Adaptive modeling for security vulnerability propagation to predict the impact of business process redesign

Arif Djunaidy; Eva Hariyanti; Daniel Siahaan

doi:10.12688/f1000research.132780.1

Home Browse Adaptive modeling for security vulnerability propagation to predict...

ALL Metrics

-

Views

-

Downloads

Get PDF

Get XML

Export

▬

✚

Method Article

Adaptive modeling for security vulnerability propagation to predict the impact of business process redesign

[version 1; peer review: 1 not approved]

Arif Djunaidy ¹, Eva Hariyanti², Daniel Siahaan³

PUBLISHED 03 May 2023

Author details Author details

¹ Department of Information Systems, Institut Teknologi Sepuluh Nopember, Surabaya, East Java, 60111, Indonesia
² Department of Information Systems, Universitas Airlangga, Surabaya, East Java, 60115, Indonesia
³ Department of Informatics, Institut Teknologi Sepuluh Nopember, Surabaya, East Java, 60111, Indonesia

Arif Djunaidy
Roles: Conceptualization, Funding Acquisition, Methodology, Project Administration, Supervision, Validation, Writing – Original Draft Preparation, Writing – Review & Editing

Eva Hariyanti
Roles: Conceptualization, Data Curation, Formal Analysis, Investigation, Methodology, Resources, Software, Validation, Writing – Original Draft Preparation, Writing – Review & Editing

Daniel Siahaan
Roles: Methodology, Supervision, Validation, Writing – Review & Editing

OPEN PEER REVIEW

REVIEWER STATUS

Abstract

Background: Business process redesign (BPR) is typical in organizations and is followed by adaptive maintenance on supporting applications. However, BPR leads to information security vulnerabilities that can propagate to its supporting applications.
Methods: This study proposes a new method called Node Strength-based Vulnerability Modeling (NSVM) for modeling security vulnerability propagation in the business processes and IT service layers. We applied the concept of social network strength to build our propagation model. The propagation model is needed to predict the impact of BPR on application vulnerabilities. We chose e-commerce applications as a case study. We evaluated the vulnerability propagation model by comparing the predicted vulnerability scores from the model with the actual scores of e-commerce applications in the National Vulnerability Database.
Results: Our experimentation indicates that the propagation strength between nodes is influenced by Common Weakness Enumerations (CWEs) between them. Thus, the vulnerability propagation model can predict vulnerability scores at module nodes in the IT service layer. In the NSVM, the best prediction scores were obtained by aggregating the adjacency and initial scores using the maximum principle approach. The best evaluation results yield mean absolute error (MAE), root mean squared error (RMSE), and mean squared error (MSE) scores of 0.60, 1.44, and 1.16, respectively.
Conclusion: Our study shows that the vulnerability propagation model with an adaptive mechanism based on BPR can be used to predict security vulnerability scores as the impact of business process redesign.

Keywords

Business Process Redesign, Directed andWeighted Graph, e-Commerce, Propagation Model, Security Threats, Social Network Strength

Corresponding author: Arif Djunaidy

Competing interests: No competing interests were disclosed.

Grant information: The author(s) declared that no grants were involved in supporting this work.

Copyright: © 2023 Djunaidy A et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

How to cite: Djunaidy A, Hariyanti E and Siahaan D. Adaptive modeling for security vulnerability propagation to predict the impact of business process redesign [version 1; peer review: 1 not approved]. F1000Research 2023, 12:462 (https://doi.org/10.12688/f1000research.132780.1) First published: 03 May 2023, 12:462 (https://doi.org/10.12688/f1000research.132780.1) Latest published: 03 May 2023, 12:462 (https://doi.org/10.12688/f1000research.132780.1)

1. Introduction

Business process redesign (BPR) refers to the intentional change of business processes¹ and aims at changing the way work is accomplished, and value is delivered.² BPR occurs in cross-functional organizations and often precipitates changes in job descriptions within the organizational structure.³ BPR can include adding, simplifying, changing, or automating a set of initial process models resulting in to-be process models. The to-be process model (to-be model) is defined as a model that results from applying improvement opportunities to the current (as-is) business environment. BPR efforts are always followed by adaptive maintenance on supporting applications. However, module changes in the application can lead to new information security vulnerabilities.⁴ New vulnerabilities arise caused by software programming bugs and design flaws.⁵ For example, a module change related to modifying the form for data input. The most common vulnerability that occurs due to exploiting software programming bugs is in user input validation (Common Weakness Enumeration 20 [CWE-20]). Input validation is the process of ensuring that the input data follows specific rules. Incorrect data validation can cause data corruption, as seen in structured query language (SQL) injection (CWE-89). SQL injection is a technique for exploiting program bugs in a website. The attacker injects SQL commands from web forms to either modify database contents or dump database information such as credit cards or passwords to the attacker. BPR also affects information security controls applied to business processes and applications, and changes to these controls can cause vulnerabilities in applications. As vulnerabilities can propagate between resources, vulnerabilities in business processes that propagate to an application module will also propagate to other modules.⁶ Vulnerabilities that propagate to applications following BPR should be predicted as early as possible to allow system developers to become aware of security threats that may arise from these vulnerabilities.

IT architecture describes the relationship between business processes and their supporting applications. As part of the organization’s enterprise architecture, IT architecture describes current and future designs. An organization can develop enterprise architecture using several frameworks. Most frameworks have four architectural domains: business process, information, application systems, and technology. In addition, IT architecture consists of three layers: business processes, IT services (including data and applications), and technology.⁷

Researchers have developed vulnerability propagation models that serve different purposes. For instance, models have identified vulnerabilities at the technology layer, including in the hardware, network, or infrastructure,⁸ ^– ¹¹ and between information security controls regarding specific standards.¹² Previously developed models have used weighted and directed graphs,⁸ ^, ⁹ Bayesian networks,¹² dynamic systems,¹⁰ and Petri nets¹¹ as visual representations. Some models have adaptive capabilities that allow them to adjust to changes in expert knowledge and risk history¹² as well as changes in investment strategies.¹⁰ In reviewing application vulnerabilities from BPR, we need a model that illustrates vulnerability propagation at the business process and IT service layers. Moreover, the model should have an adaptive mechanism that responds to changes in business processes.

Our study aims to develop a method for modeling vulnerability propagation in the business process and IT service layers and makes two contributions to previous research. First, the model can illustrate vulnerability propagation in these two layers. Vulnerability propagation occurs horizontally between tasks in the business process layer and between application modules in the IT service layer, while vulnerability propagation occurs vertically from business processes to applications in the IT service layer. Second, the model has an adaptive mechanism that reorders the layout when new business processes are added following BPR.

Our method can be briefly described as follows. First, we represented the vulnerability propagation model using a weighted and directed graph. We applied the concept of social network strength to assess the propagation of vulnerabilities between nodes. This approach was used to build an initial model before BPR occurred. Second, we developed adaptive mechanisms that allow the model to reorder the layout in response to the introduction of new business processes, thus changing the initial model into the to-be model through a series of procedures. We used three different methods for calculating prediction scores in the to-be model: the influential node approach, the proportion approach, and the ranking approach based on the propagation strength of the nodes. Finally, we evaluated the vulnerability propagation model by comparing the predicted vulnerability scores from the model with the actual scores of e-commerce applications in the National Vulnerability Database (NVD).

The rest of the paper is organized as follows. Section 2 describes related works. Section 3 introduces the proposed method, while Section 4 discusses the results, main findings, limitations, and provisions for future work. Finally, Section 5 presents our conclusions.

2. Related works

This section reviews previous studies on BPR, the vulnerability dictionary and its metrics, vulnerability propagation models, directed and weighted graphs, and social network strength. Business process redesign BPR is one type of business process change that an organization undergoes. These changes occur in an organization’s elements, including participant groups, roles, and systems; events, activities (tasks and sub-processes), data objects, and gateways; and sequence flow, message flow, and associations.¹³ In addition to BPR, there are two other levels of business process changes: business process improvement (BPI) and business process reengineering (BPRe).³

BPI and BPR are incremental (bottom-up) process improvements. BPR occurs across an organization’s functions, while BPI only occurs in one organizational function. Both BPR and BPI focus on continuous improvement.¹⁴ In contrast to BPI and BPR, BPRe is a top-down approach that re-examines broad and fundamental business processes. BPRe involves rethinking and developing radical business process redesigns, resulting in a new process with a very different design from the previous one.¹⁵ organizations perform BPRe for various reasons, including both internal and external factors.¹⁶ Our research focuses on assessing the impact of vulnerabilities introduced by BPR, tracking process changes, and developing a new business process model that does not differ greatly from older ones.

2.1 Vulnerability identification and prediction

Previous research has developed the concept of risk-aware business process management. This concept aims to create effective and efficient business processes while minimizing security risks.¹⁷ Knorr and Röhrig¹⁸ developed a framework for analyzing the security requirements of business processes in e-commerce. To determine security requirements for business processes on legacy systems, Argyropoulos et al.¹⁹ built a new process model that contains its information security requirements. Taubenberger et al.²⁰ developed the security requirements risk assessment tool to analyze a business process model’s security requirement and identify vulnerability errors in the process. Meanwhile, Jakoubi et al.¹⁷ created a risk-aware business process simulation to determine the cost and time required to execute business process model activities. Ahmed and Matulevičius²¹ and Varela-Vaca et al.²² proposed a method for modeling secure business processes using security patterns, while Varela-Vaca et al.²³ developed tools to evaluate security risks in business process models. Chergui and Benslimane²⁴ added notations related to information security requirements in the modeling language. These studies focused on developing secure business process models. In general, business process modeling involves collaboration between process analysts and information security experts to identify information security requirements.

Vulnerabilities can also be predicted and detected in application development at the design, implementation, and deployment stages. Information security experts can perform threat modeling to predict emerging threats based on the application design using methods such as data flow diagrams.²⁵ At the implementation stage, programmers can conduct source code reviews to detect vulnerabilities in the application. Researchers have developed automated tools to detect vulnerabilities in high-level languages such as C, C++, Java and Python source code.²⁶ ^– ³¹ In addition, there are also those developed for script-based programming languages such as PHP.³² Vulnerability scanning can also be done with automated tools while the application is running in its operational environment. We previously developed a Task-based Vulnerability Prediction method that can predict vulnerabilities based on business process models earlier than other methods.³³

2.2 Vulnerability propagation models

Researchers have developed propagation models for information security vulnerabilities. Feng et al.¹² developed a security risk analysis model that simultaneously defines risk factors and their causal relationships. This study used quantitative data from organizational risk history and qualitative data from experts’ opinions and NIST information security standards. The model used a Bayesian network and ant colony optimization methods.

Shin et al.³⁴ developed a cybersecurity risk model to evaluate cybersecurity in a reactor protection system (RPS), integrating procedural and technical aspects. They designed a procedural model using an activity-quality analysis approach to evaluate the compliance of people and organizations with regulations. Procedural and technical models were integrated with a Bayesian network, and the node probability table value was based on the expert’s opinion.

Later, De Gusmão et al.³⁵ improved Feng et al.¹² risk analysis model by incorporating a mechanism to overcome uncertainty factors when determining the vulnerability level. The risk analysis model identified and evaluated a series of risk events, along with several alternatives, in potential incident scenarios after an initial incident resulting from the misuse of information technology. This model was developed using event tree analysis combined with fuzzy decision theory.

