Research Article

Automated threat modelling and risk analysis in e-Government using BPMN

Article: 2284645 | Received 11 Jul 2023, Accepted 14 Nov 2023, Published online: 02 Dec 2023

Abstract

Recent progress integrates security requirements into BPMN, enhancing its framework. Extensions aim to seamlessly embed security concepts, yet the inherent ambiguity of security terms may lead to misinterpretations and vulnerabilities. Unfortunately, many business process experts lack the expertise to accurately interpret and integrate vital security concepts. In this study, we present an innovative automated methodology tailored to assist business process experts in identifying security threats and conducting risk assessments, particularly in the context of e-Government processes. Our approach streamlines the process, requiring only a business specialist to annotate BPMN entities with high-level, non-security-related information. Based on these annotations, potential threats to the system can be automatically identified. To develop our methodology, we leverage the standard BPMN annotation mechanism. From the annotated BPMN, the methodology utilises the ENISA Threat Landscape knowledge base for threat identification and employs the OWASP Risk Rating Methodology for risk assessment. To demonstrate the effectiveness of our approach, we applied it to a straightforward case study within the e-Government domain. Through this example, we illustrate how our methodology can be employed to ensure compliance with the General Data Protection Regulation and meet the mandatory Data Protection Impact Assessment requirements.
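The pipeline the abstract describes, as an added illustration that is not the paper's code: a BPMN task carries a standard textAnnotation with non-security properties, each property is looked up in a threat catalogue, and each identified threat is rated with the OWASP Risk Rating Methodology. The `key=value; key=value` annotation syntax, the BPMN fragment and the threat catalogue with its factor scores are constructed assumptions; the catalogue stands in for the ENISA Threat Landscape lookup and is not its content.

```python
import xml.etree.ElementTree as ET
B = "{http://www.omg.org/spec/BPMN/20100524/MODEL}"  # BPMN 2.0 model namespace

# Constructed BPMN fragment (not from the paper): one task annotated with
# high-level, non-security properties via the standard textAnnotation mechanism.
BPMN = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL">
 <process id="p1">
  <task id="t1" name="Submit tax return"/>
  <textAnnotation id="a1"><text>data=personal; channel=internet</text></textAnnotation>
  <association id="as1" sourceRef="a1" targetRef="t1"/>
 </process>
</definitions>"""

# Hypothetical threat catalogue keyed by annotation (stands in for the ENISA lookup). Each
# entry: eight OWASP likelihood factors (threat agent + vulnerability), four impact factors, 0-9.
THREATS = {
    ("channel", "internet"): ("Interception of data in transit",
                              [5, 4, 9, 9, 7, 5, 6, 8], [7, 3, 1, 5]),
    ("data", "personal"): ("Unauthorised disclosure of personal data",
                           [3, 4, 4, 6, 3, 3, 6, 8], [9, 1, 1, 7]),
}

def owasp_level(scores):
    # OWASP Risk Rating: average the factors, bucket as 0-<3 LOW, 3-<6 MEDIUM, 6-9 HIGH
    avg = sum(scores) / len(scores)
    return "LOW" if avg < 3 else "MEDIUM" if avg < 6 else "HIGH"

def owasp_severity(likelihood, impact):
    # Overall severity from the OWASP likelihood (columns) x impact (rows) matrix
    rank = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
    matrix = [["Note", "Low", "Medium"],        # impact LOW
              ["Low", "Medium", "High"],        # impact MEDIUM
              ["Medium", "High", "Critical"]]   # impact HIGH
    return matrix[rank[impact]][rank[likelihood]]

def assess(bpmn_xml):
    # Follow each association from annotation to task, parse the assumed
    # 'key=value; key=value' syntax, and rate every matching threat.
    root = ET.fromstring(bpmn_xml)
    notes = {a.get("id"): a.findtext(f"{B}text", "") for a in root.iter(f"{B}textAnnotation")}
    tasks = {t.get("id"): t.get("name") for t in root.iter(f"{B}task")}
    report = {}
    for assoc in root.iter(f"{B}association"):
        task = tasks.get(assoc.get("targetRef"))
        for part in notes.get(assoc.get("sourceRef"), "").split(";"):
            pair = tuple(s.strip() for s in part.split("=", 1))
            if task and pair in THREATS:
                name, lik, imp = THREATS[pair]
                report.setdefault(task, []).append(
                    (name, owasp_severity(owasp_level(lik), owasp_level(imp))))
    return report
```

Calling `assess(BPMN)` yields, per task, the identified threats with their overall severity, which is the input a Data Protection Impact Assessment would record for processing steps that handle personal data.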

Acknowledgements

This work received partial support from the University of Campania through the VALERE 2020 programme under the project SSeCeGOV, as well as from the Cleopatra Project funded by the University of Campania "Luigi Vanvitelli" under the VALERE 2019 research programme.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Notes

2 Access can be requested from the authors.

5 This information cannot be recorded as an annotation because it refers to the full system and not to a single task, data object and/or process.

6 2018 reform of EU data protection rules.

9 The full report is available on request.

Additional information

Funding

This work has been partially supported by RASTA project funded by the Italian Ministry of Research PNR 2015-2020 under Grant [number ARS01-00540]; Cleopatra under Grant [number B68D19001880005]; and SSeCeGOV under Grant [number B68D19001880005].