A Cyber Security Ontology for BPMN-Security Extensions

Every so often a paper is published presenting a new extension for modelling cyber security requirements in Business Process Model and Notation (BPMN). The frequent production of new extensions by experts belies the need for a richer and more expressive representation of security requirements in BPMN processes. One reason for this is that current extensions focus on only specific areas and so fail to provide adequate coverage of the cyber security domain. In this paper, we present our work considering an analysis of existing extensions and identify the security concepts used within each of them. We discuss how there is as yet no single extension which covers a comprehensive range of cyber security concepts. Consequently there is no adequate solution for accurately specifying cyber security requirements within BPMN. In order to address this, we propose a new comprehensive ontology which includes all concepts potentially modellable in BPMN related to cyber security. We explain how this ontology can be used as the basis for developing future BPMN-security extensions, and explore the challenges that must be overcome in order to develop a representation that is both effective and with adequate coverage of security requirements.