Previous studies have also used graph theory for risk analysis and to develop mitigation strategies. Kotzanikolaou et al.⁸ used a dependency graph for risk assessment on critical infrastructure, depicting a multi-risk dependency analysis from first-order dependencies to nth-order dependencies. Furthermore, Stergiopoulos et al.³⁶ developed a mitigation strategy by placing proper security controls on prioritized infrastructure nodes based on graph centrality analysis to streamline the risk mitigation strategy. Meanwhile, Naghmouchi et al.⁹ used a weighted and directed graph to model vulnerability propagation caused by internal and external intruders on computer networks. Szpyrka and Jasiul¹¹ modified Petri nets to build a cybersecurity vulnerability propagation model, developing algorithms to generate propagation nets that were based on colored Petri nets. Nazareth and Choi¹⁰ used a dynamic system approach to evaluate alternative information security risk management (ISRM) strategies, considering both costs and investment. They employed a design science research approach with causal loop analysis and a dynamic system. In their model, the analysis of the investment’s impact on the organization’s assets occurs in the technology layer.

Researchers have also developed vulnerability models with adaptive capabilities following specific conditions. Feng et al.¹² developed a security risk model with learning mechanisms. Their model learns from expert knowledge and risk history factors. If new vulnerabilities occur, the model updates the previously estimated probability of the relationship between the nodes. Additionally, Nazareth and Choi¹⁰ ISRM model, which simulates the investment’s impact on the overall costs required for managing information security, contains adaptive mechanisms that are affected by the organization’s investment scenario.

2.3 Social network strength

Hangal et al.³⁷ first introduced the concept of social network strength, demonstrating that the relationship strength (tie strength) between two people in a social network is asymmetrical. That is, one person must have a more significant influence over the other. A directed and weighted graph describes how the influence of a person spreads across a social network. The influence of person A on person B is defined as the proportion of B’s investment to A. Hangal et al.³⁷ conducted a case study using the science bibliography network and retweet data on Twitter. Below, we describe essential concepts relevant to social network strength.

Influential ties refer to the influence strength between people on social networks. An analogy can be made with an investment case to understand influence ties and show how one person distributes their investment among others. For example, if person B invests most of his time in person A, then A has a great deal of influence over him. The influence A has on B, Influence(A,B), is defined as the proportion of B’s investment in A, or the amount of time B invests in A, Invest(B,A), compared to B’s total investment in a group of n people in the social network, Invest(B,X). This formula is shown in Eq. (1), which reveals that the relationship between people in a social network is asymmetrical: one person has a stronger influence than the other.

(1)

Influence (A, B) = \frac{Invest (B, A)}{\sum_{X \in in (B)} Invest (B, X)}

A person in a social network is identified as an influential individual if they strongly influence others. The influence of a node is the sum of the power of that node’s influence on n people in the network. Thus, the influence of node A is expressed by Eq. (2). We used the concepts of influential ties and influential individuals to calculate prediction scores in the vulnerability propagation model.

(2)

Influence (A) = \sum_{X \in out (A)}^{} Influence (A, X)

3. Methods

This section describes our proposed method for modeling vulnerability propagation in the business process and IT service layers. We use Business Process Model and Notation (BPMN) as a notation for the process model. We call this new method Node Strength-based Vulnerability Modeling (NSVM). Our method applies the concepts of influential ties and influential individuals to node strength to describe the strength of the vulnerability propagation between nodes and within a node.

3.1 Dataset

We used the CWE dictionary as a reference for vulnerability data. CWE is an online dictionary that lists the vulnerabilities found in software and focuses on general software vulnerabilities that are not specific to individual software products³⁸ Each CWE represents one type of vulnerability and has a hierarchical structure that allows for the review of vulnerabilities at different levels of abstraction.³⁹

We used the Magento e-commerce platform as a case study. Magento is a digital commerce platform providing online merchants unparalleled flexibility and control over their online stores’ look, content, and functionality.⁴⁰ We used Magento for the following reasons. We need case studies of BPR and the accompanying information security vulnerability data to test our method. We used common vulnerabilities and exposures (CVE) from the National Vulnerability Database (NVD) maintained by the United States government.⁴¹ CVEs are specific publicly disclosed information security vulnerabilities found in software applications. We used NVD as a data source for information security vulnerabilities because it is more up-to-date and reliable than other vulnerability databases.⁴² We have listed the CVE of all e-commerce platforms published from December 2017 to November 2021. We found 551 CVEs from 17 e-commerce platforms, corresponding to 39 CWEs. As many as 205 CVEs relating to 36 CWEs (92.31%) were Magento’s vulnerabilities. Magento provides a complete user guide for each released version so we can track its process model changes caused by BPR.

We used six BPR case studies that occurred in Magento 2.1⁴³ to 2.2⁴⁴ and Magento 2.2 to 2.3.⁴⁰ We built a dataset to represent the interrelationships between tasks in the Magento business process model and between tasks and the Magento modules. In the dataset, we described each task and module with the data related to information security vulnerabilities.⁴⁵ This dataset was used as input for the propagation modeling of information security vulnerabilities. We used this dataset to build an initial model of vulnerability propagation. We also used the dataset to construct a to-be model by adding new tasks/modules resulting from BPR to see the impact on the initial model.

In Magento 2.1 to 2.2, BPR occurred in consumer accounts and dashboards, communication channels, and payments management. Consumer account management added a process for creating a company account designed to meet the needs of B2B commerce, enabling a company to manage its accounts, roles and access rights for its teams. Changes in the consumer dashboard were related to the emergence of several new functions, including managing payment methods, redeeming gift card balances, and using credit balances to make transactions. Regarding communication channels management, a new Magento social feature was incorporated into the marketing strategy, containing links that connect Magento with the social media platform. The payment management system added a Signifyd Fraud Protection feature to detect fraudulent chargebacks and determines which orders can be filled and which should be rejected.

In the upgrade from Magento 2.2 to 2.3, BPR appeared in inventory management, shipping management, and payment management. Inventory management in Magento 2.3 can include multiple sources from several warehouses, whereas in Magento 2.2, it only involves a single source. Magento 2.3 uses two new payment methods, adding existing methods in Magento 2.2. The shipping management in Magento 2.3 added a ‘click & collect’ feature. This feature allows sellers to provide shipping options to consumers that directly deliver goods from multiple origin locations (stores/warehouses).

To evaluate the model, we retrieved Magento’s CVE as actual vulnerability scores and compared them with predicted scores from the vulnerability propagation model. We used the Common Vulnerability Scoring System (CVSS) version 3 as a vulnerability scoring standard for each CWE and CVE. The CVSS provides a standard for measuring vulnerabilities in software, generating a score between 0 and 10 to represent the severity of the exposure.⁴⁶

3.2 Representing the vulnerability propagation model

Our model is represented as a directed and weighted graph. Vertices are referred to as nodes and arcs as edges. We used the Neo4j graph database platform to build a vulnerability propagation graph model. A graph database uses highly interlinked data structures built from nodes, relationships, and properties. A graph database builds a network of interconnected entities representing its domain.⁴⁷ Neo4j has been widely used to model graph-based systems.⁴⁸

Nodes represent resources consisting of process, module, and exploited module nodes. The process node (yellow node) represents the task in the process model. This node has the attributes name, task_name, type, vuln, vuln_score, and max_score, representing task ID, task name, task type, list of CWEs, vulnerability scores of each CWE, and maximum CWE score, respectively. Vulnerabilities at the process node represent predicted vulnerabilities for each task. The module (green node) and exploited module node (red node) describe the application’s modules. This representation depends on whether the vulnerability materializes in the application. This node has the attributes name, module_name, vuln, vuln_score, and max_score; each represents module ID, module name, list of CWEs, vulnerability scores of each CWE, and maximum CWE score, respectively. Vulnerabilities at the module node mean predicted vulnerabilities based on propagation from other nodes. Meanwhile, vulnerabilities at exploited module node represent actual vulnerabilities that materialized in the application and were obtained from the NVD. We used Query 1 to form three types of nodes in the graph.

Query 1. Formation of a node.

							#Formation of task node
							CREATE (n:Process {name:id_task, task_name:nama_task, type:jenis_task, vuln:list_CWE, vuln_score:list_CWE_score, max_score:maks_CWE_score})
							#Formation of module node
							CREATE (n:(Module atau Exploited_Module {name:id_modul, module_name:nama_modul, vuln:list_CWE, vuln_score:list_CWE_score, max_score:maks_CWE_score})

In the model, an edge is formed between two nodes, representing the vulnerability propagation between resources. Each edge has a score or weight. The direction of the edge indicates the direction of the vulnerability propagation between nodes. For instance, an edge with a direction from node A to node B indicates the vulnerability propagation from resource A to resource B. This propagation model contains three types of edges: process, service, and implementation edges. The process and service edges represent horizontal propagation. Specifically, the process edge represents propagation between tasks at the business process layer, while the service edge signifies propagation between modules at the IT service layer. In contrast, the implementation edge represents vertical propagation from the business process layer to the IT service layer.

Query 2 was used to form edges between nodes in the graph. The edge connects the node containing id_origin_node to the node with id_destination_node. Each edge has a type, which is designated as the variable r:edge_type.

Query 2. Formation of an edge.

							MATCH (a),(b) WHERE a.name=id_origin_node AND b.name=id_destination_node
							
							CREATE (a)-[r:edge_type] -> (b)

3.3 Building the vulnerability propagation model

We applied the concept of social network strength to build the vulnerability propagation model. We calculated the weight of each edge by using the propagation strength (PS) formula in Eq. (1). The PS from node A to node B is calculated based on the number of CWEs in node A that are also found in B. PS between these nodes is the edge’s weight A to B and is calculated by Eq. (3).

(3)

PS (A, B) = \frac{common (B, A)}{\sum_{X \in i n (B)} common (B, X)}

Query 3 calculated common CWEs between two nodes n and m through a relation r, namely r.common.

Query 3. Calculate Common CWE on an edge.

							MATCH(n)-[r]-(m)
							SET r.common=size([x in n.vuln WHERE x in m.vuln])
							RETURN n.name, m.name, r.common

Consider the graph related to the $M_{Downl}$ module in Figure 1. $M_{Downl}$ has four incoming nodes, $M_{Check}$ , $M_{Sales}$ , P53, and P54, with the common CWEs shown in Table 1 The PS for each edge can then be calculated by 3. Table 1 displays PS scores for each edge between $M_{Downl}$ and its incoming node.

Figure 1. Example of a propagation model based on the $M_{Downl}$ module.

Table 1. Common CWEs between $M_{Downl}$ and its incoming node.

Vulnerability model	$M_{Check}$	$M_{Sales}$	P53	P54
Common CWEs	$1$	$1$	$1$	$0$
PS	$0.33$	$0.33$	$0.33$	$0$

Each node also has a propagation strength. As formulated in Eq. (4), the propagation strength of Node A, denoted PS(A), is the sum of the propagation strength of all of its outgoing nodes. This equation is adopted from Eq. (2) on the concept of influential individuals. Each node has an additional new attribute related to propagation strength at this stage.

(4)

PS (A) = \sum_{X \in o ut (A)}^{n} PS (A, X)

Query 4 was used to calculate the weight or PS from node m to n connected by r in the graph. If no common CWEs exist between the two nodes or the value of r.common equals zero, the weight is determined as zero. If there is a common CWE, the weight is calculated by dividing the r.common of the edge with the total r.common of all incoming edges to n.

Query 4. Calculate weight or PS on an edge.

							MATCH (n)<-[r]-(m)
							WITH n, sum(r.common) AS total
							SET n.total_comm=total
							RETURN n.name, n.total_comm
							MATCH (n)<-[r]-(m)
							SET (CASE WHEN n.total_comm=0 THEN r END).weight=0
							SET (CASE WHEN n.total_comm<>0 THEN r END).weight=round(toFloat(r.common)/n.total_comm,2)
							RETURN n.name, m.name, r.weight

Query 5 was then used to calculate the propagation strength of a node in the graph. A node’s PS is represented by the variable out_weight, which is the sum of all of the outgoing nodes’ weights, r_weight. The outgoing edge between nodes n and m is denoted by the edge r, (n)-[r]->(m).

