The Need for Compliance Verification in Collaborative Business Processes

Compliance constrains processes to adhere to rules, standards, laws and regulations. Non-compliance subjects enterprises to litigation and financial fines. Collaborative business processes cross organizational and regional borders implying that internal and cross regional regulations must be complied with. To protect customs’ data, European enterprises must comply with the EU data privacy regulation (general data protection regulation - GDPR) and each member state’s data protection laws. An example of non-compliance with GDPR is Facebook, it is accused for breaching subscriber trust. Compliance verification is thus essential to deploy and implement collaborative business process systems. It ensures that processes are checked for conformance to compliance requirements throughout their life cycle. In this paper we take a proactive approach aiming to discuss the need for design time preventative compliance verification as opposed to after effect runtime detective approach. We use a real-world case to show how compliance needs to be analyzed and show the benefits of applying compliance check at the process design stag

The Need for Compliance Verification in Collaborative Business Processes

Compliance constrains processes to adhere to rules, standards, laws and regulations. Non-compliance subjects enterprises to litigation and financial fines. Collaborative business processes cross organizational and regional borders implying that internal and cross regional regulations must be complied with. To protect customs’ data, European enterprises must comply with the EU data privacy regulation (general data protection regulation - GDPR) and each member state’s data protection laws. An example of non-compliance with GDPR is Facebook, it is accused for breaching subscriber trust. Compliance verification is thus essential to deploy and implement collaborative business process systems. It ensures that processes are checked for conformance to compliance requirements throughout their life cycle. In this paper we take a proactive approach aiming to discuss the need for design time preventative compliance verification as opposed to after effect runtime detective approach. We use a real-world case to show how compliance needs to be analyzed and show the benefits of applying compliance check at the process design stag

From Secure Business Process Models to Secure Artifact-Centric Specifications

Making today's systems secure is an extremely difficult and challenging problem. Socio and technical issues interplay and contribute in creating vulnerabilities that cannot be easily prevented without a comprehensive engineering method. This paper presents a novel approach to support process-aware secure systems modeling and automated generation of secure artifact-centric implementations. It combines social and technical perspectives in developing secure complex systems. This work is the result of an academic and industrial collaboration, where SecBPMN2, a research prototype, has been integrated with SAP River, an industrial artifact-centric language

Verification and Compliance in Collaborative Processes

Evidently, COVID-19 has changed our lives and is likely to make a lasting impact on our economic development and our industry and services. With the ongoing process of digital transformation in industry and services, Collaborative Networks (CNs) is required to be more efficient, productive, flexible, resilient and sustainable according to change of situations and related rules applied afterwards. Although the CN area is relatively young, it requires the previous research to be extended, i.e. business process management from dealing with processes within a single organization into processes across different organizations. In this paper, we review current business process verification and compliance research. Different tools approaches and limitations of them are compared. The further research issues and potential solutions of business process verification and compliance check are discussed in the context of CNs

Verifying for Compliance to Data Constraints in Collaborative Business Processes.

Production processes are nowadays fragmented across different companies and organized in global collaborative networks. This is the result of the first wave of globalization that, among the various factors, was enabled by the diffusion of Internet-based Information and Communication Technologies (ICTs) at the beginning of the years 2000. The recent wave of new technologies possibly leading to the fourth industrial revolution – the so-called Industry 4.0 – is further multiplying opportunities. Accessing global customers opens great opportunities for organizations, including small and medium enterprises (SMEs), but it requires the ability to adapt to different requirements and conditions, volatile demand patterns and fast-changing technologies. Regardless of the industrial sector, the processes used in an organization must be compliant to rules, standards, laws and regulations. Non-compliance subjects enterprises to litigation and financial fines. Thus, compliance verification is a major concern, not only to keep pace with changing regulations but also to address the rising concerns of security, product and service quality and data privacy. The software, in particular process automation, used must be designed accordingly. In relation to process management, we propose a new way to pro-actively check the compliance of current running business processes using Descriptive Logic and Linear Temporal Logic to describe the constraints related to data. Related algorithms are presented to detect the potential violations

