Recent progress integrates security requirements into BPMN, enhancing its framework. Extensions aim to seamlessly embed security concepts, yet the inherent ambiguity of security terms may lead to misinterpretations and vulnerabilities. Unfortunately, many business process experts lack the expertise to accurately interpret and integrate vital security concepts. In this study, we present an innovative automated methodology tailored to assist business process experts in identifying security threats and conducting risk assessments, particularly in the context of e-Government processes. Our approach streamlines the process, requiring only a business specialist to annotate BPMN entities with high-level, non-security-related information. Based on these annotations, potential threats to the system can be automatically identified. To develop our methodology, we leverage the standard BPMN annotation mechanism. From the annotated BPMN, the methodology utilises the ENISA Threat Landscape knowledge base for threat identification and employs the OWASP Risk Rating Methodology for risk assessment. To demonstrate the effectiveness of our approach, we applied it to a straightforward case study within the e-Government domain. Through this example, we illustrate how our methodology can be employed to ensure compliance with the General Data Protection Regulation and meet the mandatory Data Protection Impact Assessment requirements.

Automated threat modelling and risk analysis in e-Government using BPMN / Granata, D.; Rak, M.; Salzillo, G.; Di Guida, G.; Petrillo, S.. - In: CONNECTION SCIENCE. - ISSN 0954-0091. - 35:1(2023). [10.1080/09540091.2023.2284645]

Automated threat modelling and risk analysis in e-Government using BPMN

Granata D.;Rak M.;
2023

Abstract

Recent progress integrates security requirements into BPMN, enhancing its framework. Extensions aim to seamlessly embed security concepts, yet the inherent ambiguity of security terms may lead to misinterpretations and vulnerabilities. Unfortunately, many business process experts lack the expertise to accurately interpret and integrate vital security concepts. In this study, we present an innovative automated methodology tailored to assist business process experts in identifying security threats and conducting risk assessments, particularly in the context of e-Government processes. Our approach streamlines the process, requiring only a business specialist to annotate BPMN entities with high-level, non-security-related information. Based on these annotations, potential threats to the system can be automatically identified. To develop our methodology, we leverage the standard BPMN annotation mechanism. From the annotated BPMN, the methodology utilises the ENISA Threat Landscape knowledge base for threat identification and employs the OWASP Risk Rating Methodology for risk assessment. To demonstrate the effectiveness of our approach, we applied it to a straightforward case study within the e-Government domain. Through this example, we illustrate how our methodology can be employed to ensure compliance with the General Data Protection Regulation and meet the mandatory Data Protection Impact Assessment requirements.
2023
Automated threat modelling and risk analysis in e-Government using BPMN / Granata, D.; Rak, M.; Salzillo, G.; Di Guida, G.; Petrillo, S.. - In: CONNECTION SCIENCE. - ISSN 0954-0091. - 35:1(2023). [10.1080/09540091.2023.2284645]
File in questo prodotto:
File Dimensione Formato  
Automated threat modelling and risk analysis in e-Government using BPMN.pdf

non disponibili

Licenza: Non specificato
Dimensione 2.84 MB
Formato Adobe PDF
2.84 MB Adobe PDF   Visualizza/Apri   Richiedi una copia

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11588/986084
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus ND
  • ???jsp.display-item.citation.isi??? ND
social impact