Query 5. Calculate PS on a node.

							MATCH (n)-[r]->(m)
							WITH n, sum(r.weight) AS total
							SET n.out_weight=round(total,2)
							RETURN n.name, n.out_weight

To illustrate, Figure 2 shows a graph snippet related to the $M_{Check}$ module. This node is connected to other nodes through its outgoing edges, with PS scores for each outgoing node shown in Table 2 Then, the PS is calculated for the $M_{Check}$ node using Eq. (4), which results in PS( $M_{Check}$ ) = 1.90.

Figure 2. Example of a propagation model based on the $M_{Downl}$ module.

Table 2. PS ( $M_{Check}$ ) calculation based on the outgoing edges’ PS scores.

Outgoing node	Outgoing edge PS score
$M_{Captc}$	0.17
$M_{Sales}$	0.20
$M_{Downl}$	0.50
$M_{Wishl}$	0.36
$M_{CheAgree}$	0.67
PS( $M_{Check}$ )	1.90

3.4 Developing the model’s adaptive mechanisms

We developed an adaptive mechanism that enables the model to change automatically if new tasks and vulnerabilities are introduced to the initial model. Changes in the initial model follow a new process model and module dependencies in the new system architecture due to BPR. Changes in vulnerability attributes and vulnerability scores at nodes in the model were implemented using several approaches.

In the to-be model, the vulnerability scores for IT service layer nodes are predicted based on two scores: the adjacency score (AS) and the initial score (IS). The AS is obtained from the vulnerability scores of the to-be model’s incoming nodes, while the IS is taken from the actual vulnerability score of a module in the initial model. We used three methods to determine the AS: the influential node, proportion, and ranking approaches.

The influential node approach determines the AS score by taking the vulnerability score from the influence node. The influence node of node A, Influence(A), is the incoming node with the highest PS score and is thus considered to have the most influence on the vulnerability propagation model. The formula for determining the AS score for node A is calculated by Eq. (5).

(5)

AS (A) = vuln_score (Influence (A)) where, Influence (A) = Node (max P S (X_{}), X \in In (A))

The proportion approach determines the AS score by calculating the total proportion of its incoming node vulnerabilities. The AS score for a node is the sum of its incoming node vulnerability scores, vuln(Xi), multiplied by its propagation strength, PS(Xi). The result is divided by the incoming node’s total propagation strength, as stated in Eq. (6).

(6)

AS (A) = \frac{\sum_{X \in i n (A)} PS (X) \times vuln (X)}{\sum_{X \in i n (A)} PS (X)}

The ranking approach determines the AS score at a node by listing vulnerabilities in the incoming node, vuln(Xi), in ascending order. Each incoming node is given a weight according to its rank. Then, the AS score is calculated by adding the vulnerability scores of the incoming nodes, vuln(Xi), with the incoming node’s ranking weight, rank(Xi), and the result is divided by the total ranking weight, as shown in Eq. (7):

(7)

AS (A) = \frac{\sum_{X \in i n (A)} rank (X) \times vuln (X)}{\sum_{X \in i n (A)} rank (X_{})} .

Figure 3 illustrates the influential node, proportion, and ranking approaches. As an example, we can determine the AS score for the $M_{Newsl}$ module. This module contains the incoming nodes $M_{Custo}$ , P47, P48, and P49, with their PS and vulnerability scores given in Table 3.

Figure 3. Example of a propagation model based on the $M_{Newsl}$ module.

Table 3. PS and vulnerability scores for incoming nodes on $M_{Newsl}$ .

Measures	Incoming node				Total
Measures	$M_{Custo}$	P47	P48	P49	Total
Vulnerability	7.50	8.19	7.09	8.19
PS	0.77	0.10	0.05	0.15	1.07
Rank	4	2	1	3	10

The influential node approach determines the AS score from the vulnerability score of the node with the largest PS, $M_{C u s t o}$ = 0.77. Therefore, the AS score for $M_{N e w s l}$ equals the vulnerability score for $M_{C u s t o}$ , which Eq. (5) gives as 7.50. The proportion approach calculates the AS score using the formula in Eq. (6). The PS of each incoming node is multiplied by its vulnerability score. Next, the results are summed and divided by the total PS for all incoming nodes. Thus, the AS score for $M_{N e w s l}$ is 7.64. Then, the ranking approach is used to assign weights sequentially to PS scores and calculate AS scores using Eq. (7). First, the ranking weight for each incoming node is multiplied by its vulnerability score. The results are then summed and divided by the total weight of the ranking, yielding an AS score for $M_{N e w s l}$ of 7.8.

We also predicted a node’s vulnerability score by considering the actual vulnerability score from the initial model (the IS). This score represents the magnitude of the vulnerability that has appeared in the application. It is necessary to aggregate the AS and IS values to calculate the predicted vulnerability score.

We carried out two experiments to aggregate the AS and IS values. For the first experiment, we used the maximum principle, choosing the maximum score between the AS and IS values as the final prediction score. This concept is based on the first principle of risk aggregation.⁴⁹ We used the average calculation between the AS and IS values in the second approach based on Rezvani et al.⁵⁰ research. For example, suppose that in the initial model, the $M_{N e w s l}$ module has a vulnerability score of 7.5. Then, as Table 4 shows, the predicted vulnerability score for $M_{N e w s l}$ in the to-be model can be calculated with both aggregation methods for each of the three AS calculation approaches.

Table 4. Vulnerability scores prediction for $M_{Newsl}$ module.

Vulnerability	AS calculation approach
Vulnerability	Influential node	Proportion	Ranking
AS score	7.50	7.64	7.80
IS score	7.50	7.50	7.50
Maximum principle	7.50	7.64	7.80
Average calculation	7.50	7.57	7.65

3.5 Evaluation through case studies

We evaluated the vulnerability propagation model by comparing the predicted scores from the to-be model with the actual vulnerabilities in the NVD. As described in the dataset, we took BPR case studies from Magento 2.1 to 2.2 and Magento 2.2 to 2.3. We used the initial version of Magento, before BPR, as a reference for building the initial model. Next, the adaptive mechanism described in Section 3.4 changed the initial model to the to-be model. In the evaluation, we compared predicted scores in the to-be model with actual Magento vulnerability scores in the NVD using three evaluation measures, the mean absolute error (MAE), the mean squared error (MSE), and the root mean squared error (RMSE). These measurements are frequently used to compare predicted and actual values.⁵¹

4. Results

This section describes the results of implementing NSVM in the case studies.⁵² We also discuss our main findings and the study’s limitations and directions for future research.

4.1 Vulnerability propagation modeling results

Since we used six business processes from Magento 2.1 and 2.2 as case studies, we developed six initial models, as shown in Figure 4a through 4f. For example, we used the account management system in Magento 2.1 to show how to build an initial model based on the process model and its vulnerability data. The account management system consists of six main processes, including ‘create user account’, ‘sign in’, ‘reset password’, ‘update profile information’, ‘continue shopping’, and ‘display dashboard’, as shown in Figure 5. We would review the vulnerability model for the sign-in process, which consists of nine tasks connected to the following primary process, ‘reset password’, as shown in Figure 6.

Figure 4. The initial model for (a) account management in Magento 2.1, (b) communication channels management in Magento 2.1, (c) payment management in Magento 2.1, (d) inventory management in Magento 2.2, (e) shipping management in Magento 2.2, and (f) payment management in Magento 2.2.

Figure 5. The process model of consumer account management in Magento 2.1.

Figure 6. The process model of consumer account management in Magento 2.1.

Magento 2.1 implements the sign-in process through the module-authorization and module-captcha. The module-authorization manages access control according to the application’s roles and rules. The module-captcha verifies the authentication process through the captcha code. In the Magento architecture, both modules are dependent on the module-customer. Table 5 shows the vulnerabilities for each task and module, which then become attributes for each node in the vulnerability propagation model. Figure 7 depicts the graph representing the vulnerability propagation model for the sign-in process.

Table 5. Task and module vulnerabilities related to the sign-in process in Magento 2.1.

ID	Task/Module name	ID CWE	Vulnerability score	Max score
P7	Input Email and Password	20, 88, 115, 229, 233, 352, 434, 451, 510, 639, 1173	7.09, 7.09, 3.19, 3.19, 3.19, 7.09, 7.09, 7.09, 7.09, 6.58, 3.19	7.09
P8	Generate CAPTCHA	20, 74, 78, 79, 89, 91, 94, 200, 203, 264, 269, 284, 285, 287, 312, 327, 345, 346, 362, 384, 502, 613, 639, 863	8.19, 8.19, 8.19, 8.19, 8.19, 8.19, 8.19, 5.6, 8.19, 8.19, 8.19, 5.6, 5.56, 8.19, 5.6, 7.68, 5.56, 8.19, 7.89, 5.6, 7.89, 8.19, 7.68, 8.19	8.19
P9	Retype CAPTCHA	241, 287, 328, 655, 693, 804, 807	3.19, 7.09, 7.09, 7.09, 7.09, 7.09, 5	7.09
P10	Check CAPTCHA	20, 74, 78, 79, 89, 91, 94, 200, 203, 264, 269, 284, 285, 287, 312, 327, 345, 346, 362, 384, 502, 613, 639, 863	8.19, 8.19, 8.19, 8.19, 8.19, 8.19, 8.19, 5.6, 8.19, 8.19, 8.19, 5.6, 5.56, 8.19, 5.6, 7.68, 5.56, 8.19, 7.89, 5.6, 7.89, 8.19, 7.68, 8.19	8.19
P11	Check Email and Password	256, 257, 259, 263, 309, 521, 640, 916	8.19, 8.19, 8.19, 8.19, 8.19, 8.19, 6.62, 8.19	8.19
P12	Display Landing Login Page	36, 66, 205, 213, 226, 312, 362, 366, 403, 405, 414, 610, 668, 669, 704, 706	8.19, 5.6, 5.6, 5.6, 5.6, 5.6, 7.89, 4.29, 7.68, 3.68, 6.07, 7.68, 7.68, 7.68, 4.29, 7.68	8.19
P13	Display Failed Message	200, 295, 311, 335, 354, 364, 406, 441, 649, 915, 922, 940, 941	5.6, 6.07, 7.68, 8.19, 5.56, 8.19, 3.68, 8.19, 4.29, 3.98, 7.68, 8.19, 3.47	8.19
$M_{Autho}$	module-authorization	79, 312	5.4, 5.2	5.40
$M_{Captc}$	module-captcha	79, 312	5.4, 5.2	5.40
$M_{Custo}$	module-customer	79, 200, 352	5.4, 7.5, 6.5	7.50

Figure 7. Vulnerability propagation model regarding the sign-in process in Magento 2.1.

A directed and weighted graph best describes vulnerability propagation at the business process and IT service layers. Vertical propagation is unidirectional, moving from business processes to applications, and cannot be reversed. The weight of the edge represents the propagation strength from one node to another. Some edges have a PS value of zero, indicating a feeble propagation strength. This zero-score phenomenon mainly occurs on edges between process nodes with different task types. These edges were not removed from the initial model because the relationship between nodes is used as a reference when adding new nodes to develop the to-be model. However, further research is needed to develop a modeling method that considers task type as one of the factors affecting vulnerability propagation at the business process layer.

4.2 Adaptive mechanism modeling results

We used three BPR case studies from Magento 2.1 to 2.2 and three from Magento 2.2 to 2.3 to experiment with adaptive mechanisms in the vulnerability propagation model. Figure 8(a) and (b) provide an example of a process model for managing consumer accounts before BPR in Magento 2.1 and after BPR in Magento 2.2. This case involves additional sub-processes related to company account management. Figure 8(c) shows a series of tasks included in the company account management sub-process.

