Despite the growing demand for compliant business processes, security and privacy incidents caused by erroneous workflow specifications are still omnipresent. In fact, often business process management and security issues stand out as separate silos, and are seldom addressed together towards the development of trustworthy, compliant business processes.

By combining the successful, past experiences of the First International Workshop on Alignment of the Business Process and Security Modelling (ABPSM'11) and WfSAC - BPM Workshop on Workflow Security Audit and Certification, this Joint Workshop on Security in Business Processes (SBP'12) wants to bring together researchers and practitioners interested in security management of business process models in process-aware information systems.

In particular, SBP'12 encourages innovative methods for workflow security audit and control along the entire business process lifecycle: from design time verification to online operational support and post-mortem analysis. Furthermore, it welcomes contributions beyond the strictly technical character, for instance those considering economic, legal and standardization issues.

Topics of interest include:

  • Alignment
  • Authorization
  • Accountability
  • Audit reduction
  • Business provenance
  • Case studies
  • Conformance/compliance checking
  • Continuous audit
  • Cost-benefit analysis
  • Data-centric process mining
  • Formal reasoning
  • Fraud detection
  • Economics of audit
  • Experience reports
  • Information flow control
  • Log formats
  • Meta-models for analysis
  • Modelling
  • Operational decision support
  • Privacy-aware process discovery
  • Requirements elicitation
  • Requirements formalization
  • Risk Measurement
  • Runtime verification and monitoring
  • Security testing
  • Trace clustering
  • Usage control
  • Workflow forensics
  • Workflow simulation


9:15-9:30 Workshop opening
9:30-11:00 SESSION 1: Perspectives of Secure Business Processes
Chair: Raimundas Matulevicius
9:30-10:25 Keynote A. Opdahl, Identifying and Visualising Dependability Concerns- Applications to Business Process Management
10:25-11:00 P1 A. Goldstein, U. Frank, A Language for Multi-Perspective Modelling of IT Security: Objectives and Analysis of Requirements
Discussants: authors of P5 and P2
11:00-11:30 Break
11:30-13:00 SESSION 2: Security and Compliance
Chair: Wil van der Aalst
11:30-12:05 P2 D. Knuplesch, M. Reichert, J. Mangler, S. Rinderle-Ma, W. Fdhila, Towards Compliance of Cross-Organizational Processes and their Changes
Discussants: authors of P4 and P3
12:05-12:40 P3 A. D. Brucker, I. Hang, Secure and Compliant Implementation of Business Process-driven Systems Discussants: authors of P1 and P5
12:40-13:00 P6 B. Depaire, J. Swinnen, M. Jans, K. Vanhoof, A Process Deviation Analysis Framework
Discussants: authors of P7
13:00-14:00 Lunch
14:00-15:30 SESSION 3: Security and Internet Services
Chair: Niels Lohmann
14:00-14:50 Keynote S. Heiberg, New Technologies for Democratic Elections
14:50-15:10 P7 D. Martinho, D. R. Ferreira, Securely Storing and Executing Business Processes in the Cloud
Discussants: authors of P9
15:10-15:30 P8 M. Fonda, S. Moinard, C. Toinard, Advanced Protection of Workflow Sessions with SEWebSessions
Discussants: authors of P6
15:30-16:00 Break
16:00-17:30 SESSION 4: Engineering Secure Business Processes
Chair: Rafael Accorsi
16:00-16:35 P4 A. Lehmann, N, Lohmann, Modeling Wizard for Confidential Business Processes
Discussants: authors of P3 and P1
16:35-17:10 P5 I. Soomro, N. Ahmed, Towards Security Risk-oriented Misuse Cases
Discussants: authors of P2 and P4
17:10-17:30 P9 M. Leitner, A. Baumgrass, S. Schefer-Wenzl, S. Rinderle- Ma, M. Strembeck, A Case Study on the Suitability of Process Mining to Produce Current-State RBAC Models
Discussants: authors of P8
17:30-17:45 Workshop closing


The workshop will host two keynotes.

