Abstract

A challenging task in security engineering concerns the specification and integration of security with other requirements at the top level of requirements engineering. Empirical studies show that it is common that end users are able to express their security needs at the business process level. Since many security requirements originate at this level, it is natural to try to capture and express them within the context of business models where end users feel most comfortable and where they conceptually belong. In this paper, we develop these views, present an ongoing work intended to create a UML-based and business process-driven framework for the development of security-critical systems and propose an approach to a rigorous treatment of security requirements supported by formal methods.