E-business has become the fastest growing means of conducting business in today's economy. In achieving online B2B collaboration between e-businesses, services-oriented computing, by way of Web services (WS) technology, is playing an increasingly significant role. Its novel benefit is rooted in its ability to allow for seamless integration of business processes across disparate enterprises, due to the use of standardized protocols and open technologies. As the use of WS expands, however, securing these services becomes of utmost importance.
In an attempt to address the new security challenges accompanying WS, standard-setting bodies have proposed numerous pioneering standards. As WS matures, however, the move from lower-level security details, such as standards and technologies, to higher-level considerations is imminent. Security, irrespective of the context, is a multilayered phenomenon encompassing aspects such as practices, processes and methodologies. This is especially true with WS, which substantially complicates the security environment for e-businesses.
Considering this, and with special appreciation of the inter-organizational security issue now facing businesses interacting using WS, our research focuses on identifying and providing support for a novel, business-oriented approach to guide companies in achieving agreed security levels. The approach envisioned will be such that it could be used by businesses—in a joint manner—to manage the comprehensive concern that security in the WS environment has become.
Below is a list of publications that support work towards the goal of this research.
Nurse, J.R.C. and Sinclair J.E., A Case Study Analysis of an E-Business Security Negotiations Support Tool, in Electrical Engineering and Applied Computing, in Lecture Notes in Electrical Engineering, Volume 90, pp. 209-220. 2011.
Abstract: Active collaboration is undoubtedly one of the most important aspects within e-business. In addition to companies collaborating on ways to increase productivity and cut costs, there is a growing need for in-depth discussion and negotiations on their individual and collective security. This paper extends previous work on a tool aimed at supporting the cross-enterprise security negotiations process. Specifically, our goal in this article is to briefly present a case study analysis and evaluation of the usage of the tool. This provides further real-world insight into the practicality of the tool and the solution model which it embodies.
Nurse, J.R.C. and Sinclair J.E., An Evaluation of BOF4WSS and the Security Negotiations Model and Tool used to Support it, in International Journal On Advances in Security, Volume 3, Number 3&4, pp. 184-201. 2011.
Abstract: As online collaboration between businesses increases, securing these interactions becomes of utmost importance. Not only must entities protect themselves and their electronic collaborations, but they must also ensure compliance to a plethora of security-related laws and industry standards. Our research has focused in detail on the cross-enterprise security problems faced by collaborating businesses. Apart from our most recent work which investigates a novel model and tool to support e-businesses’ security negotiations, we previously defined a comprehensive development methodology to aid companies in creating secure and trusted interactions. This paper aims to advance those proposals by presenting and discussing a key stage of their evaluation. This stage uses interviews with industry-based security professionals from the field, to gather critical, objective feedback on the use and suitability of the proposals in fulfilling their aims.
Nurse, J.R.C. and Sinclair J.E., A Thorough Evaluation of the Compatibility of an E-Business Security Negotiations Support Tool, in IAENG International Journal of Computer Science, Volume 37, Issue 4, pp. 376-387. November 2010.
Abstract: For the benefits of e-business to be fully realized, there are numerous challenges to be overcome particularly with respect to security. Some of the most significant of these difficulties is incurred even before businesses fully enter the joint e-business interactions. A key example is the challenge faced as partnering e-businesses come together initially to share, compare and negotiate on their individual security needs. In previous work, we have proposed a support tool to assist in this activity and streamline several of the difficult security negotiation tasks which arise. This paper aims to advance the research of that tool by engaging in a very detailed evaluation of its compatibility with existing security needs determination methods (commonly, risk management and assessment techniques). Compatibility forms a crucial requirement as it evidences feasibility and yields worthwhile initial feedback on the ultimate usefulness and practicality of the tool.
Nurse, J.R.C. and Sinclair J.E., Securing e-Businesses that use Web Services - A Guided Tour Through BOF4WSS, in International Journal On Advances in Internet Technology, Volume 2, Number 4, pp. 253-276. 2009.
