Obtaining secure business process models from an enterprise architecture considering security requirements

Purpose Security requirements play an important role in software development. These can be specified both in enterprise architecture models and in business processes. Enterprises increasingly carry out larger amounts of business processes where security plays a major role. Business processes including security can be automatically obtained from enterprise architecture models by applying a model-driven architecture approach, through a CIM to CIM transformation. The aim of this article is to present the specification of transformation rules for the correspondence between enterprise architecture and business process model elements focusing on security. Design/methodology/approach This work utilizes motivational aspects of the ArchiMate language to model security in the business layer of enterprise architectures. Next, a set of transformation rules defined with the Atlas Transformation Language are utilized to obtain the correspondence of the enterprise architecture elements in a business process, modelled with a security extension of BPMN. Findings A total of 19 transformation rules have been defined. These rules are more complex than element to element relations, as they take into consideration the context of the elements for establishing the correspondence. Additionally, the prototype of a tool that allows the automatic transformation between both models has been developed. Originality/value The results of this work demonstrate the possibility to tackle complex transformations between both models, as previous literature focuses on semantic correspondences. Moreover, the obtained models can be of use for software developers applying the model-driven approach.