Figure 8. BPMN for managing customer accounts for (a) Magento 2.1 before BPR, (b) Magento 2.2 after BPR, and (c) new sub-processes associated with managing company accounts in Magento 2.2.

In Magento 2.1 to 2.2 and Magento 2.2 to 2.3, BPR added processes with a series of sequential, parallel, and looping tasks. The adaptive mechanism developed in this study can operate with these three types of task series. The tasks in the newly added process model are represented as a series of new nodes formed in the graph using Queries 1 and 2. Following the new IT architecture and process model, the new node series were added to the to-be model structure. The following discussion offers an example of each BPR scenario that results from adding a new series of tasks to the to-be model.

Figure 8(c) shows a sequential series of tasks that must be completed to create company accounts. The process of creating a company account is related to the customer module in Magento 2.2. Table 6 shows the vulnerabilities of tasks related to this process.

Table 6. Vulnerabilities for each task in the sub-process of creating a company account.

ID	Task/Module name	Vulnerabilities (CWE ID)	Vulnerability scores	Max score
P67	Create Company Account	20, 88, 115, 229, 233, 352, 434, 451, 510, 639, 1173	7.09, 7.09, 3.19, 3.19, 3.19, 7.09, 7.09, 7.09, 7.09, 6.58, 3.19	7.09
P68	Create Company Admin	20, 88, 115, 229, 233, 352, 434, 451, 510, 639, 1173	7.09, 7.09, 3.19, 3.19, 3.19, 7.09, 7.09, 7.09, 7.09, 6.58, 3.19	7.09
P69	Set Up the Company Structure	241, 287, 328, 655, 693, 804, 807	3.19, 7.09, 7.09, 7.09, 7.09, 7.09, 5	7.09
P70	Define Role and Permission	20, 88, 115, 229, 233, 352, 434, 451, 510, 639, 1173	7.09, 7.09, 3.19, 3.19, 3.19, 7.09, 7.09, 7.09, 7.09, 6.58, 3.19	7.09
P71	Create Company Users	20, 88, 115, 229, 233, 352, 434, 451, 510, 639, 1173	7.09, 7.09, 3.19, 3.19, 3.19, 7.09, 7.09, 7.09, 7.09, 6.58, 3.19	7.09
P72	Save Company Account	99, 212, 271, 283, 285, 296, 400, 402, 404, 410, 413, 512, 638, 662, 667, 672, 694, 708, 732, 771, 772, 862, 863, 920	7.68, 5.6, 8.19, 8.19, 5.56, 8.19, 8.19, 5.6, 6.11, 4.5, 4.5, 5.6, 8.19, 7.68, 3.68, 7.89, 8.19, 7.68, 8.19, 3.68, 3.68, 8.19, 8.19, 3.68	8.19
P73	Send Registration Link to Admin Email	300, 311, 319, 326, 328, 338, 352, 353, 354, 402, 522, 567, 601, 636, 641, 654, 662, 668, 757, 918, 924, 1173	8.19, 7.68, 7.68, 8.19, 8.19, 5.6, 8.19, 5.13, 5.56, 5.6, 8.19, 8.19, 5.6, 8.19, 8.19, 8.19, 7.68, 7.68, 8.19, 8.19, 7.68, 4.29	8.19
P74	Update Company Account	200, 295, 311, 335, 354, 364, 406, 441, 649, 915, 922, 940, 941	5.6, 6.07, 7.68, 8.19, 5.56, 8.19, 3.68, 8.19, 4.29, 3.98, 7.68, 8.19, 3.47	8.19
P75	Send Registration Link to User’s Email	300, 311, 319, 326, 328, 338, 352, 353, 354, 402, 522, 567, 601, 636, 641, 654, 662, 668, 757, 918, 924, 1173	8.19, 7.68, 7.68, 8.19, 8.19, 5.6, 8.19, 5.13, 5.56, 5.6, 8.19, 8.19, 5.6, 8.19, 8.19, 8.19, 7.68, 7.68, 8.19, 8.19, 7.68, 4.29	8.19

We introduced new nodes into the initial model and added new tasks and their vulnerabilities with Query 1. The edges connecting the new nodes were then formed using Query 2. The graph in Figure 9 was made based on the new series of tasks shown in Figure 8(c). This graph was added to the initial company account management process model in Figure 4(a). Next, the mechanism for changing the model was implemented using Queries 3 to 5, and the vulnerability score was predicted using the three approaches shown in Eq. (5), (6), and (7). After BPR, the graph of the sign-in process in Figure 7 was integrated with the graph for creating a company account, as shown in Figure 10. A complete graph of managing customer accounts after BPR can be seen in Figure 11.

Figure 9. Vulnerability propagation model regarding the sub-process of creating a company account in Magento 2.2.

Figure 10. Vulnerability propagation model for creating a company account connected with the sign-in process in Magento 2.2.

Figure 11. To-be model for (a) account management in Magento 2.2, (b) communication channels management in Magento 2.2, (c) payment management in Magento 2.2, (d) inventory management in Magento 2.3, (e) shipping management in Magento 2.3, and (f) payment management in Magento 2.3.

After adding a new series of tasks, we calculated the prediction scores of the to-be model. Table 7 shows the AS for each module node in the IT service layer, which was calculated using the influential node, proportion, and ranking approaches. Table 7 also presents the predicted scores by aggregating the AS and the IS using three approaches.

Table 7. The evaluation results for the Adjacency Score (AS), average calculation principle (ACP), and maximum principle (MP) using the three approaches.

BPR Case	Module ID	Module name	Initial score	Actual score	AS			ACP			MP
BPR Case	Module ID	Module name	Initial score	Actual score	I	P	R	I	P	R	I	P	R
Manage	$M_{Custo}$	customer	7.50	7.50	7.09	7.54	7.52	7.30	7.52	7.51	7.50	7.54	7.52
Customer	$M_{Autho}$	authorization	5.40	7.50	8.19	8.15	7.97	6.80	6.78	6.69	8.19	8.15	7.97
Account	$M_{Captc}$	captcha	5.40	7.50	7.50	8.27	7.99	6.45	6.84	6.70	7.50	8.27	7.99
2.1 to 2.2	$M_{User}$	user	7.50	7.50	8.19	7.54	7.23	7.85	7.52	7.37	8.19	7.54	7.50
	$M_{Wishl}$	wishlist	9.80	9.80	9.80	9.58	7.73	9.80	9.69	8.77	9.80	9.80	9.80
	$M_{Check}$	checkout	9.80	9.80	7.50	7.44	7.16	8.65	8.62	8.48	9.80	9.80	9.80
	$M_{Sales}$	sales	9.80	9.80	7.50	8.09	7.70	8.65	8.95	8.75	9.80	9.80	9.80
	$M_{Downl}$	downloadable	4.90	4.90	9.80	9.80	8.34	7.35	7.35	6.62	9.80	9.80	8.34
	$M_{ImpExpor}$	import-export		9.80	7.17	7.17	7.85	7.17	7.17	7.85	7.17	7.17	7.85
	$M_{Store}$	store		7.50	7.50	7.17	7.15	7.50	7.17	7.15	7.50	7.17	7.15
	$M_{Payme}$	payment		8.10	9.80	9.01	8.19	9.80	9.01	8.19	9.80	9.01	8.19
Manage	$M_{Email}$	email	7.20	8.80	7.43	6.91	6.59	7.32	7.06	6.90	7.43	7.20	7.20
Communication	$M_{AdmNotif}$	admin-notification	7.20	8.80	6.33	6.70	6.67	6.77	6.95	6.94	7.20	7.20	7.20
Channel	$M_{Newsl}$	newsletter	4.80	8.80	7.43	7.11	7.06	6.12	5.96	5.93	7.43	7.11	7.06
2.1 to 2.2	$M_{Rss}$	rss	5.30	5.30	6.33	6.33	6.48	5.82	5.82	5.89	6.33	6.33	6.48
	$M_{Varia}$	variable	5.40	8.80	6.33	6.62	6.62	5.87	6.01	6.01	6.33	6.62	6.62
Manage	$M_{Payme}$	payment	5.40	9.80	6.33	6.57	6.35	5.87	5.99	5.88	6.33	6.57	6.35
Payment	$M_{Paypa}$	paypal	7.50	7.50	7.43	6.68	6.73	7.47	7.09	7.12	7.50	7.50	7.50
2.1 to 2.2	$M_{Brain}$	braintree	7.50	7.50	7.50	6.89	6.63	7.50	7.20	7.07	7.50	7.50	7.50
	$M_{AuthoNet}$	authorizenet	7.50	7.50	7.50	7.08	6.72	7.50	7.29	7.11	7.50	7.50	7.50
	$M_{Cyber}$	cybersource	7.50	7.50	7.50	7.08	6.67	7.50	7.29	7.09	7.50	7.50	7.50
	$M_{Eway}$	eway	7.50	7.50	7.50	7.23	6.72	7.50	7.37	7.11	7.50	7.50	7.50
	$M_{WorlPay}$	worldpay	7.50	7.50	7.50	7.08	6.59	7.50	7.29	7.05	7.50	7.50	7.50
	$M_{Signifyd}$	signifyd		7.20	7.43	7.28	6.53	7.43	7.28	6.53	7.43	7.28	6.53
Manage	$M_{CatInven}$	catalog-inventory	5.40	5.40	6.33	6.61	6.80	5.87	6.01	6.10	6.33	6.61	6.80
Inventory	$M_{ProAlert}$	product-alert	7.20	7.20	6.33	6.21	6.86	6.77	6.71	7.03	7.20	7.20	7.20
2.2 to 2.3	$M_{CatRule}$	catalog-rule		4.80	7.43	7.19	6.42	7.43	7.19	6.42	7.43	7.19	6.42
	$M_{Email}$	email		6.50	6.33	6.33	7.06	6.33	6.33	7.06	6.33	6.33	7.06
	$M_{ImpExpor}$	import-export		6.60	6.33	6.22	6.96	6.33	6.22	6.96	6.33	6.22	6.96
Manage	$M_{Shipp}$	shipping	7.20	7.20	6.33	6.33	6.69	6.77	6.77	6.95	7.20	7.20	7.20
Shipping	$M_{MultiShip}$	multishipping		8.10	6.33	6.33	7.06	6.33	6.33	7.06	6.33	6.33	7.06
2.2 to 2.3	$M_{ImpExpor}$	import-export	9.10	9.10	7.43	7.43	7.43	8.27	8.27	8.27	9.10	9.10	9.10
	$M_{ShippTem}$	shipping-temando		7.20	7.43	6.64	6.75	7.43	6.64	6.75	7.43	6.64	6.75
Manage	$M_{Payme}$	payment	9.80	9.80	7.43	6.70	6.35	8.62	8.25	8.08	9.80	9.80	9.80
Payment	$M_{Paypa}$	paypal	7.50	7.50	7.43	6.69	7.07	7.47	7.10	7.29	7.50	7.50	7.50
2.2 to 2.3	$M_{Brain}$	braintree	7.50	7.50	7.50	6.96	7.19	7.50	7.23	7.35	7.50	7.50	7.50
	$M_{AuthoNet}$	authorizenet	7.50	7.50	7.50	7.14	7.33	7.50	7.32	7.42	7.50	7.50	7.50
	$M_{Cyber}$	cybersource	7.50	7.50	7.50	7.14	7.16	7.50	7.32	7.33	7.50	7.50	7.50
	$M_{Eway}$	eway	7.50	7.50	7.50	7.28	7.21	7.50	7.39	7.36	7.50	7.50	7.50
	$M_{WorlPay}$	worldpay	7.50	7.50	7.50	7.14	6.93	7.50	7.32	7.22	7.50	7.50	7.50
	$M_{Signifyd}$	signifyd	7.20	7.20	7.43	7.29	7.84	7.32	7.25	7.52	7.43	7.29	7.84
	$M_{Klarna}$	module-klarna		7.50	7.50	7.27	7.34	7.50	7.27	7.34	7.50	7.27	7.34
	$M_{AmazoPay}$	amazon-pay		7.50	7.50	7.27	7.06	7.50	7.27	7.06	7.50	7.27	7.06
				MAE	0.93	1.07	1.10	0.79	0.84	0.84	0.66	0.67	0.60
				RMSE	2.00	2.01	1.93	1.72	1.69	1.60	1.73	1.68	1.44
				MSE	2.23	2.25	2.09	1.65	1.59	1.43	1.66	1.58	1.16

Figure 11(a) through (f) depict the to-be models of the six BPR cases. In the application layer, the module node’s vulnerability scores represent predicted vulnerabilities affected by the vulnerability propagation of associated nodes. After using the three approaches for calculating the AS, we found that each module node has three susceptibility scores. The final prediction scores were obtained by aggregating the AS and IS values.

