Characterizing diagnoses and systems
Artificial Intelligence
Basic Concepts and Taxonomy of Dependable and Secure Computing
IEEE Transactions on Dependable and Secure Computing
Integration of risk identification with business process models
Systems Engineering
Using WS-BPEL to Implement Software Fault Tolerance for Web Services
EUROMICRO '06 Proceedings of the 32nd EUROMICRO Conference on Software Engineering and Advanced Applications
Defining Secure Business Processes with Respect to Multiple Objectives
ARES '08 Proceedings of the 2008 Third International Conference on Availability, Reliability and Security
Specifying and Constructing a Fault-Tolerant Composite Service
ECOWS '08 Proceedings of the 2008 Sixth European Conference on Web Services
Model-driven business process security requirement specification
Journal of Systems Architecture: the EUROMICRO Journal
Requirements Variability Support Through MDA™ and Graph Transformation
Electronic Notes in Theoretical Computer Science (ENTCS)
Automated analysis of feature models 20 years later: A literature review
Information Systems
Security requirements engineering framework for software product lines
Information and Software Technology
Incorporating risk into business process models
IBM Journal of Research and Development
Security and performance in service-oriented applications: Trading off competing objectives
Decision Support Systems
Modelling risk and identifying countermeasure in organizations
CRITIS'06 Proceedings of the First international conference on Critical Information Infrastructures Security
Towards a UML 2.0 extension for the modeling of security requirements in business processes
TrustBus'06 Proceedings of the Third international conference on Trust, Privacy, and Security in Digital Business
Automated reasoning on feature models
CAiSE'05 Proceedings of the 17th international conference on Advanced Information Systems Engineering
Feature models, grammars, and propositional formulas
SPLC'05 Proceedings of the 9th international conference on Software Product Lines
| Hi-index | 0.00 |
Context: The use of Business Process Management Systems (BPMS) has emerged in the IT arena for the automation of business processes. In the majority of cases, the issue of security is overlooked by default in these systems, and hence the potential cost and consequences of the materialization of threats could produce catastrophic loss for organizations. Therefore, the early selection of security controls that mitigate risks is a real and important necessity. Nevertheless, there exists an enormous range of IT security controls and their configuration is a human, manual, time-consuming and error-prone task. Furthermore, configurations are carried out separately from the organization perspective and involve many security stakeholders. This separation makes difficult to ensure the effectiveness of the configuration with regard to organizational requirements. Objective: In this paper, we strive to provide security stakeholders with automated tools for the optimal selection of IT security configurations in accordance with a range of business process scenarios and organizational multi-criteria. Method: An approach based on feature model analysis and constraint programming techniques is presented, which enable the automated analysis and selection of optimal security configurations. Results: A catalogue of feature models is determined by analyzing typical IT security controls for BPMSs for the enforcement of the standard goals of security: integrity, confidentiality, availability, authorization, and authentication. These feature models have been implemented through constraint programs, and Constraint Programming techniques based on optimized and non-optimized searches are used to automate the selection and generation of configurations. In order to compare the results of the determination of configuration a comparative analysis is given. Conclusion: In this paper, we present innovative tools based on feature models, Constraint Programming and multi-objective techniques that enable the agile, adaptable and automatic selection and generation of security configurations in accordance with the needs of the organization.