A Cross-Layer Security Analysis for Process-Aware Information Systems
Maria Leitner, Zhendong Ma, Stefanie Rinderle-Ma

TL;DR
This paper presents a methodology for comprehensive security analysis of Process-aware Information Systems, integrating business, technical, and human factors to identify vulnerabilities and improve overall security.
Contribution
It introduces a cross-layer security analysis approach that couples business, technical, and human aspects, including a methodology to track security interdependencies in PAIS.
Findings
Demonstrated applicability in a payment card industry scenario
Identified human-related vulnerabilities and threats
Supported holistic security assessment across layers
Abstract
Information security in Process-aware Information Systems (PAIS) relies on many factors, including the security of the business process and of the underlying system and technologies. Moreover, humans can be the weakest link that creates a pathway to vulnerabilities, or the worst enemy that compromises a well-defended system. Since a system is only as secure as its weakest link, information security can only be achieved in PAIS if all factors are secure. In this paper, we address two research questions: how to conduct a cross-layer security analysis that couples security concerns at the business process layer as well as at the technical layer; and how to include the human factor in the security analysis for the identification of human-oriented vulnerabilities and threats. We propose a methodology that supports the tracking of security interdependencies between functional, technical, and human aspects which…
Taxonomy
Topics: Information and Cyber Security · Business Process Modeling and Analysis · Information Technology Governance and Strategy
