Implementing Security Requirements through Automatic Generation of Secure Workflows

Modern software-intensive information systems are enormously large and complex. Prior to the design process of such systems, designers and architects need to know what kinds of stakeholder needs the system is supposed to support. This is particularly true for security requirements which must be captured and analyzed alongside all other requirements rather than treated as an afterthought. Hence, many researchers have proposed different modelling frameworks in different domain fields to address security and privacy patterns. However, most of these frameworks focus on comprehensive representation and analysis of requirements, without indicating how such requirements can be implemented within the context of a business process. Users are often at loss with regards to what security technologies they should adopt and incorporate in their workflows to reach secure business processes. In this thesis, we propose a framework for enriching goal-oriented requirements models with security controls necessitated by specified security requirements. A set of patterns are designed by security experts that associate abstract domain-independent user goals/tasks with alternative workflows that achieve those goals with various levels of security. Such translation of information is performed with the aid of an AI planner, SHOP2. Consequently, system analysts with no deep experience in security technologies can acquire a view of what steps and technologies are involved in making their designs more secure and implement accordingly.