Resolving vulnerability identification errors using security requirements on business process models

Stefan Taubenberger (Computing Department, The Open University, Milton Keynes, UK)
Jan Jürjens (Department of Computer Science, Technical University Dortmund, Dortmund, Germany and Fraunhofer Institute for Software and Systems Engineering ISST, Dortmund, Germany)
Yijun Yu (Computing Department, The Open University, Milton Keynes, UK)
Bashar Nuseibeh (Lero – The Irish Software Engineering Research Centre; and Computing Department, University of Limerick, Limerick, Ireland and The Open University, Milton Keynes, UK)

Information Management & Computer Security

ISSN: 0968-5227

Article publication date: 12 July 2013

Abstract

Purpose

In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors – wrongly identified or unidentified vulnerabilities – can occur as uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively. This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models.

Design/methodology/approach

Business process models have been selected for use because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes with respect to their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with those of the proposed approach. The comparison is conducted both at three entities of an insurance company and through a controlled experiment within a survey of security professionals.

Findings

Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; this is not considered in current assessment methods.

Originality/value

It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.

Citation

Taubenberger, S., Jürjens, J., Yu, Y. and Nuseibeh, B. (2013), "Resolving vulnerability identification errors using security requirements on business process models", Information Management & Computer Security, Vol. 21 No. 3, pp. 202-223. https://doi.org/10.1108/IMCS-09-2012-0054

Publisher: Emerald Group Publishing Limited

Copyright © 2013, Emerald Group Publishing Limited