Process-oriented Security Risk Analysis and Requirements Engineering
Cyber-Physical Security of Critical Processes for Crucial Functions in Society
Copenhagen, 02.05.2016
Raimundas Matulevičius
University of Tartu, Estonia
Domain Model for Security Risk Management
[Dubois et al., 2010]
Content
- Security Risk-aware BPMN
- Security Risk-oriented Patterns
- Business Processes and Compliance
Business Process Modelling
- Objective
  - What does an organisation need to do to achieve its business objectives?
- Advantages
  - Reasonably intuitive
  - Explicit declaration of business activities, processes and sub-processes
- Disadvantages
  - Captures only a dynamic picture
  - Not focused on the business support by technology
Business Process Model and Notation
Asset Identification and Security Objective Determination
Risk Analysis and Assessment
Security Requirements Definition
Security Risk-aware BPMN
[Altuhhova et al., 2013]
Security Patterns
- A security pattern describes
  - a particular recurring security problem
  - that arises in a specific security context
  - and presents a well-proven generic scheme for a security solution
- Codifies security knowledge in a structured and understandable way
- Presentation is familiar to the audience
- Proven solutions improve the integration of security into enterprises where needed
[Schumacher et al., 2006]
Security Risk-oriented Patterns
- SRP1: Secure data from unauthorized access
- SRP2: Secure data transmitted between business entities
- SRP3: Secure business activity after data is submitted
- SRP4: Secure business services against denial of service attacks
- SRP5: Secure data stored in / retrieved from the data store
[Ahmed and Matulevičius, 2014]
Business Process and Compliance
- Business process management
  - Instrument to manage enterprise activities
  - Ensures consistent outcomes to bring value to customers
- Compliance
  - A set of activities an organisation performs to ensure that its core business does not violate the regulations
    - ISO/IEC 27001, NIST SP 800-39, Basel III, IT-Grundschutz, ISKE, etc.
ISO/IEC 27001:2013
- Requirements for managing an organisation's sensitive information
  - risk management
  - risk assessment
  - risk treatment means
- Guidance on understanding
  - Organisation's context
  - Leadership
  - Planning
  - Operation performance
  - Physical access
  - …
- Checklist of objectives and controls
Achieving business process compliance with regulations remains a rather labour-intensive activity.
Procedure: Check compliance -> Apply SRPs -> Check compliance again -> Compare results
[Alaküla and Matulevičius, 2015]
Insurance Brokerage System
Insurance Brokerage System: Accept Offer
ISO/IEC 27001:2013
A.9.4.1 Information access restriction
- Access to information and application system functions shall be restricted in accordance with the access control policy.
A.13.2.1 Information transfer policies and procedures
- Formal transfer policies, procedures and controls shall be in place to protect the transfer of information through the use of all types of communication facilities.
Issues observed when applying these controls to a business process: abstract terminology; multiple requirements; not relevant requirements.
A.9.4.1 Information access restriction, refined to the Insurance Brokerage System:
(i) Access to Customer data, Relevant quotes, Offer status, and Selected quotes shall be restricted in accordance with the access control policy.
(ii) Access to Get customer contact data, Get relevant quotes, Email offer, Cancel offer, Register customer decision, and Register selected quotes shall be restricted in accordance with the access control policy.
Check Compliance
Identify Pattern Occurrences
Derive Security Model
1. Identify resource
2. Identify roles
3. (Assign users)
4. Identify secured operations
5. Assign permissions
SReq.1.1: Only Broker should update offer’s Customer data and Relevant quotes.
SReq.1.1.1: Broker should perform Get customer contact data.
SReq.1.1.2: Broker should perform Get relevant quotes.
SReq.1.2: Only Broker should read offer’s Offer status.
SReq.1.2.1: Broker should view Offer status after operation Email offer.
SReq.1.2.2: Broker should view Offer status after operation Cancel offer.
SReq.1.2.3: Broker should view Offer status after operation Register customer decision.
SReq.1.3: Customer should read offer’s Customer data and Relevant quotes after operation Email offer.
SReq.1.4: Only Customer should update offer’s Offer status and Selected quotes.
SReq.1.4.1: By performing Send response task, Customer should invoke Register customer decision.
SReq.1.4.2: By performing Send response task, Customer should invoke Register selected quotes if Offer status is “Accepted”.
Introduction of Security Constraints
Check Compliance Again
A.13.2.1 Information transfer policies and procedures, refined to the Insurance Brokerage System:
(i) Formal transfer policies shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(ii) Formal transfer procedures shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
(iii) Formal transfer controls shall be in place to protect the transfer of Offer request, Offer, Request email offer, Offer status, and Decision on offer through the use of all types of communication facilities.
Lessons Learnt
- Patterns could systematically guide the compliance manager to achieve compliance
- Future Work
  - Patterns do not deal with
    - (physical) human resource security, media handling, physical and environmental security, equipment and other
Process-oriented Security Risk Analysis and Requirements Engineering
- Security Risk-aware BPMN
- Security Risk-oriented Patterns
- Business Processes and Compliance
Limitations
- Formal compliance checking is not performed
- Future work
- Business process model is not enriched with security-related activities
Compliance checking: “a relationship between the formal representation of a business model and the formal representation of a relevant regulation”
[Governatori and Shek, 2012]
[Sadiq and Governatori, 2015]