Abstract: Security in Web services technology itself is a complex and very current issue. When considering the use of this technology suite to support interacting e-businesses, literature has shown that the challenge of achieving security becomes even more elusive. This is particularly true with regard to achieving a level of security beyond just technologies, that is trusted, endorsed and practiced by all businesses involved. In an attempt to address these problems, our research has previously introduced BOF4WSS, a business-oriented development methodology, specifically geared to guide e-businesses in defining, and achieving agreed security levels across collaborating enterprises. As that work was only an introduction, the aim of this paper is to provide detailed insight into what exactly BOF4WSS advocates and how these activities and processes aid in building security and trust.
Refereed Conference Publications
Nurse, J.R.C. and Sinclair J.E., Evaluating the Compatibility of a Tool to Support E-Businesses' Security Negotiations, in The International Conference of Information Security and Internet Engineering, under World Congress on Engineering (WCE) 2010 (WCE 2010). London, UK, 30 June - 2 July 2010. Best Student Paper Award
Abstract: As e-businesses partner to engage in online business scenarios, they face numerous challenges when considering the sharing, comparison, and negotiation on their individual security needs. To aid companies in this task, in previous work we have presented a security negotiations support tool, which acts as a bridge between businesses and streamlines various negotiation tasks. The paper continues the research of that tool by evaluating its compatibility with existing security needs determination methods. Compatibility forms a key requirement as it demonstrates feasibility and gives valuable initial feedback on the ultimate usefulness of the tool.
Nurse, J.R.C. and Sinclair J.E., A Solution Model and Tool for Supporting the Negotiation of Security Decisions in E-Business Collaborations, in The Fifth International Conference on Internet and Web Applications and Services (ICIW 2010). Barcelona, Spain, 9-15 May 2010 [acceptance rate: 31%]. Best Paper Award
Abstract: Sharing, comparing and negotiating security-related actions and requirements across businesses has always been a complicated matter. Issues arise due to semantic gaps, disparity in security documentation and formats, and incomplete security-related information during negotiations, to say the least. As collaborations amongst e-businesses in particular increase, there is a growing, implicit need to address these issues and ease companies' deliberations on security. Our research has investigated this topic in substantial detail, and in this paper we present a novel solution model and tool for supporting businesses through these tasks. Initial evaluation results and feedback from interviewed security professionals affirm the use and suitability of our proposals in supporting the security actions negotiation process.
Nurse, J.R.C. and Sinclair J.E., Supporting the Comparison of Business-Level Security Requirements within Cross-Enterprise Service Development, in The 12th International Conference on Business Information Systems (BIS 2009). Poznan, Poland, 27-29 April 2009 [acceptance rate: 29%].
Abstract: For businesses planning interactions online, particularly those using Web services, managing risks and accommodating each other's varying business-level security requirements is a complex but critical issue during development. Literature suggests numerous reasons that prohibit the simplistic adoption, or even comparison of requirements; examples apparent in the format used to express them, and processes employed to determine them. This paper presents the initial steps of an approach to ease this process, specially within the context of our cross-enterprise development methodology, BOF4WSS. Specifically, we focus on the design of an ontology to model key factors which influence requirement determination. This ontology will act as the basis for a future tool to state requirements and factors which influenced them, in a common, formal format, to allow for easier analysis and comparison across enterprises.
Nurse, J.R.C. and Sinclair J.E., BOF4WSS: A Business-Oriented Framework for Enhancing Web Services Security for e-Business, in The Fourth International Conference on Internet and Web Applications and Services (ICIW 2009). Venice/Mestre, Italy, 24-28 May 2009 [acceptance rate: 33%]. Best Papers Award
Abstract: When considering Web services’ (WS) use for online business-to-business (B2B) collaboration between companies, security is a complicated and very topical issue. This is especially true with regard to reaching a level of security beyond the technological layer, that is supported and trusted by all businesses involved. With appreciation of this fact, our research draws from established development methodologies to develop a new, business-oriented framework (BOF4WSS) to guide e-businesses in defining, and achieving agreed security levels across these collaborating enterprises. The approach envisioned is such that it can be used by businesses—in a joint manner—to manage the comprehensive concern that security in the WS environment has become.