Secure activity resource coordination: empirical evidence of enhanced security awareness in designing secure business processes

Systems development methodologies incorporate security requirements as an afterthought in the non–functional requirements of systems. The lack of appropriate access control on information exchange among business activities can leave organizations vulnerable to information assurance threats. The gap between systems development and systems security leads to software development efforts that lack an understanding of security risks. We address the research question: how can we incorporate security as a functional requirement in the analysis and modeling of business processes? This study extends the Semantic approach to Secure Collaborative Inter–Organizational eBusiness Processes in D'Aubeterre et al. (2008). In this study, we develop the secure activity resource coordination (SARC) artifact for a real–world business process. We show how SARC can be used to create business process models characterized by the secure exchange of information within and across organizational boundaries. We present an empirical evaluation of the SARC artifact against the Enriched–Use Case (Siponen et al., 2006) and standard UML–Activity Diagram to demonstrate the utility of the proposed design method.