Today's systems are socio-technical: they are composed of social (humans and organizations) and technical components that interact with one another to achieve objectives they cannot achieve on their own. Security is a central issue in socio-technical systems and cannot be tackled through technical mechanisms alone. Instead, it requires enforcing security policies over the procedures that specify how components of these systems operate and interact (i.e., business processes). The continuous evolution of socio-technical systems, to adapt to external changes, may result in business processes that do not enforce security. Thus, it is important to preserve security through a constant update of business processes and/or security policies, to avoid security issues that may result in loss of reputation or monetary sanctions. To this end, in this paper we propose a framework to assist security engineers in maintaining secure business processes during socio-technical systems evolution. The framework is composed of: (i) SecBPMN2-ml, a modeling language for business processes, (ii) SecBPMN2-Q, a modeling language for security policies, and (iii) a software engine that verifies if security policies are enforced in business processes. The framework is applied to a case from the air traffic management domain.

(2017). Maintaining secure business processes in light of socio-technical systems' evolution. Retrieved from https://hdl.handle.net/10446/324070

Maintaining secure business processes in light of socio-technical systems' evolution

Salnitri, Mattia;
2017-01-01

2017
Salnitri, Mattia; Paja, Elda; Giorgini, Paolo
Files attached to this record:
File: FM + 2016+Maintaining+Secure+Business+Processes+in+Light+of+Socio-Technical+Systems+Evolution.pdf
Access: Archive managers only
Version: publisher's version
License: Aisberg default license
File size: 757.47 kB
Format: Adobe PDF

Use this identifier to cite or link to this document: https://hdl.handle.net/10446/324070
Citations
  • Scopus 14