation: A case study of BPMN in practice. In Proceedings of the 41st Annual Hawaii International Conference on System Sciences.","DOI":"10.1109\/HICSS.2008.388"},{"key":"jsse.2013040101-31","doi-asserted-by":"crossref","unstructured":"zur Muehlen, M., & Recker, J. (2008). How much language is enough? Theoretical and practical use of the business process modeling notation. In Proceedings of the 20th International Conference on Advanced Information Systems Engineering (CAiSE '08).","DOI":"10.1007\/978-3-540-69534-9_35"}],"container-title":["International Journal of Secure Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.igi-global.com\/viewtitle.aspx?TitleId=77914","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2019,7,15]],"date-time":"2019-07-15T23:33:26Z","timestamp":1563233606000},"score":1,"resource":{"primary":{"URL":"http:\/\/services.igi-global.com\/resolvedoi\/resolve.aspx?doi=10.4018\/jsse.2013040101"}},"subtitle":[""],"short-title":[],"issued":{"date-parts":[[2013,4]]},"references-count":32,"journal-issue":{"issue":"2"},"URL":"https:\/\/doi.org\/10.4018\/jsse.2013040101","relation":{},"ISSN":["1947-3036","1947-3044"],"issn-type":[{"value":"1947-3036","type":"print"},{"value":"1947-3044","type":"electronic"}],"subject":[],"published":{"date-parts":[[2013,4]]}}}
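The abstract above says the paper represents threats in BPMN 2.0 with error events, escalation events and text annotations. The following Python is an added illustration of that idea and is not code from the paper, from the authors or from this Crossref record: it emits a minimal BPMN 2.0 process in which one task carries an interrupting error boundary event (threat that aborts the activity) and a non-interrupting escalation boundary event (threat that is signalled while the activity continues), each linked by an association to a text annotation describing the threat, and then reads those threats back out of the XML. Element and attribute names follow the BPMN 2.0 schema (OMG namespace http://www.omg.org/spec/BPMN/20100524/MODEL); the ids, names, error/escalation codes and annotation texts are constructed for this example and do not come from the paper.

```python
"""Added example (not from the paper or the Crossref record): carry threat
information in a BPMN 2.0 process via error/escalation boundary events and
text annotations, then extract the threats again from the XML."""
import xml.etree.ElementTree as ET

BPMN = "http://www.omg.org/spec/BPMN/20100524/MODEL"   # BPMN 2.0 model namespace
NS = {"bpmn": BPMN}


def _el(parent, tag, **attrs):
    """Create a namespaced BPMN child element."""
    return ET.SubElement(parent, f"{{{BPMN}}}{tag}", attrs)


def build_threat_annotated_process() -> str:
    """Return BPMN 2.0 XML for a one-task process. All ids, names, codes and
    annotation texts below are constructed for this example."""
    ET.register_namespace("bpmn", BPMN)
    defs = ET.Element(f"{{{BPMN}}}definitions",
                      {"id": "defs_1", "targetNamespace": "http://example.org/threat-demo"})
    # Threats are declared once as reusable error / escalation definitions
    _el(defs, "error", id="err_tamper", name="Message tampering", errorCode="THREAT_TAMPERING")
    _el(defs, "escalation", id="esc_dos", name="Service flooding", escalationCode="THREAT_DOS")
    proc = _el(defs, "process", id="proc_1", isExecutable="false")
    _el(proc, "task", id="task_pay", name="Call payment service")
    # Interrupting error event: the task is abandoned when the threat materialises
    bev_err = _el(proc, "boundaryEvent", id="bev_err", attachedToRef="task_pay")
    _el(bev_err, "errorEventDefinition", errorRef="err_tamper")
    # Non-interrupting escalation: the task continues but the threat is signalled
    bev_esc = _el(proc, "boundaryEvent", id="bev_esc", attachedToRef="task_pay",
                  cancelActivity="false")
    _el(bev_esc, "escalationEventDefinition", escalationRef="esc_dos")
    # Free-text threat descriptions, linked to the events through associations
    for ann_id, target, text in [
        ("ann_1", "bev_err", "Threat: response altered in transit; verify service signature"),
        ("ann_2", "bev_esc", "Threat: request flooding; rate-limit and switch to backup provider"),
    ]:
        ann = _el(proc, "textAnnotation", id=ann_id)
        _el(ann, "text").text = text
        _el(proc, "association", id=f"assoc_{ann_id}", sourceRef=ann_id, targetRef=target)
    return ET.tostring(defs, encoding="unicode")


def extract_threats(xml_text: str) -> list[dict]:
    """Walk a BPMN 2.0 document and list every boundary event that carries an
    error or escalation definition, together with its associated annotations."""
    root = ET.fromstring(xml_text)
    codes = {}
    for e in root.iterfind("bpmn:error", NS):
        codes[e.get("id")] = ("error", e.get("errorCode"))
    for e in root.iterfind("bpmn:escalation", NS):
        codes[e.get("id")] = ("escalation", e.get("escalationCode"))
    threats = []
    for proc in root.iterfind("bpmn:process", NS):
        notes = {a.get("id"): a.findtext("bpmn:text", default="", namespaces=NS).strip()
                 for a in proc.iterfind("bpmn:textAnnotation", NS)}
        linked = {}                      # boundary event id -> [annotation ids]
        for a in proc.iterfind("bpmn:association", NS):
            linked.setdefault(a.get("targetRef"), []).append(a.get("sourceRef"))
        for bev in proc.iterfind("bpmn:boundaryEvent", NS):
            edef = bev.find("bpmn:errorEventDefinition", NS)
            sdef = bev.find("bpmn:escalationEventDefinition", NS)
            ref = (edef.get("errorRef") if edef is not None
                   else sdef.get("escalationRef") if sdef is not None else None)
            if ref is None:
                continue                 # timer/message/etc. boundary events are not threats here
            kind, code = codes.get(ref, ("unknown", None))
            threats.append({
                "task": bev.get("attachedToRef"),
                "kind": kind,
                "code": code,
                "interrupting": bev.get("cancelActivity", "true") == "true",
                "notes": [notes[n] for n in linked.get(bev.get("id"), []) if n in notes],
            })
    return threats


if __name__ == "__main__":
    for threat in extract_threats(build_threat_annotated_process()):
        print(threat)
```

The extractor only trusts what the model actually declares: a boundary event without an error or escalation definition is skipped, an `errorRef`/`escalationRef` that points nowhere is reported as `unknown`, and `cancelActivity` defaults to `true` as in the BPMN 2.0 schema, so an interrupting threat is never misread as non-interrupting because the attribute was omitted.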