Joint Keynote
Trustworthy Information Systems: Modelling Security, Privacy and Forensics in Business Processes
Abstract:
The broad application of information systems requires that the communicated information be reliable, secured, private and used according to the intended purpose. Thus, the need for trustworthy information systems where information
creation, communication and storage are done reliably and securely is more than an option. Security-by-design and privacy-by-design methods support the development of secure, private and reliable information systems. However, one can’t achieve system security and reliability to the full extent. The trustworthy information systems should be designed so that it would be possible to eventual dispute occurrences of incidents.
Business process model and notation (BPMN) has become a de-facto standard for presenting and analysing business processes. Recent extensions suggest various means to create security- and privacy-aware business process models. It also helps develop the forensics controls to explore the security and reliability incidents within business processes. This talk will focus on three business process modelling aspects: (1) security risk management, (2) private information leakage management, and (3) forensic-ready business process modelling.
Security risk management allows us to explain protected organisations’ assets, their potential security risks, and countermeasures to mitigate these risks. The talk will illustrate how one can apply BPMN to capture and explain security risk management concepts in business processes.
Although BPMN is well suited for explaining stakeholder collaboration and its support by the information system, managing the sensitive information and decreasing its leakages remain important system design activities. The talk will present how one can use BPMN and introduce privacy-enhancing technology to mitigate information leakages to third parties.
However, it is not possible to entirely mitigate incidents happening through the business processes. This nature necessitates designing forensic-ready information systems and providing a rationale for security and privacy countermeasure design. The talk will present the forensic-oriented constructs and how one can use them to create forensic-aware business processes. The forensic-based extensions introduced to BPMN are done based on the analysis of the security risks and estimates of information leakages. Forensics controls can produce pieces of
evidence while investigating information breaches.
Short Bio:
Raimundas Matulevičius received his Ph.D. diploma from the Norwegian University of Science and Technology. Currently, he is a Professor of Information
Security position at the University of Tartu (Estonia). His research interests include security and privacy of information, security risk management, and modeldriven security. His publication record includes more than 100 articles published
in peer-reviewed journals, conferences, and workshops. Matulevičius is a principal researcher in the SPARTA H2020 project (task: Privacy-by-Design) and
several the Erasmus+ projects, including Safeguarding against Phishing in the
age of 4 Industrial Revolution (CyberPhish) and A Blueprint for Sectoral Cooperation on Blockchain Skill Development (CHAISE).
