1st International Workshop on Business Processes Security
As business-process automation started to take hold in the early 1990s, organizations began to replace people with mainframe applications and EDI transfers to perform mundane tasks including data entry and processing. However, for crucial business processes such as wire transfers, customer database queries, supply chain management and purchase orders, organizations continued to use human intervention, believing that auditor supervision was required to ensure accurate money transfers and appropriate access controls to sensitive information.
Today, no division of labor exists between the tasks for which applications and people are responsible. Instead, human auditors and applications work together in concert to manage business processes and the Web servers, databases, and middleware on which they depend. However, many of these applications, especially Web-based ones, are rife with vulnerabilities, ranging from SQL injection to cross-site scripting. Even the Service Oriented Architectures they run on are far more vulnerable than their predecessors—mainframes and leased-line transfers. As a result, although SOA-based applications help expedite business processes, they at the same time expose organizations to a considerable amount of security risk.
Ensuring the secure functioning of SOAs and, by extension, of the business processes they support has become crucial to an enterprise’s success, and managing application vulnerabilities has thereby grown vastly in importance.
The workshop on Business Processes Security invites the submission of papers.
Researchers and practitioners are encouraged to submit papers on all aspects of security and privacy concerning business processes including management processes, operational processes and supporting processes.
Paper submissions can be either research papers, or industry reports. Submissions from companies, practitioners and vendors are encouraged.
Invited Talk: Exploring the benefits of information security process invariants
Speaker: George A. Fodor, ABB AB, Sweden
Business process security is normally orthogonal to the value of the secured information, that is, the flow of information and the repositories of information designed via process composition, runtime servers and front-end interfaces are independent of the information type. Although the information classification labels routinely used in firms (“public”, “internal”, “confidential”, “strictly confidential”) are based on a measure of the potential damage a disclosure could cause to the firm’s activity, these qualifications have coarse granularity and are assigned manually, and thus business processes are not actively secured according to the actual value of the damage the information disclosure could cause.
This situation is noticeable, for example, in cases of limited-time coalitions. Industrial firms that normally act as competitors might be bound into a coalition, for instance by being suppliers for a common customer’s project or partners in pre-competitive research work. The coalition can achieve its goals only if infrastructure ownership, personnel information security and compliance security levels are modified appropriately. Although a dynamically configured business process using adaptable security levels could be conceived, e.g. by using coalition game-theoretical models, it is very difficult to impose on organizations processes that change their structure depending on some hard-to-perceive risks. It is rather desirable that some regularities, expressed as invariant properties of the security architecture, are preserved, such that appropriate processes can be established.
The talk presents requirements related to flexible security information systems and describes the benefits of the proposed invariants.
About the Speaker
George A. Fodor holds a PhD in Computer Science from Linköping University. He is with ABB AB in Sweden, working as manager of the System Development department, Force Measurement. George Fodor is an adjunct professor at Örebro University, Sweden, and Western Michigan University, USA. George is the founding Editor-in-Chief of the IEEE Transactions on Industrial Informatics and a member of the organizing committees of several technical conferences in Automation, Intelligent Control and FDI. His current research interests are in information economics and intelligent decision systems. His earlier publications are in the fields of Automation, Intelligent Systems, Discrete Fault Detection and Isolation, Fuzzy Systems and Ontological Control.
BPS 2009 invites research submissions on all aspects of security and privacy concerning business processes. Topics of interest include, but are not limited to, those listed below:
Paper Submission Details
Authors are invited to submit original research contributions or experience reports in English.
For paper registration and electronic submission, see the DEXA website.
Submitted papers will be carefully evaluated based on originality, significance, technical soundness, and clarity of exposition. Authors are requested to submit their paper electronically before February 28, 2009.
Duplicate submissions are not allowed and will automatically be rejected without further review. A submission is considered a duplicate submission if, at any time while the submission is under consideration, there is another paper with the following properties:
By submitting a paper, authors automatically agree to the following terms:
"I understand that the paper being submitted must not overlap substantially with any other paper that I am a sole author or co-author of and that is currently submitted elsewhere. Furthermore, previously published papers with any overlap are cited prominently in this submission."
All accepted workshop papers will be published in the IEEE DEXA'09 workshop proceedings.