The Open University

Resolving vulnerability identification errors using security requirements on business process models

Taubenberger, Stefan; Jürjens, Jan; Yu, Yijun and Nuseibeh, Bashar (2013). Resolving vulnerability identification errors using security requirements on business process models. Information Management and Computer Security, 21(3) pp. 202–223.

Full text available as: PDF (Accepted Manuscript)


Purpose - In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors - wrongly identified or unidentified vulnerabilities - can occur because uncertain data are used. Furthermore, businesses' security needs are not considered sufficiently. Hence, security functions may not protect business assets sufficiently and cost-effectively.

Design/methodology/approach - This paper aims to resolve vulnerability errors by analysing the security requirements of information assets in business process models. Business process models were selected because there is a close relationship between business process objectives and risks. Security functions are evaluated in terms of the information flow of business processes with respect to their security requirements. The claim that vulnerability errors can be resolved was validated by comparing the results of a current risk assessment approach with those of the proposed approach. The comparison was conducted both at three entities of an insurance company and through a controlled experiment within a survey of security professionals.

Findings - Vulnerability identification errors can be resolved by explicitly evaluating security requirements in the course of business; current assessment methods do not do this.

Research limitations/implications - Security requirements should be explicitly evaluated in risk assessments, taking the business context into account. The results of such an evaluation of security requirements could be used to indicate the security of information. The approach was only tested in the insurance domain, so the results may not be applicable to other business sectors.

Originality/value - It is shown that vulnerability identification errors occur in practice. With the explicit evaluation of security requirements, identification errors can be resolved. Risk assessment methods should consider the explicit evaluation of security requirements.

Item Type: Journal Item
Copyright Holders: 2013 Emerald Group Publishing Limited
ISSN: 0968-5227
Project Funding Details:
Funded Project Name                   Project ID   Funding Body
Seconomics                            Not Set      European Union
Adaptive Security And Privacy (ASAP)  291652       ERC
Keywords: security; risk assessment; business process modeling
Academic Unit/School: Faculty of Science, Technology, Engineering and Mathematics (STEM) > Computing and Communications
Faculty of Science, Technology, Engineering and Mathematics (STEM)
Research Group: Centre for Research in Computing (CRC)
Related URLs:
Item ID: 37410
Depositing User: Yijun Yu
Date Deposited: 16 Apr 2013 09:55
Last Modified: 07 Dec 2018 23:06