Impact map for designing secure socio-technical systems with cultural dimensions

This repository contains a table that specifies the detailed impact map for the identification of impacts of cultural dimensions on security requirements, for socio-technical systems. The impact map has been created analysing the semantic of each cub-cultural dimensions and each security requirements and using the experience of the authors as security experts and behavioural cyber psychologists. Some cells of the table are marked with the following symbols:~ “++”: a strong positive impact of the cultural dimensions to the security requirement. The cultural dimension will promote behaviours that enforce the security requirements. For example, high level of “UA” has a strong positive impact on the availability security requirement, since planning (behaviour associated with high levels of UA) will increase chances that a service/resource is fulfilled every time it is requested.~ “+”: a positive impact of the cultural dimension. The cultural dimension has a mild positive impact that may promote certain behaviours that help enforcement security requirements. It likely not promotes behaviours against the security requirements. For example, high levels of the “indulgence/restrained” dimension will help enforce confidentiality, since this dimension is associated with freedom of speech and speaking freely, therefore high values will encourage to accept constraints (that are derived from confidentiality requirements) that limit the information reveal to unauthorised people.~ “-”: a negative impact of the cultural dimension. The cultural dimension has a limited negative impact on the security requirements that may promote some behaviours that prevent the fulfilment of security requirements. For example, a high level of “Power distance” has a negative impact on confidentiality, since people that occupy the higher ranks of the hierarchy will not (or less) be subjected to rules allowing them to avoid following access control rules. ~ “- -”: a strong negative impact of the cultural dimension. In this case the cultural dimension will lead to behaviours that may create security breaches and violate the security requirements. For example, high level of collectivism has a negative impact on separation of duties since a strong group identity may lead to task sharing, a behaviour that directly violates the security requirements. Moreover, people might easily fall victim to social engineering attacks.If a cell is marked, a short rational behind the choice is provided. For cells that are not marked, no impact relation has been identified.THIS DATASET IS ARCHIVED AT DANS/EASY, BUT NOT ACCESSIBLE HERE. TO VIEW A LIST OF FILES AND ACCESS THE FILES IN THIS DATASET CLICK ON THE DOI-LINK ABOV

SecBPMN2BC evaluation

This repository contains two datasets. "Survey results" contains the raw and aggregated results of the empirical experiment and the survey completed by the subjects. "Case studies" contains the original diagrams of three case studies, defined using SecBPMN2, and the result diagram created using SecBPMN2BC modelling language. For each case study we provide a small description, the original diagram and the final result. Birth certificate This case study is about the release of a birth certificate by a municipality in a Greek city. The busines process is executed when a citizen applies for the creation of a copy of the birth certificate to the municipality. The municipality examines the request and release to the citizen its birth certificate. We slightly modified the business process by adding security and privity annotations and by correcting some incoherencies. Teleconsultation This case study is about a teleconsultation of a pediatric patient, i.e., an interview of a patient in a remote location. In particular, this is the case of a teleconsultation between an Italian and Spanish hospital. The family of the pediatric patient asks for the availability of the doctor that, if it is available, ask the consent to the pediatric patient. After that the doctor interviews the patient, consults his/her health record and give him a report. In this case we modify the business process adding few privity annotations, and correcting incoherencies. Televisit This case study is about a televisit, i.e., a visit of a pediatric patient by a specialized group, that is external to the patient’s hospital, in a remote location. The process starts with the pediatric patient that ask and sets and appointment. The hospital staff request the consent to the family, interviews the patient and ask for a consultation to an external specialized group. The group checks its availability, visits the patients and send a report to the hospital staff. The hospital staff compiles a final report that send to the pediatric patient. We slighthly modify the process adding privity annotations and security annotation where needed. We solved incoherencies and refined the consent management

Visual Privacy Management: Design and applications of a privacy-enabling platform - Evaluation Results

This dataset is used for the empirical evaluation Chapter of the Book "Visual Privacy Management: Design and applications of a privacy-enabling platform".The dataset is divided in three folders each of them is extensively described by a chapter in the book. The content of the dataset is partially in Italian but can be easily translated in English.THIS DATASET IS ARCHIVED AT DANS/EASY, BUT NOT ACCESSIBLE HERE. TO VIEW A LIST OF FILES AND ACCESS THE FILES IN THIS DATASET CLICK ON THE DOI-LINK ABOV

Efficient Data as a Service in Fog Computing: An Adaptive Multi-Agent Based Approach

Data as a Service (DaaS) offers an effective provisioning model able to exploit the advantages of cloud computing in terms of accessibility and scalability when data providers need to make their data available to different data consumers. Nevertheless, in settings where data are generated at the edge and they need to be propagated (e.g., Industry 4.0, Smart Cities), DaaS model suffers of some limitations: data transfer from the edge to the cloud – and viceversa – could require a significant time and privacy issues could hamper the possibility to move the data. Goal of this paper is to propose a DaaS model based on the Fog Computing paradigm, which combines the advantages of both cloud and edge computing. The proposed solution implements an adaptive multi-agent system where each agent autonomously manages the placement of data in the most convenient location considering the quality of service requirements of the user that it is serving. To guarantee the collaboration of the agents without imposing a centralized control, a reinforcement learning algorithm will be enacted to balance between the local optimum for the single data consumers and the satisfaction of the global requirements of all consumers

Which Security Requirements Engineering Methodology Should I Choose?: Towards a Requirements Engineering-based Evaluation Approach

International audienceSince many decades, requirements engineering domain has seen significant enhancements towards adapting the security and risk analysis concepts. In this regard, there exist numerous security requirements engineering methodologies that support elicitation and evaluation of the security requirements. However, selecting a security requirements engineering methodology (SRE) for a given context of use often depends on a set of ad hoc criteria. In this paper, we propose a methodological evaluation methodology that helps in identifying the characteristics of a good SRE methodology