A Framework for the Visualisation of Cyber Security Requirements and Its Application in BPMN

Abstract

Security requirements is the fundamental component in designing and defending IT systems against cyber attacks. Still in reality they are every so often to be overlooked due to the lack of expertise and technical approach to capture and model these requirements in an effective way. It is not helped by the fact that many companies, especially SMEs, tend to focus on the functionality of their business processes first, before considering security as an afterthought. New extensions for modelling cyber security requirements in Business Process Model and Notation (BPMN) Business Process Model and Notation (BPMN) have been proposed in the past to address this issue. In this chapter, we analyse existing extensions and identify the notational issues present within each of them. We discuss how there is yet no single extension which represents a comprehensive range of cyber security concepts. Consequently, a new framework is proposed that can be used to extend, visualise and verify cyber security requirements in not only BPMN, but any other existing modelling language. We investigate a new approach to modelling security and propose a solution that overcomes current issues whilst still providing functionality to include all concepts potentially modellable in BPMN related to cyber security. The framework utilises a “what you see is what you get” approach to allow intuitive modelling of rather complicated security concepts. It increases human understanding of the security requirements whilst minimising the cognitive load. We detail how we implemented our solution along with the novel approach our application takes to current challenges.