A Cross-Layer Security Analysis for Process-Aware Information Systems
This work addresses security vulnerabilities in PAIS for industries like payment processing, but it appears incremental as it builds on existing cross-layer and human-factor security concepts.
The paper tackles the problem of achieving comprehensive information security in Process-aware Information Systems (PAIS) by addressing security interdependencies across business process, technical, and human layers, and demonstrates its methodology with a scenario from the payment card industry.
Information security in Process-aware Information System (PAIS) relies on many factors, including security of business process and the underlying system and technologies. Moreover, humans can be the weakest link that creates pathway to vulnerabilities, or the worst enemy that compromises a well-defended system. Since a system is as secure as its weakest link, information security can only be achieved in PAIS if all factors are secure. In this paper, we address two research questions: how to conduct a cross-layer security analysis that couple security concerns at business process layer as well as at the technical layer; and how to include human factor into the security analysis for the identification of human-oriented vulnerabilities and threats. We propose a methodology that supports the tracking of security interdependencies between functional, technical, and human aspects which contribute to establish a holistic approach to information security in PAIS. We demonstrate the applicability with a scenario from the payment card industry.