Security Requirements Engineering for Secure Business Processes

Traditional approaches to business process modelling deal with security only after the business process has been defined, namely without considering security needs as input for the definition. This may require very costly corrections if new security issues are discovered. Moreover, security concerns are mainly considered at the system level without providing the rationale for their existence, that is, without taking into account the social or organizational perspective, which is essential for business processes related to considerably large organizations. In this paper, we introduce a framework for engineering secure business processes. We propose a security requirements engineering approach to model and analyze participants' objectives and interactions, and then derive from them a set of security requirements that are used to annotate business processes. We capture security requirements through the notion of social commitment, that is a promise with contractual validity between participants. We illustrate the framework by means of an Air Traffic Management scenario.