4.3 Discussion

We predicted vulnerability scores for each module node using three approaches for calculating the AS and two approaches to aggregate the AS and IS values. We then compared the predicted scores with the actual vulnerability scores in Magento 2.2 obtained from the NVD. Next, we evaluated six BPR cases (see Table 7).

From Table 7, we can see that the prediction score using only the AS score from the three approaches has a high error score. The lowest MAE, RMSE, and MSE values are 0.93, 2.00, and 2.09, respectively. The experimental results from calculating the AS with the influential node, proportion, and ranking approaches show that the error scores do not greatly differ. Therefore, we can choose one of these three approaches to calculate AS.

The evaluation results of the prediction scores obtained from the aggregation of AS and IS reveal a lower error score, indicating that it is essential to consider vulnerability scores in the initial model. The evaluation aggregates AS and IS values with the maximum principle results in a lower error than the average calculation approach. Using the ranking approach for AS calculation, the MAE, RMSE, and MSE values are 0.60, 1.44, and 1.16, respectively. In our study, the maximum principle approach is most appropriate for aggregating AS and IS values. However, Rezvani et al.⁵⁰ used the average calculation approach to aggregate vulnerability scores on the computer network.

This study used BPR in the Magento application as a case study. Choosing a different application will inevitably lead to different predictions of vulnerabilities, and this is because the business process model underlies the application is also different. The vulnerability propagation model developed using our method is strongly influenced by the structure of the business process model.

The NSVM method can develop a propagation model for analyzing information security vulnerabilities from the business process to the IT services layers. Moreover, the NSVM method adapts the model when new processes are introduced. This method can also be used to manage the addition of new processes that involve a series of sequential, parallel, or looping tasks. Organizations can use our method to build vulnerability deployment models based on their business process models. This model can early predict applications’ security vulnerabilities before application development, in contrast to previous studies that detect security vulnerabilities during or after application development.²⁶ ^– ²⁹

Organizations must have an initial IT architecture model and its security vulnerability data to build a vulnerability propagation model. Then the organization can build a predictive model based on the to-be model of the IT architecture resulting from BPR. The business process model as a part of the IT architecture must be developed using BPMN. This is different from threat modeling, which uses data flow diagrams as the basic model for prediction.²⁵

Our method can automatically predict vulnerability scores for each resource (tasks and application modules) on the to-be model. Process designers can obtain early information about security vulnerabilities posed by BPR. Our method can reduce reliance on security experts to predict vulnerabilities in the process model, unlike threat modeling, which only depends on experts to predict vulnerabilities in the process model.²⁵

We also compare the NSVM method and other methods, focusing specifically on the modeled architecture layer, the modeling representation, the approach, and the adaptive mechanism, as shown in Table 8. The NSVM method uses a business process model and IT architecture to form a graph. As such, our method differs from other modeling methods, which use the relationship between components of IT assets, such as hardware or infrastructure,⁹ ^, ¹¹ ^, ³⁴ ^, ³⁶ or security controls that refer to specific standards.¹²

Table 8. A comparison between the NSVM method and other methods.

Method	Architectural layer	Model representation	Approach	Adaptive mechanism
Node Strength-based Vulnerability Modeling	Business process and IT service	Directed and weighted graph	Social network strength	Yes, BPR
Feng et al.¹²	IT asset	Bayesian network	Ant colony optimisation	Yes, security incidents
Stergiopoulos et al.³⁶	IT asset	Directed and weighted graph	Centrality metrics	No
Naghmouchi et al.⁹	IT asset	Directed and weighted graph	Binomial distribution	No
Szpyrka and Jasiul¹¹	IT asset	Petri nets	Labelled transition system	No
Shin et al.³⁴	IT service	Bayesian network	Activity quality analysis	No

Additionally, the NSVM method uses the CWE dictionary as a vulnerability reference and determines a prediction score by referring to the CVSS metric. In contrast, other studies have predicted risks by calculating the percentage of opportunities of threats arising from a lack of control.¹² ^, ³⁴ Our method can also be distinguished from Naghmouchi et al.,⁹ which used the vulnerability propagation model to predict the critical time at which the highest vulnerability propagation occurs. Likewise, Stergiopoulos et al.³⁶ employed a vulnerability model to analyze the effectiveness of risk mitigation efforts. The NSVM method is the first vulnerability modeling method that uses a business process model and IT architecture as its basis. It uses the model to predict vulnerability scores in application modules based on CVSS metrics.

5. Conclusions

This research has succeeded in developing node strength-based vulnerability modeling and applying the concept of social network strength to construct a vulnerability propagation model with an adaptive mechanism based on BPR. The propagation strength between nodes (node strength) is influenced by common CWEs between the two nodes. Hence, the vulnerability propagation model can predict vulnerability scores at module nodes in the IT service layer after new processes are introduced. In the NSVM, the best prediction scores were obtained by aggregating the adjacency and initial scores using the maximum principle approach. The best evaluation results from case studies show MAE, RMSE, and MSE scores of 0.60, 1.44, and 1.16, respectively.

However, this study has limitations that should be addressed in future research. Some of the model’s edges have a propagation strength score equal to zero, especially those between process nodes with different task types. The modeling method should address this issue by considering the task type as a factor that affects vulnerability propagation at the business process layer. The NSVM method develops a vulnerability propagation model that should be used to track the resources that affect the vulnerabilities in each application module in the IT service layer. This tracking is necessary to locate the critical path that leads to the most vulnerable module. Further research can be conducted to find this critical path in the vulnerability propagation model.

Data availability

Underlying data

Mendeley: Dataset: Adaptive Modelling for Security Vulnerability Propagation. http://doi.org/10.17632/fdh7n692vz.1 ⁵²

This project contains the following underlying data:

• Dataset - Adaptive Modelling for Security Vulnerability Propagation.xlsx

Data are available under the terms of the Creative Commons Attribution 4.0 International license (CC-BY 4.0).

Software availability

The following is the list of source codes and software used in this study:

• Magento version 2.1 can be accessed at https://github.com/magento2-download/magento-CE-2.1.5/releases
• Magento version 2.2 can be found at https://github.com/magento2-download/magento-CE-2.2.2/releases
• Neo4J version 5.6 can be found at https://neo4j.com/product

Acknowledgements

This research was supported by Universitas Airlangga and Institut Teknologi Sepuluh Nopember (ITS), Indonesia.

