Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes

Abstract

Systems development methodologies incorporate security requirements as an afterthought in the non-functional requirements of systems. The lack of appropriate access control on information exchange among business activities can leave organizations vulnerable to information assurance threats. The gap between systems development and systems security leads to software development efforts that lack an understanding of security risks. We address the research question: how can we incorporate security as a functional requirement in the analysis and modeling of business processes? This study extends the Semantic approach to Secure Collaborative Inter-Organizational eBusiness Processes in D'Aubeterre et al. (2008). In this study, we develop the secure activity resource coordination (SARC) artifact for a real-world business process. We show how SARC can be used to create business process models characterized by the secure exchange of information within and across organizational boundaries. We present an empirical evaluation of the SARC artifact against the Enriched-Use Case (Siponen et al., 2006) and standard UML-Activity Diagram to demonstrate the utility of the proposed design method.

Keywords:

• secure business process
• role-based access control
• activity–resource coordination
• security awareness
• secure systems design

Acknowledgements

We would like to thank the anonymous reviewers and session participants at the 2008 International Conference on Design Science Research in Information Systems Technology (DESRIST) and 2007 International Conference on Information Systems (ICIS) for their constructive comments.

Additional information

Notes on contributors

Fergle D'Aubeterre

About the authors

Fergle D’Aubeterre is the Application Services and Architecture Team Leader at Flint Transfield Services Ltd (FT-SERVICES), Canada. He obtained his Ph.D. in Information Systems from The University of North Carolina at Greensboro and his M.B.A. from Central Michigan University. His research interests include electronic commerce, business processes, Semantic Web, IT security and privacy, and global IT management. He has published papers in journals such as Journal of the Association for Information Systems, Information Systems Journal, Electronic Government: An International Journal, International Journal of Electronic Commerce Research, Encyclopedia of E-Commerce, E-Government, and Mobile Commerce; the Proceedings of the International Conference on Information Systems, Proceedings of Americas Conference on Information Systems, Proceedings of Global Information Technology Management, Proceedings of the Design Science Research in Information Systems and Technology, and Proceedings of the Decision Sciences Institute.

Rahul Singh

Rahul Singh is an associate professor in the Department of Information Systems and Operations Management, Bryan School of Business and Economics at The University of North Carolina at Greensboro. He obtained his Ph.D. in Business from Virginia Commonwealth University. His research interests include semantic eBusiness, security of systems, secure business process design, knowledge management, intelligent agents, data mining, and machine learning. He is the Editor-In-Chief for the Journal of Information Science and Technology (JIST). He is a member of the editorial board for the International Journal of Semantic Web and Information Systems, International Journal for Intelligent Information Technologies, Journal of Information Technology Theory and Applications, and International Journal of Information Security and Privacy. His research work has been published in leading IS Journals including Journal of the Association for Information Systems, IEEE Transactions on Systems, Man and Cybernetics, Communications of the ACM, Information Systems Management, eService Journal, International Journal of Semantic Web and Information Systems, International Journal of Intelligent Information Technologies, Information Resources Management Journal, International Journal of Production Engineering, and Socio-Economic Planning Sciences.

Lakshmi Iyer

Lakshmi Iyer is an associate professor in the Information Systems and Operations Management Department at The University of North Carolina at Greensboro. She obtained her Ph.D. from the University of Georgia, Athens. Her research interests are in the area of e-business processes, e-commerce issues, IS privacy and security, intelligent agents, decision support systems, and knowledge management. Her research work has been published or accepted for publication in Journal of the Association for Information Systems, Communications of the ACM, eService Journal, Annals of OR, Decision Support Systems, Information Systems Management, International Journal of Semantic Web and Information Systems, Electronic Government, Journal of Global Information Technology Management, and others. She has served as a Guest Editor for Communications of the ACM and the Journal of Electronic Commerce Research. She is a Board member of Teradata University Network and AIS SIG on Semantic Web and Information Systems (SIGSEMIS) and serves on the editorial board for the International Journal of Information Security and Privacy.