Motivating Scenario and Problem Statement

The scenario that motivates this work and which is used throughout this thesis is as follows. A multidisciplinary group of experts discuss IAS issues in a specific business process. The team includes experts with technical and non-technical, security and non-security backgrounds:

• Business expert (manager or business owner),

• IAS officer,

• Computer and network expert (system administrator),

• Legal adviser and

• Human Resources (HR-)expert.

The specialisation of the experts is described in Appendix A.1. Depending on the size of an organ-isation and the nature of business other experts may also be involved. The need for the involvement of a large number of experts with different backgrounds is rooted in the multi-disciplinary nature of the IAS domain as discussed in Chapter 2.

The team observes a model of a business process. The model is developed prior to the discussion usually by or with the involvement of a business expert. It is out of the scope of this thesis to

consider how the process may be improved in aspects other than security. The team discusses the IAS-related details and issues in the business process and suggest countermeasures required to overcome the issues. After the discussion and model security-annotating are completed, the approved security countermeasures and recommendations are recorded in an Information Security Policy Document in the form of security statements.

This thesis tackles two problems which arise in this scenario.

First, although the experts involved in the discussion have security-related knowledge, which is manifested by the existing research [24], there is no effective notation allowing them to express their diverse knowledge within business process models in an unambiguous way.

The lack of such notation prevents the effective communication between experts involved in the design of Secure Business Processes¹. The analysis of the existing extensions (Section 2.8) con-firms a need for a security modelling technique which embraces the complex and heterogeneous nature of the IAS domain.

Since for the experts involved in the IAS discussion security is not their primary responsibility, they have only limited time to familiarise themselves with a notation. Therefore, a notation must be easy-to-learn and easy-to-use. It is anticipated that it shall be possible to learn a notation dur-ing 30-60 minutes traindur-ing session. Ideally, an IAS modelldur-ing notation must be developed as an extension to an existing well-known business process modelling language because this will help to reduce learning time due to the fact that a large number of business and IS (and in some cases other domain experts as well) are usually familiar with business process modelling languages.

Business Process Model and Notation (BPMN) 2.0 is the de-facto industry standard business pro-cess modelling language and the first international standard in business propro-cess modelling. BPMN 2.0 allows modelling of cross-organisational collaborative business processes. Therefore, BPMN is the logical choice as the basis for the IAS modelling extension. The advantages of BPMN are further discussed in Chapter 5. A need for extending BPMN for security modelling is argued in our earlier work [26], where it is demonstrated that (1) the syntax of BPMN 2.0 is not sufficient for IAS modelling and (2) none of the existing security BPMN extensions represents IAS concepts consistently.

1Secure business process in this work refers to a business process annotated with security information [29].

Since a notation is destined for humans comprehension (and not for the automatic interpretations as it often is in the related work) its cognitive effectiveness² becomes highly critical. Graphi-cal annotations are better comprehended by humans [30, 31]. Therefore, an extension shall give preference to graphical annotations avoiding primarily machine-oriented text-based annotations.

Second, a multidisciplinary group requires an agreed-upon understanding of the IAS domain for an effective communication and meaningful annotations of business process models to take place.

The experts, whose involvement in security discussions and decision-making is beneficial, often have different perception of the IAS domain and its main concepts. This is confirmed by our experience and by the survey of IAS practitioners which was conducted as a part of this research project [32]. Therefore, prior to starting a discussion on IAS issues and the annotation of business process models, a multi-disciplinary team has to build an agreed-upon understanding of the IAS domain. Assuring a commonly agreed understanding of IAS in cross-organisational teams of experts, who represent the interests of different members of an information sharing community, is also critical as it is a stepping stone on the way to harmonising the approach to IAS between the organisations involved in information sharing. This agreed-upon understanding of the IAS domain and the terminology must be employed as a basis for the semantics of a modelling notation. An agreed understanding of the IAS domain may be expressed in the form of a conceptual model. The completeness and accuracy of the conceptual model which is used as the basis for the semantics of a notation ensures the ontological completeness of the notation.

In the search for a conceptual model of IAS, which is to be exploited as the foundation for the semantics of a security modelling notation, the existing conceptual models of IAS were exam-ined (Section 2.8) and the bases for the semantics of the existing security extensions for business process modelling languages were analysed (Section 5.4). Every examined model has some draw-backs and is not fully suitable for the purposes of this research project as in detail discussed in the above referenced sections of this thesis.

Finally, the problem addressed by this thesis may be summarised as follows:

There is a need for an easy-to-learn and easy-to-use graphical IAS modelling notation, which will be accessible by technical and non-technical, security and non-security experts alike. The semantics of a notation must be built upon a shared understanding of the IAS domain amongst the experts involved in the security discussion and decision-making.

2Cognitive effectiveness refers to the speed, ease and accuracy of the processing of a notation by people [30].