A semi-automated BPMN-based framework for detecting conflicts between security, data-minimization, and fairness requirements
Software and Systems Modeling (IF 2), Pub Date: 2020-02-07, DOI: 10.1007/s10270-020-00781-x
Qusai Ramadan, Daniel Strüber, Mattia Salnitri, Jan Jürjens, Volker Riediger, Steffen Staab

Requirements are inherently prone to conflicts. Security, data-minimization, and fairness requirements are no exception. Importantly, undetected conflicts between such requirements can lead to severe effects, including privacy infringement and legal sanctions. Detecting conflicts between security, data-minimization, and fairness requirements is a challenging task, as such conflicts are context-specific and their detection requires a thorough understanding of the underlying business processes. For example, a process may require anonymous execution of a task that writes data into a secure data storage, where the identity of the writer is needed for the purpose of accountability. Moreover, conflicts arise not only from trade-offs between requirements elicited from the stakeholders, but also from misinterpretation of elicited requirements while implementing them in business processes, which leads to a misalignment between the data subjects' requirements and their specifications. Both types of conflicts are substantial challenges for conflict detection. To address these challenges, we propose a BPMN-based framework that supports: (i) the design of business processes considering security, data-minimization, and fairness requirements, (ii) the encoding of such requirements as reusable, domain-specific patterns, (iii) the checking of alignment between the encoded requirements and annotated BPMN models based on these patterns, and (iv) the detection of conflicts between the specified requirements in the BPMN models based on a catalog of domain-independent anti-patterns. The security requirements were reused from SecBPMN2, a security-oriented BPMN 2.0 extension, while the fairness and data-minimization parts are new. For formulating our patterns and anti-patterns, we extended a graphical query language called SecBPMN2-Q. We report on the feasibility and the usability of our approach based on a case study featuring a healthcare management system, and an experimental user study.
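To make the anti-pattern idea concrete, here is an added example; it is not code from the paper or from the SecBPMN2/SecBPMN2-Q tooling. It represents an annotated process as a small Python model (the task and data-object names, the annotation vocabulary such as "anonymity", "accountability", "non-repudiation" and "fairness:<attribute>", and the three anti-patterns are all assumptions constructed for this illustration), runs a catalog of domain-independent anti-patterns over it, including the anonymous-write-to-accountable-storage case from the abstract, and performs the alignment check between elicited requirements and the annotations actually present in the model.

```python
"""Toy detector for conflicts between security, data-minimization and
fairness annotations on a process model. Added illustration only: the
model structure, annotation names and anti-patterns are constructed for
this example and are not the paper's SecBPMN2 / SecBPMN2-Q tooling."""
from dataclasses import dataclass, field


@dataclass
class Task:
    name: str
    reads: set = field(default_factory=set)        # data objects read
    writes: set = field(default_factory=set)       # data objects written
    annotations: set = field(default_factory=set)  # e.g. "anonymity"


@dataclass
class DataObject:
    name: str
    annotations: set = field(default_factory=set)  # e.g. "accountability"


@dataclass
class Model:
    tasks: dict   # name -> Task
    data: dict    # name -> DataObject


def anonymity_vs_accountability(model):
    """Anti-pattern: an anonymously executed task writes a data object for
    which the identity of the writer must be retained (accountability)."""
    return [("anonymity/accountability", t.name, d)
            for t in model.tasks.values() if "anonymity" in t.annotations
            for d in t.writes if "accountability" in model.data[d].annotations]


def anonymity_vs_non_repudiation(model):
    """Anti-pattern: one task carries both anonymity and non-repudiation,
    and non-repudiation needs a provable, attributable executor."""
    return [("anonymity/non-repudiation", t.name, None)
            for t in model.tasks.values()
            if {"anonymity", "non-repudiation"} <= t.annotations]


def fairness_vs_protected_input(model):
    """Anti-pattern: a task that must decide fairly with respect to an
    attribute reads a data object the model says contains that attribute,
    so the specified data flow contradicts the fairness requirement."""
    found = []
    for t in model.tasks.values():
        attrs = {a.split(":", 1)[1] for a in t.annotations if a.startswith("fairness:")}
        for d in t.reads:
            for attr in attrs:
                if f"contains:{attr}" in model.data[d].annotations:
                    found.append(("fairness/protected-input", t.name, d))
    return found


# The "catalog" of domain-independent anti-patterns (constructed for this example).
ANTI_PATTERNS = (anonymity_vs_accountability,
                 anonymity_vs_non_repudiation,
                 fairness_vs_protected_input)


def detect_conflicts(model):
    """Run every anti-pattern over the model; a hit is a (kind, task, data) tuple."""
    return [hit for ap in ANTI_PATTERNS for hit in ap(model)]


def check_alignment(model, requirements):
    """Alignment check: each elicited requirement (task, annotation) must be
    specified on the model; return the ones the model fails to carry."""
    return [(task, ann) for task, ann in requirements
            if ann not in model.tasks.get(task, Task(task)).annotations]


def example_model():
    """Constructed healthcare-style process (sample input, not from the paper)."""
    data = {
        "feedback_store": DataObject("feedback_store", {"accountability"}),
        "patient_record": DataObject("patient_record", {"confidentiality", "contains:gender"}),
        "consent_form": DataObject("consent_form", {"integrity"}),
    }
    tasks = {
        "submit_feedback": Task("submit_feedback", writes={"feedback_store"}, annotations={"anonymity"}),
        "decide_treatment": Task("decide_treatment", reads={"patient_record"}, annotations={"fairness:gender"}),
        "sign_consent": Task("sign_consent", writes={"consent_form"},
                             annotations={"non-repudiation", "anonymity"}),
        "archive_record": Task("archive_record", reads={"patient_record"}),  # no annotations at all
    }
    return Model(tasks, data)


# Requirements as elicited from stakeholders; the second one was never modelled.
ELICITED_REQUIREMENTS = [("submit_feedback", "anonymity"),
                         ("archive_record", "data-minimization")]


def run_example():
    model = example_model()
    return detect_conflicts(model), check_alignment(model, ELICITED_REQUIREMENTS)


if __name__ == "__main__":
    conflicts, misaligned = run_example()
    for kind, task, obj in conflicts:
        print(f"conflict {kind}: task {task!r}" + (f" writes/reads {obj!r}" if obj else ""))
    for task, ann in misaligned:
        print(f"misaligned: elicited requirement {ann!r} on {task!r} is not in the model")
```

Each anti-pattern is a query over the model's structure and annotations rather than over the process semantics, which is the property that lets such a catalog stay domain-independent; the alignment check is the separate step that catches the second conflict type from the abstract, a requirement that was elicited but lost when the process was modelled.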

Updated: 2020-02-07