References

1. Gross S, Stelzl K, Grisold T, et al.: The Business Process Design Space for exploring process redesign alternatives. Bus. Process. Manag. J. 2020; 27(8): 25–56. Publisher Full Text
2. Dumas M, La Rosa M, Hajo JM, et al.: Fundamentals of Business process management. Inf. Syst. 2018; 37(6): 517. Publisher Full Text
3. Grover V, Kettinger WJ: Business Process Change: Concepts, Methods and Technologies. Idea Group Publishing; 1998. Publisher Full Text
4. Brilingaitė A, Bukauskas L, Kutka E: Detection of Premeditated Security Vulnerabilities in Mobile Applications. European Conference on Cyber Warfare and Security. 2019; pp. 63–71.
5. Jang-Jaccard J, Nepal S: A survey of emerging threats in cybersecurity. J. Comput. Syst. Sci. 2014; 80(5): 973–993. Publisher Full Text
6. Hariyanti E, Djunaidy A, Siahaan DO: A Conceptual Model for Information Security Risk Considering Business Process Perspective. 4th International Conference on Science and Technology, ICST, Yogyakarta, IEEE. Vol. 1. 2018; pp. 1–6. Publisher Full Text
7. Minoli D: Enterprise Architecture A to Z. New York: CRC Press; 2008.
8. Kotzanikolaou P, Theoharidou M, Gritzalis D: Interdependencies between critical infrastructures: Analyzing the risk of cascading effects. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 6983 LNCS. 2013; pp. 104–115. Publisher Full Text
9. Yassine Naghmouchi M, Perrot N, Nizar Kheir A, et al.: A New Risk Assessment Framework Using Graph Theory for Complex ICT Systems. Proceedings of the 2016 International Workshop on Managing Insider Security Threats - MIST’16. 2016; pp. 97–100. Publisher Full Text
10. Nazareth DL, Choi J: A system dynamics model for information security management. Inf. Manag. 2015; 52(1): 123–134. Publisher Full Text
11. Szpyrka M, Jasiul B: Evaluation of cyber security and modelling of risk propagation with Petri nets. Symmetry. 2017; 9(3): 1–13. Publisher Full Text
12. Feng N, Wang HJ, Li M: A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Inf. Sci. 2014; 256: 57–73. 00200255. Publisher Full Text
13. White S: Introduction to BPMN. BPTrends. 2004; 15: pp. 1–2. 09636897. Publisher Full Text
14. Davenport TH: Process Innovation: Reengineering Work through Information Technology. 1993. Publisher Full Text
15. Hammer M, Champy J: Reengineering the Corporation: A Manifesto for Business Revolution. Harper Business; 1993.
16. Chan PS, Peel D: Causes and Impact of Reengineering. Bus. Process. Manag. J. 1998; 4(1): 44–55. Publisher Full Text
17. Jakoubi S, Tjoa S, Goluch S, et al.: Risk-Aware Business Process Management-Establishing the Link Between Business and Security. In Fatos X, Leonard B, Papajorgji PJ , editors. Complex Intelligent Systems and Their Applications , volume 41 of Springer Optimization and Its Applications, Springer. 2010; pp. 109–135. Publisher Full Text
18. Knorr K, Röhrig S: Security Requirements of E-Business Processes. I3E’01 Proceeding of The IFIP Conference on Towards The E-Society: E-Commerce, E-Business, E-Government, ACM Digital Library. 2001; pp. 73–86.
19. Argyropoulos N, Alcañiz L, Mouratidis H, et al.: Eliciting Security Requirements for Business Processes of Legacy Systems.Ralyté, Jolita SE, Pastor Ó, editors. 8th Practice of Enterprise Modelling (P0EM). Valencia: Springer; 2015; pp. 91–107. Publisher Full Text
20. Taubenberger S, Jürjens J, Yijun Y, et al.: Resolving vulnerability identification errors using security requirements on business process models. Inf. Manag. Comput. Secur. 2013; 21(3): 202–223. Publisher Full Text
21. Ahmed N, Matulevičius R: Securing Business Process using Security Risk-Oriented Patterns. Computer Standards and Interfaces. 2014; 36: 723–733. Publisher Full Text
22. Varela-Vaca AJ, Warschofsky R, Gasca RM, et al.: A Security Pattern-Driven Approach Toward the Automation of Risk Treatment in Business Processes. Advances in Intelligent Systems and Computing. 2013; 189 AISC; pp. 13–23. Publisher Full Text
23. Varela-Vaca ÁJ, Parody L, Gasca RM, et al.: Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models. IEEE Access. 2019; 7: 26448–26465. Publisher Full Text
24. Chergui MEA, Benslimane SM: A valid bpmn extension for supporting security requirements based on cyber security ontology. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 11163 LNCS:219–232. 2018. Publisher Full Text
25. Shostack A: Threat Modeling: Designing for Security. Indiana: John Wiley & Sons, Inc; 2014.
26. Chernis B, Verma R: Machine Learning Methods for Software Vulnerability Detection. In Jennifer B Sartor, Theo D’Hondt, and Wolfgang De Meuter, editors. IIWSPA’18: 4th ACM International Workshop on Security And Privacy Analytics, Tempe, ACM. 2018; pp. 31–39. Publisher Full Text
27. Harer JA, Kim LY, Russell RL, et al.: Automated Software Vulnerability Detection with Machine Learning.2018.
28. Man H, An J, Huang W, et al.: JSEFuzz: Vulnerability Detection Method for Java Web Application. 3rd International Conference on System Reliability and Safety, ICSRS 2018, Spain, IEEE. 2018; pp. 92–96. Publisher Full Text
29. Russell R, Kim L, Hamilton L, et al.: Automated Vulnerability Detection in Source Code Using Deep Representation Learning. 17th IEEE International Conference on Machine Learning and Applications, ICMLA, Orlando, IEEE. 2018; pp. 757–762. Publisher Full Text
30. Silva MM, de Gusmão APH , Poleto T, et al.: A multidimensional approach to information security risk management using FMEA and fuzzy theory. Int. J. Inf. Manag. 2014; 34(6): 733–740. Publisher Full Text
31. Wartschinski L, Noller Y, Vogel T, et al.: VUDENC: Vulnerability Detection with Deep Learning on a Natural Codebase for Python. Inf. Softw. Technol. 2022; 144(January 2021): 106809. Publisher Full Text
32. Anbiya DR, Purwarianti A, Asnar Y: Vulnerability Detection in PHP Web Application Using Lexical Analysis Approach with Machine Learning. 5th International Conference on Data and Software Engineering (ICoDSE). 2018; pp. 1–6. Publisher Full Text
33. Hariyanti E, Djunaidy A, Siahaan D: Information security vulnerability prediction based on business process model using machine learning approach. Comput. Secur. Nov 2021; 110: 102422. Publisher Full Text
34. Shin J, Son H, Khalil-ur R, et al.: Development of a cyber security risk model using Bayesian networks. Reliab. Eng. Syst. Saf. 2015; 134: 208–217. Publisher Full Text
35. De Gusmão APH, Silva LCE, Silva MM, et al.: Information security risk analysis model using fuzzy decision theory. Int. J. Inf. Manag. 2016; 36(1): 25–34. Publisher Full Text
36. Stergiopoulos G, Kotzanikolaou P, Theocharidou M, et al.: Risk mitigation strategies for critical infrastructures based on graph centrality analysis. Int. J. Crit. Infrastruct. Prot. 2015; 10: 34–44. Publisher Full Text
37. Hangal S, MacLean D, Lam MS, et al.: All friends are not equal: Using weights in social graphs to improve search. The 4th SNA-KDD Workshop’10. Vol. 10. 2010; pp. 1–7.
38. Mitre: CWE - Common Weakness Scoring System (CWSS).2014. Reference Source
39. NIST: NVD - Categories, 2009.Reference Source
40. Magento: Magento Community Edition User Guide - Version 2.3.2019.
41. NIST: NVD - Search and Statistics.2021. Reference Source
42. Johnson P, Lagerstrom R, Ekstedt M, et al.: Can the common vulnerability scoring system be trusted? A Bayesian analysis. IEEE Transactions on Dependable and Secure Computing. 2018; 15(6): 1002–1015. Publisher Full Text
43. Magento: Magento Community Edition User Guide - Version 2.1.2016. Reference Source
44. Magento: Magento Community Edition User Guide - Version 2.2.2017. Reference Source
45. Hariyanti E, Djunaidy A, Siahaan D: Dataset: Adaptive Modelling for Security Vulnerability Propagation. Mendeley Data. 2023; 1. Publisher Full Text
46. FIRST: Common Vulnerability Scoring System v3. 0: Specification Document.2015.
47. Webber J, Van Bruggen R: Graph Databases. New Jersey: John Wiley & Sons, Inc.; 2020.
48. Wirawan PW, Riyanto DE, Nugraheni DMK, et al.: Graph Database Schema for Multimodal Transportation in Semarang. J. Inf. Syst. Eng. Bus. Intell. 2019; 5(2): 163. Publisher Full Text
49. BSI: BSI-Standard 100-2 Grundschutz Methodology.2008.
50. Rezvani M, Sekulic V, Ignjatovic A, et al.: Interdependent Security Risk Analysis of Hosts and Flows. IEEE Trans. Inf. Forensics Secur. 2015; 10(11): 2325–2339. Publisher Full Text
51. Shcherbakov MV, Brebels A, Shcherbakova NL, et al.: A survey of forecast error measures. World Appl. Sci. J. 2013; 24(24): 171–176. Publisher Full Text
52. Hariyanti E, Djunaidy A, Siahaan D: Dataset: Adaptive Modelling for Security Vulnerability Propagation. [Dataset]. Mendeley Data. 2023; V1. Publisher Full Text

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 03 May 2023

Author details Author details

¹ Department of Information Systems, Institut Teknologi Sepuluh Nopember, Surabaya, East Java, 60111, Indonesia
² Department of Information Systems, Universitas Airlangga, Surabaya, East Java, 60115, Indonesia
³ Department of Informatics, Institut Teknologi Sepuluh Nopember, Surabaya, East Java, 60111, Indonesia

Arif Djunaidy
Roles: Conceptualization, Funding Acquisition, Methodology, Project Administration, Supervision, Validation, Writing – Original Draft Preparation, Writing – Review & Editing

Eva Hariyanti
Roles: Conceptualization, Data Curation, Formal Analysis, Investigation, Methodology, Resources, Software, Validation, Writing – Original Draft Preparation, Writing – Review & Editing

Daniel Siahaan
Roles: Methodology, Supervision, Validation, Writing – Review & Editing

Competing interests

No competing interests were disclosed.

Grant information

The author(s) declared that no grants were involved in supporting this work.

Article Versions (1)

version 1

Published: 03 May 2023, 12:462

https://doi.org/10.12688/f1000research.132780.1

Copyright

© 2023 Djunaidy A et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

Download

Export To

metrics

	Views	Downloads
F1000Research	-	-
PubMed Central Data from PMC are received and updated monthly.	-	-

Citations

0

SEE MORE DETAILS

CITE

how to cite this article

Djunaidy A, Hariyanti E and Siahaan D. Adaptive modeling for security vulnerability propagation to predict the impact of business process redesign [version 1; peer review: 1 not approved]. F1000Research 2023, 12:462 (https://doi.org/10.12688/f1000research.132780.1)

NOTE: If applicable, it is important to ensure the information in square brackets after the title is included in all citations of this article.

track

receive updates on this article

Track an article to receive email alerts on any updates to this article.

Open Peer Review

Version 1

VERSION 1

PUBLISHED 03 May 2023

Views

8

Reviewer Report 19 Aug 2025

SA Mohaiminul Islam, MSIT, Washington University of Science & Technology (WUST),, Alexandria,, Virginia, USA

Ankur Sarkar, MSIT, Washington University of Science & Technology, Alexandria, Virginia, USA

Mohammed Majid Bakhsh, MSIT, Washington University of Science and Technology, Alexandria, Virginia, USA

Not Approved

https://doi.org/10.5256/f1000research.145729.r402477

Summary of the Article
The paper proposes a Node Strength-based Vulnerability Modeling (NSVM) approach to predict how business process reengineering (BPR) changes propagate vulnerabilities from business processes to IT service layers. The method represents processes and modules as a ... Continue reading

Summary of the Article
The paper proposes a Node Strength-based Vulnerability Modeling (NSVM) approach to predict how business process reengineering (BPR) changes propagate vulnerabilities from business processes to IT service layers. The method represents processes and modules as a directed weighted graph, drawing on social network “strength of ties” analogies. Edge weights are calculated based on common CWE vulnerabilities, and node strength combines adjacency scores (AS) with initial scores (IS) using either summation or maximum aggregation.
A case study on Magento e-commerce platform (versions 2.1, 2.2, 2.3) is presented. Data include 551 CVEs (2017–2021) across 17 platforms, with 205 mapped to Magento. Evaluation shows the best performance when AS and IS are combined using the maximum rule, yielding MAE = 0.60, RMSE = 1.44, MSE = 1.16. The authors argue NSVM improves prediction compared to prior approaches such as Bayesian models or Petri nets by bridging both business process and IT service layers.
The article contributes a fresh perspective on vertical (process→IT) and horizontal (intra-layer) vulnerability propagation and emphasizes that traditional infrastructure-only models often miss this linkage.
Evaluation Against Review Form Questions
1. Is the rationale for developing the new method clearly explained?
Answer: Partly
The authors explain that existing models inadequately capture the propagation of vulnerabilities across layers (process → IT service). This is a valid and important gap. However, the practical rationale remains underdeveloped:

What specific failures of existing methods (e.g., Bayesian, Petri nets) does NSVM correct?
How would an organization use NSVM in practice? For example, would it be applied during software design reviews, risk assessments, or patch prioritization?

Recommendation to authors: Strengthen the introduction by clearly identifying limitations of existing approaches and give a practical scenario where NSVM offers unique value.
2. Is the description of the method technically sound?
Answer: Partly
The general modeling approach is reasonable, but there are concerns:

Edge weights: Defined solely by CWE overlap counts, without considering severity or exploitability. This risks over-emphasizing many trivial overlaps versus one critical overlap.
Normalization: Node strength can exceed 1, undermining probabilistic interpretation. Authors must clarify whether these are meant as influence scores rather than probabilities.
Cypher queries: The provided code snippets are not valid Neo4j syntax (dynamic relationship types, conditional SET). As presented, they would not execute.

Recommendation to authors:

Revise formulas to include CWE severity weighting or at least discuss limitations.
Clarify the semantics of node strength (probability vs influence).
Provide corrected, runnable Cypher scripts in an appendix or supplementary file.

3. Are sufficient details provided to allow replication of the method?
Answer: Partly
The paper references a dataset on Mendeley and shares some Cypher queries, which is positive. However:

The process of mapping CWEs to BPMN tasks is not described. Was this expert judgment, automated mapping, or derived from a repository?
The process of mapping CVEs to Magento modules is opaque. NVD CVEs are typically product-wide; attributing them to modules requires careful justification.
Without these steps, another researcher cannot reproduce the results.

Recommendation to authors:

Provide a detailed description (or supplementary dataset) showing how tasks were mapped to CWE lists.
Document the procedure for assigning CVEs to specific modules, ideally with examples.
Supply runnable scripts (Neo4j queries, preprocessing pipeline) as supplementary material.

4. If results are presented, are all source data available to ensure reproducibility?
Answer: Partly
Some data are available: CVEs and CWEs are public, and a Mendeley dataset is linked. However, the critical intermediate mapping (task→CWE, CVE→module) is missing. Without these, results cannot be verified or reproduced.
Recommendation to authors: Release the mapping datasets (or at least examples with annotation criteria) alongside the paper.
5. Are the conclusions adequately supported by the findings?
Answer: Partly
The conclusion—that NSVM works best with maximum aggregation of AS and IS—is supported by their reported metrics on Magento. However:

The evaluation is limited to a single ecosystem (Magento). Generalizability to other domains is untested.
The mapping of CVEs to modules is insufficiently transparent, raising concerns about internal validity.
No comparison to severity-weighted baselines or external models is presented.