Speaker  Prof. Andreas Opdahl, University of Bergen (Norway)
Title Identifying and visualising dependability concerns - applications to business process management
Abstract The project RecSeq - Requirements for Security (2009-2012) developed and evaluated techniques that can be used visualise security and other dependability concerns, such as safety, early in the planning of new information systems. A central concern was to allow inclusion of a variety of stakeholders, including non-ICT/non-security experts, in the requirements process. The talk will review the dependability requirements work done in ReqSec and highlight its relevance for the security of business processes.
Bio Andreas L. Opdahl is Professor of Information Systems Development at the University of Bergen, Norway. He received his Ph.D. from the Norwegian University of Science and Technology in 1992. Opdahl is the author, co-author or co-editor of more than a hundred journal articles, book chapters, refereed archival conference papers and books. His research interests center around enterprise and IS modelling, requirements determination and software security. In the past, he has been the Organizer and/or Program Chair of conferences and workshops such as CAiSE, REFSQ, PoEM, FP-UML and RTEE. He is a member of IFIP WG5.8 on Enterprise Interoperability and WG8.1 on Design and Evaluation of Information Systems and of ACM, AIS and IEEE CS. He serves on the editorial/editorial review boards of journals such as J Database Management, Int J Interoperability of Business Information Systems, Int J Information System Modeling and Design and The Open Software Engineering J; as a reviewer for premier international journals, such as CACM, ISR, JAIS and ACM/IEEE transactions; and on the program committees of renowned international conferences and workshops.
Speaker  Sven Heiberg, Cybernetica (Estonia)
Title New Technologies for Democratic Elections
Abstract Estonia has implemented a specific form of electronic voting - internet voting - as a method to participate in various types of legally binding elections since 2005. In parliamentary elections held in 2011 the percentage of internet voters among all the voters was as high as 24.3%. In parallel to the rise of popularity, the amount of attempts to question the security or suitability of the internet voting increased. Today internet voting is not a niche-method anymore. Successful attacks against the method might have significant influence on the election results. In this evolved situation we have performed threat modeling and risk analysis of Estonian internet voting method.
Bio Sven Heiberg is software architect from Cybernetica AS, Estonia and also works as a research fellow for the Software Technology and Applications Competence Centre. He has been one of the key developers of Estonian i-voting solution since 2003, he also has participated in projects to design i-voting solution for other governments. He and his colleagues were rewarded by the Estonian Academy of Sciences for their work to enable i-voting in Estonia in 2005. He received his MSc. in Computer Science from University of Tartu in 2002.

Submission guidelines  

Submitted manuscripts must be written in English and be no longer than 12 pages. They must be formatted using the LNBIP format and submitted as a PDF document to EasyChair website.

Submissions will be reviewed by at least three PC members based on their originality, significance, technical soundness and clarity of exposition. Submitted manuscripts must not substantially overlap manuscripts that have been published or that are simultaneously submitted to a conference with proceedings or a journal.

The workshop papers will be published by Springer as a post-workshop proceedings volume in the series Lecture Notes in Business Information Processing (LNBIP).

Important Dates  

Paper submission:
Paper notification:
Camera-ready version:
June 1, 2012 June 4, 2012
July 2, 2012
July 27, 2012
September 3, 2012


PC Chairs
Rafael Accorsi, University of Freiburg, Germany
Raimundas Matulevicius, University of Tartu, Estonia

Organization Chairs
Peter Karpati, Norwegian University of Science and Technology, Norway
Marco Montali, Free University of Bozen-Bolzano, Italy

Steering Chairs
Wil van der Aalst, Eindhoven University of Technology, the Netherlands
Guttorm Sindre, Norwegian University of Science and Technology, Norway

Program Committee  

  • Federico Chesani (Univ. of Bologna, Italy)
  • Jason Crampton (Univ. of London, UK)
  • Chiara Difrancescomarino (FBK-IRST, Italy)
  • Eduardo B. Fernández (Florida Atlantic Univ., USA)
  • Khaled Gaaloul (CRP Henri Tudor, Luxembourg)
  • Aditya Ghose (Univ. of Wollongong, Australia)
  • Paolo Giorgini (Univ. of Trento, Italy)
  • Michael Huth (Imperial College, UK)
  • Dieter Hutter (DFKI GmbH, Germany)
  • Mieke Jans (Hasselt Univ., Belgium)
  • Jan Jürjens (TU Dortmund, Germany)
  • Seok-Won Lee (Ajou Univ., Korea)
  • Niels Lohmann (Univ. of Rostock, Germany)
  • Heiko Ludwig (IBM Almaden, USA)
  • Fabrizio M. Maggi (TU/e, the Netherlands)
  • Per H. Meland (SINTEF ICT, Norway)
  • Haralambos Mouratidis (Univ. of East London, UK)
  • Andreas L. Opdahl (Univ. of Bergen, Norway)
  • Günther Pernul (Univ. of Regensburg, Germany)
  • Silvio Ranise (FBK-IRST, Italy)
  • Stefanie Rinderle-Ma (Univ. of Vienna, Austria)
  • David G. Rosado (Univ. of Castilla-La Mancha, Spain)
  • Shazia Sadiq (Univ. of Queensland, Australia)
  • Mark Strembeck (WU Vienna, Austria)
  • Uldis Sukovskis (Riga Technical Univ., Latvia)
  • Jan M. van der Werf (TU/e, the Netherlands)
  • Barbara Weber (Univ. of Innsbruck, Austria)