Abstract
Security risk management is an important part of system development. Given that a majority of modern organizations rely heavily on information systems, security plays a big part in ensuring the smooth operation of business processes. For example, many people rely on e-services offered by banks and medical establishments. Inadequate security measures in information systems have unwanted effects on an organization’s reputation and on people’s lives. This case study paper targets the secure system development problem by suggesting the application of security requirements elicitation from business processes (SREBP). This approach provides business analysts with means to elicit and introduce security requirements to business processes through the application of security risk-oriented patterns (SRPs). These patterns help find security risk occurrences in business processes and present mitigations for these risks. At the same time, they reduce the effort needed for risk analysis. In this paper, the authors report their experience in deriving security requirements for mitigating security risks in distributed airline turnaround systems.
Notes
Captured using check-in process description, such as: https://www.airbaltic.com/en/online check in conditions.
In comparison to SRP1, which defines permissions to execute system activities (i.e., functions, operations), the SRP5 pattern takes into account permissions and access control constraints defined regarding the access of the data storage (e.g., database and its separate tables). Such a security model defines the access policy and contributes to the monitoring controls for the data access.
Acknowledgements
This research was funded by the Estonia Research Council (Grant IUT20-55).
Additional information
Accepted after two revisions by the editors of the special issue.
About this article
Cite this article
Matulevičius, R., Norta, A. & Samarütel, S. Security Requirements Elicitation from Airline Turnaround Processes. Bus Inf Syst Eng 60, 3–20 (2018). https://doi.org/10.1007/s12599-018-0518-4
DOI: https://doi.org/10.1007/s12599-018-0518-4