Recommendation to authors:

Acknowledge that the conclusions are tentative and domain-specific.
Validate NSVM on at least one other system or cross-validate across Magento subsystems.
Provide comparisons with more realistic baselines (e.g., severity-weighted propagation).

Constructive Criticisms & Required Revisions
Must be addressed for scientific soundness:

Clarify task→CWE and CVE→module mapping protocols. Without this, reproducibility and validity are compromised.
Correct Cypher queries and provide runnable code/scripts. Current syntax is invalid.
Address normalization of node strength (probability vs influence) and explain why totals >1 are acceptable.
Justify CWE overlap as propagation strength—ideally introduce severity weighting or show why raw counts suffice.

Should be addressed (improve clarity & impact):

Expand on the rationale with specific real-world application scenarios.
Provide a worked micro-example of 3–4 nodes to illustrate the full pipeline.
Standardize terminology and fix language issues (typos, mixed English/Indonesian terms).
Move comparative Table 8 earlier in the paper to frame novelty.
Discuss limitations explicitly (single domain, CWE mapping assumptions).

Overall Recommendation
The paper addresses an important gap and introduces a novel perspective on vulnerability propagation across business and IT service layers. However, the current version lacks methodological clarity and reproducibility, particularly around mapping procedures and code execution. I recommend Major Revisions before the paper can be considered scientifically sound.

Is the rationale for developing the new method (or application) clearly explained?

Partly
Is the description of the method technically sound?

Partly
Are sufficient details provided to allow replication of the method development and its use by others?

Partly
If any results are presented, are all the source data underlying the results available to ensure full reproducibility?

Partly
Are the conclusions about the method and its performance adequately supported by the findings presented in the article?

Partly

References

1. Meyer H, Sancho J, Mrdakovic M, Miao W, et al.: Optical packet switching in HPC. An analysis of applications performance. Future Generation Computer Systems. 2018; 82: 606-616 Publisher Full Text
2. Mechs S, Lamparter S, Peschke J, Müller J: Efficient Identification of Energy-Optimal Switching and Operating Sequences for Modular Factory Automation Systems. 7906: 202-211 Publisher Full Text
3. Stergiopoulos G, Kotzanikolaou P, Theocharidou M, Gritzalis D: Risk mitigation strategies for critical infrastructures based on graph centrality analysis. International Journal of Critical Infrastructure Protection. 2015; 10: 34-44 Publisher Full Text
4. Szpyrka M, Jasiul B: Evaluation of Cyber Security and Modelling of Risk Propagation with Petri Nets. Symmetry. 2017; 9 (3). Publisher Full Text
5. Shin J, Son H, Khalil ur R, Heo G: Development of a cyber security risk model using Bayesian networks. Reliability Engineering & System Safety. 2015; 134: 208-217 Publisher Full Text
6. Tapiador J, Orfila A, Ribagorda A, Ramos B: Key-Recovery Attacks on KIDS, a Keyed Anomaly Detection System. IEEE Transactions on Dependable and Secure Computing. 2015; 12 (3): 312-325 Publisher Full Text
7. Poolsappasit N, Dewri R, Ray I: Dynamic Security Risk Management Using Bayesian Attack Graphs. IEEE Transactions on Dependable and Secure Computing. 2012; 9 (1): 61-74 Publisher Full Text
8. Avizienis A, Laprie J, Randell B, Landwehr C: Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing. 2004; 1 (1): 11-33 Publisher Full Text
9. Telpner R, Ben-Abraham R, Klein Y, Nakache R, et al.: Intrasplenic Preconditioning: A Model for the Study of Xenostimuli Accommodation. Journal of Surgical Research. 2011; 168 (1): 135-142 Publisher Full Text
10. Joint Task Force Transformation Initiative: Guide for conducting risk assessments. 2012. Publisher Full Text

Competing Interests: No competing interests were disclosed.

Reviewer Expertise: Software Quality Assurance, Test Automation (Java, Selenium, TestNG, Cucumber), Agile Methodologies, Cybersecurity in Business Processes, Vulnerability Analysis and Risk Modeling, Artificial Intelligence in Software Testing, Predictive Analytics, Blockchain Applications in IT Security, Machine Learning for Quality Assurance, API Testing (REST, SOAP), Database Testing (SQL, Oracle), Business Process Modeling and Automation

We confirm that we have read this submission and believe that we have an appropriate level of expertise to state that we do not consider it to be of an acceptable scientific standard, for reasons outlined above.

CITE

Report a concern

Respond or Comment

Comments on this article Comments (0)

Version 1

VERSION 1 PUBLISHED 03 May 2023

Open Peer Review

Reviewer Status

Reviewer Reports

	Invited Reviewers
	1
Version 1 03 May 23	read

SA Mohaiminul Islam, Washington University of Science & Technology (WUST),, Alexandria,, USA

Ankur Sarkar, Washington University of Science & Technology, Alexandria, USA

Mohammed Majid Bakhsh, Washington University of Science and Technology, Alexandria, USA

Comments on this article

All Comments(0)

Add a comment

Sign up for content alerts

Browse by related subjects

Back to all reports

Reviewer Report

8 Views

19 Aug 2025 | for Version 1

SA Mohaiminul Islam, MSIT, Washington University of Science & Technology (WUST),, Alexandria,, Virginia, USA

Ankur Sarkar, MSIT, Washington University of Science & Technology, Alexandria, Virginia, USA

Mohammed Majid Bakhsh, MSIT, Washington University of Science and Technology, Alexandria, Virginia, USA

8 Views Cite this report Responses(0)

Not Approved

Summary of the Article
The paper proposes a Node Strength-based Vulnerability Modeling (NSVM) approach to predict how business process reengineering (BPR) changes propagate vulnerabilities from business processes to IT service layers. The method represents processes and modules as a directed weighted graph, drawing on social network “strength of ties” analogies. Edge weights are calculated based on common CWE vulnerabilities, and node strength combines adjacency scores (AS) with initial scores (IS) using either summation or maximum aggregation.
A case study on Magento e-commerce platform (versions 2.1, 2.2, 2.3) is presented. Data include 551 CVEs (2017–2021) across 17 platforms, with 205 mapped to Magento. Evaluation shows the best performance when AS and IS are combined using the maximum rule, yielding MAE = 0.60, RMSE = 1.44, MSE = 1.16. The authors argue NSVM improves prediction compared to prior approaches such as Bayesian models or Petri nets by bridging both business process and IT service layers.
The article contributes a fresh perspective on vertical (process→IT) and horizontal (intra-layer) vulnerability propagation and emphasizes that traditional infrastructure-only models often miss this linkage.
Evaluation Against Review Form Questions
1. Is the rationale for developing the new method clearly explained?
Answer: Partly
The authors explain that existing models inadequately capture the propagation of vulnerabilities across layers (process → IT service). This is a valid and important gap. However, the practical rationale remains underdeveloped:

What specific failures of existing methods (e.g., Bayesian, Petri nets) does NSVM correct?
How would an organization use NSVM in practice? For example, would it be applied during software design reviews, risk assessments, or patch prioritization?

Recommendation to authors: Strengthen the introduction by clearly identifying limitations of existing approaches and give a practical scenario where NSVM offers unique value.
2. Is the description of the method technically sound?
Answer: Partly
The general modeling approach is reasonable, but there are concerns:

Edge weights: Defined solely by CWE overlap counts, without considering severity or exploitability. This risks over-emphasizing many trivial overlaps versus one critical overlap.
Normalization: Node strength can exceed 1, undermining probabilistic interpretation. Authors must clarify whether these are meant as influence scores rather than probabilities.
Cypher queries: The provided code snippets are not valid Neo4j syntax (dynamic relationship types, conditional SET). As presented, they would not execute.

Recommendation to authors:

Revise formulas to include CWE severity weighting or at least discuss limitations.
Clarify the semantics of node strength (probability vs influence).
Provide corrected, runnable Cypher scripts in an appendix or supplementary file.

3. Are sufficient details provided to allow replication of the method?
Answer: Partly
The paper references a dataset on Mendeley and shares some Cypher queries, which is positive. However:

The process of mapping CWEs to BPMN tasks is not described. Was this expert judgment, automated mapping, or derived from a repository?
The process of mapping CVEs to Magento modules is opaque. NVD CVEs are typically product-wide; attributing them to modules requires careful justification.
Without these steps, another researcher cannot reproduce the results.

Recommendation to authors:

Provide a detailed description (or supplementary dataset) showing how tasks were mapped to CWE lists.
Document the procedure for assigning CVEs to specific modules, ideally with examples.
Supply runnable scripts (Neo4j queries, preprocessing pipeline) as supplementary material.

4. If results are presented, are all source data available to ensure reproducibility?
Answer: Partly
Some data are available: CVEs and CWEs are public, and a Mendeley dataset is linked. However, the critical intermediate mapping (task→CWE, CVE→module) is missing. Without these, results cannot be verified or reproduced.
Recommendation to authors: Release the mapping datasets (or at least examples with annotation criteria) alongside the paper.
5. Are the conclusions adequately supported by the findings?
Answer: Partly
The conclusion—that NSVM works best with maximum aggregation of AS and IS—is supported by their reported metrics on Magento. However:

The evaluation is limited to a single ecosystem (Magento). Generalizability to other domains is untested.
The mapping of CVEs to modules is insufficiently transparent, raising concerns about internal validity.
No comparison to severity-weighted baselines or external models is presented.

Recommendation to authors:

Acknowledge that the conclusions are tentative and domain-specific.
Validate NSVM on at least one other system or cross-validate across Magento subsystems.
Provide comparisons with more realistic baselines (e.g., severity-weighted propagation).

Constructive Criticisms & Required Revisions
Must be addressed for scientific soundness:

Clarify task→CWE and CVE→module mapping protocols. Without this, reproducibility and validity are compromised.
Correct Cypher queries and provide runnable code/scripts. Current syntax is invalid.
Address normalization of node strength (probability vs influence) and explain why totals >1 are acceptable.
Justify CWE overlap as propagation strength—ideally introduce severity weighting or show why raw counts suffice.

Should be addressed (improve clarity & impact):

Expand on the rationale with specific real-world application scenarios.
Provide a worked micro-example of 3–4 nodes to illustrate the full pipeline.
Standardize terminology and fix language issues (typos, mixed English/Indonesian terms).
Move comparative Table 8 earlier in the paper to frame novelty.
Discuss limitations explicitly (single domain, CWE mapping assumptions).

Overall Recommendation
The paper addresses an important gap and introduces a novel perspective on vulnerability propagation across business and IT service layers. However, the current version lacks methodological clarity and reproducibility, particularly around mapping procedures and code execution. I recommend Major Revisions before the paper can be considered scientifically sound.

Is the rationale for developing the new method (or application) clearly explained?

Partly
Is the description of the method technically sound?

Partly
Are sufficient details provided to allow replication of the method development and its use by others?

Partly
If any results are presented, are all the source data underlying the results available to ensure full reproducibility?

Partly
Are the conclusions about the method and its performance adequately supported by the findings presented in the article?

Partly

References

1. Meyer H, Sancho J, Mrdakovic M, Miao W, et al.: Optical packet switching in HPC. An analysis of applications performance. Future Generation Computer Systems. 2018; 82: 606-616 Publisher Full Text
2. Mechs S, Lamparter S, Peschke J, Müller J: Efficient Identification of Energy-Optimal Switching and Operating Sequences for Modular Factory Automation Systems. 7906: 202-211 Publisher Full Text
3. Stergiopoulos G, Kotzanikolaou P, Theocharidou M, Gritzalis D: Risk mitigation strategies for critical infrastructures based on graph centrality analysis. International Journal of Critical Infrastructure Protection. 2015; 10: 34-44 Publisher Full Text
4. Szpyrka M, Jasiul B: Evaluation of Cyber Security and Modelling of Risk Propagation with Petri Nets. Symmetry. 2017; 9 (3). Publisher Full Text
5. Shin J, Son H, Khalil ur R, Heo G: Development of a cyber security risk model using Bayesian networks. Reliability Engineering & System Safety. 2015; 134: 208-217 Publisher Full Text
6. Tapiador J, Orfila A, Ribagorda A, Ramos B: Key-Recovery Attacks on KIDS, a Keyed Anomaly Detection System. IEEE Transactions on Dependable and Secure Computing. 2015; 12 (3): 312-325 Publisher Full Text
7. Poolsappasit N, Dewri R, Ray I: Dynamic Security Risk Management Using Bayesian Attack Graphs. IEEE Transactions on Dependable and Secure Computing. 2012; 9 (1): 61-74 Publisher Full Text
8. Avizienis A, Laprie J, Randell B, Landwehr C: Basic concepts and taxonomy of dependable and secure computing. IEEE Transactions on Dependable and Secure Computing. 2004; 1 (1): 11-33 Publisher Full Text
9. Telpner R, Ben-Abraham R, Klein Y, Nakache R, et al.: Intrasplenic Preconditioning: A Model for the Study of Xenostimuli Accommodation. Journal of Surgical Research. 2011; 168 (1): 135-142 Publisher Full Text
10. Joint Task Force Transformation Initiative: Guide for conducting risk assessments. 2012. Publisher Full Text

Competing Interests

No competing interests were disclosed.

Reviewer Expertise

Software Quality Assurance, Test Automation (Java, Selenium, TestNG, Cucumber), Agile Methodologies, Cybersecurity in Business Processes, Vulnerability Analysis and Risk Modeling, Artificial Intelligence in Software Testing, Predictive Analytics, Blockchain Applications in IT Security, Machine Learning for Quality Assurance, API Testing (REST, SOAP), Database Testing (SQL, Oracle), Business Process Modeling and Automation

We confirm that we have read this submission and believe that we have an appropriate level of expertise to state that we do not consider it to be of an acceptable scientific standard, for reasons outlined above.

Respond to this report

Responses (0)

[1] 1. Gross S, Stelzl K, Grisold T, et al.: The Business Process Design Space for exploring process redesign alternatives. Bus. Process. Manag. J. 2020; 27(8): 25–56. Publisher Full Text

[2] 2. Dumas M, La Rosa M, Hajo JM, et al.: Fundamentals of Business process management. Inf. Syst. 2018; 37(6): 517. Publisher Full Text

[3] 3. Grover V, Kettinger WJ: Business Process Change: Concepts, Methods and Technologies. Idea Group Publishing; 1998. Publisher Full Text

[4] 4. Brilingaitė A, Bukauskas L, Kutka E: Detection of Premeditated Security Vulnerabilities in Mobile Applications. European Conference on Cyber Warfare and Security. 2019; pp. 63–71.

[5] 5. Jang-Jaccard J, Nepal S: A survey of emerging threats in cybersecurity. J. Comput. Syst. Sci. 2014; 80(5): 973–993. Publisher Full Text

[6] 6. Hariyanti E, Djunaidy A, Siahaan DO: A Conceptual Model for Information Security Risk Considering Business Process Perspective. 4th International Conference on Science and Technology, ICST, Yogyakarta, IEEE. Vol. 1. 2018; pp. 1–6. Publisher Full Text

[7] 7. Minoli D: Enterprise Architecture A to Z. New York: CRC Press; 2008.

[8] 8. Kotzanikolaou P, Theoharidou M, Gritzalis D: Interdependencies between critical infrastructures: Analyzing the risk of cascading effects. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 6983 LNCS. 2013; pp. 104–115. Publisher Full Text

[9] 9. Yassine Naghmouchi M, Perrot N, Nizar Kheir A, et al.: A New Risk Assessment Framework Using Graph Theory for Complex ICT Systems. Proceedings of the 2016 International Workshop on Managing Insider Security Threats - MIST’16. 2016; pp. 97–100. Publisher Full Text

[10] 10. Nazareth DL, Choi J: A system dynamics model for information security management. Inf. Manag. 2015; 52(1): 123–134. Publisher Full Text

[11] 11. Szpyrka M, Jasiul B: Evaluation of cyber security and modelling of risk propagation with Petri nets. Symmetry. 2017; 9(3): 1–13. Publisher Full Text

[12] 12. Feng N, Wang HJ, Li M: A security risk analysis model for information systems: Causal relationships of risk factors and vulnerability propagation analysis. Inf. Sci. 2014; 256: 57–73. 00200255. Publisher Full Text

[13] 13. White S: Introduction to BPMN. BPTrends. 2004; 15: pp. 1–2. 09636897. Publisher Full Text

[14] 14. Davenport TH: Process Innovation: Reengineering Work through Information Technology. 1993. Publisher Full Text

[15] 15. Hammer M, Champy J: Reengineering the Corporation: A Manifesto for Business Revolution. Harper Business; 1993.

[16] 16. Chan PS, Peel D: Causes and Impact of Reengineering. Bus. Process. Manag. J. 1998; 4(1): 44–55. Publisher Full Text

[17] 17. Jakoubi S, Tjoa S, Goluch S, et al.: Risk-Aware Business Process Management-Establishing the Link Between Business and Security. In Fatos X, Leonard B, Papajorgji PJ , editors. Complex Intelligent Systems and Their Applications , volume 41 of Springer Optimization and Its Applications, Springer. 2010; pp. 109–135. Publisher Full Text

[18] 18. Knorr K, Röhrig S: Security Requirements of E-Business Processes. I3E’01 Proceeding of The IFIP Conference on Towards The E-Society: E-Commerce, E-Business, E-Government, ACM Digital Library. 2001; pp. 73–86.

[19] 19. Argyropoulos N, Alcañiz L, Mouratidis H, et al.: Eliciting Security Requirements for Business Processes of Legacy Systems.Ralyté, Jolita SE, Pastor Ó, editors. 8th Practice of Enterprise Modelling (P0EM). Valencia: Springer; 2015; pp. 91–107. Publisher Full Text

[20] 20. Taubenberger S, Jürjens J, Yijun Y, et al.: Resolving vulnerability identification errors using security requirements on business process models. Inf. Manag. Comput. Secur. 2013; 21(3): 202–223. Publisher Full Text

[21] 21. Ahmed N, Matulevičius R: Securing Business Process using Security Risk-Oriented Patterns. Computer Standards and Interfaces. 2014; 36: 723–733. Publisher Full Text

[22] 22. Varela-Vaca AJ, Warschofsky R, Gasca RM, et al.: A Security Pattern-Driven Approach Toward the Automation of Risk Treatment in Business Processes. Advances in Intelligent Systems and Computing. 2013; 189 AISC; pp. 13–23. Publisher Full Text

[23] 23. Varela-Vaca ÁJ, Parody L, Gasca RM, et al.: Automatic Verification and Diagnosis of Security Risk Assessments in Business Process Models. IEEE Access. 2019; 7: 26448–26465. Publisher Full Text

[24] 24. Chergui MEA, Benslimane SM: A valid bpmn extension for supporting security requirements based on cyber security ontology. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 11163 LNCS:219–232. 2018. Publisher Full Text

[25] 25. Shostack A: Threat Modeling: Designing for Security. Indiana: John Wiley & Sons, Inc; 2014.

[26] 26. Chernis B, Verma R: Machine Learning Methods for Software Vulnerability Detection. In Jennifer B Sartor, Theo D’Hondt, and Wolfgang De Meuter, editors. IIWSPA’18: 4th ACM International Workshop on Security And Privacy Analytics, Tempe, ACM. 2018; pp. 31–39. Publisher Full Text

[27] 27. Harer JA, Kim LY, Russell RL, et al.: Automated Software Vulnerability Detection with Machine Learning.2018.

[28] 28. Man H, An J, Huang W, et al.: JSEFuzz: Vulnerability Detection Method for Java Web Application. 3rd International Conference on System Reliability and Safety, ICSRS 2018, Spain, IEEE. 2018; pp. 92–96. Publisher Full Text

[29] 29. Russell R, Kim L, Hamilton L, et al.: Automated Vulnerability Detection in Source Code Using Deep Representation Learning. 17th IEEE International Conference on Machine Learning and Applications, ICMLA, Orlando, IEEE. 2018; pp. 757–762. Publisher Full Text

[30] 30. Silva MM, de Gusmão APH , Poleto T, et al.: A multidimensional approach to information security risk management using FMEA and fuzzy theory. Int. J. Inf. Manag. 2014; 34(6): 733–740. Publisher Full Text

[31] 31. Wartschinski L, Noller Y, Vogel T, et al.: VUDENC: Vulnerability Detection with Deep Learning on a Natural Codebase for Python. Inf. Softw. Technol. 2022; 144(January 2021): 106809. Publisher Full Text

[32] 32. Anbiya DR, Purwarianti A, Asnar Y: Vulnerability Detection in PHP Web Application Using Lexical Analysis Approach with Machine Learning. 5th International Conference on Data and Software Engineering (ICoDSE). 2018; pp. 1–6. Publisher Full Text

[33] 33. Hariyanti E, Djunaidy A, Siahaan D: Information security vulnerability prediction based on business process model using machine learning approach. Comput. Secur. Nov 2021; 110: 102422. Publisher Full Text

[34] 34. Shin J, Son H, Khalil-ur R, et al.: Development of a cyber security risk model using Bayesian networks. Reliab. Eng. Syst. Saf. 2015; 134: 208–217. Publisher Full Text

[35] 35. De Gusmão APH, Silva LCE, Silva MM, et al.: Information security risk analysis model using fuzzy decision theory. Int. J. Inf. Manag. 2016; 36(1): 25–34. Publisher Full Text

[36] 36. Stergiopoulos G, Kotzanikolaou P, Theocharidou M, et al.: Risk mitigation strategies for critical infrastructures based on graph centrality analysis. Int. J. Crit. Infrastruct. Prot. 2015; 10: 34–44. Publisher Full Text

[37] 37. Hangal S, MacLean D, Lam MS, et al.: All friends are not equal: Using weights in social graphs to improve search. The 4th SNA-KDD Workshop’10. Vol. 10. 2010; pp. 1–7.

[38] 38. Mitre: CWE - Common Weakness Scoring System (CWSS).2014. Reference Source

[39] 39. NIST: NVD - Categories, 2009.Reference Source

[40] 40. Magento: Magento Community Edition User Guide - Version 2.3.2019.

[41] 41. NIST: NVD - Search and Statistics.2021. Reference Source

[42] 42. Johnson P, Lagerstrom R, Ekstedt M, et al.: Can the common vulnerability scoring system be trusted? A Bayesian analysis. IEEE Transactions on Dependable and Secure Computing. 2018; 15(6): 1002–1015. Publisher Full Text

[43] 43. Magento: Magento Community Edition User Guide - Version 2.1.2016. Reference Source

[44] 44. Magento: Magento Community Edition User Guide - Version 2.2.2017. Reference Source

[45] 45. Hariyanti E, Djunaidy A, Siahaan D: Dataset: Adaptive Modelling for Security Vulnerability Propagation. Mendeley Data. 2023; 1. Publisher Full Text

[46] 46. FIRST: Common Vulnerability Scoring System v3. 0: Specification Document.2015.

[47] 47. Webber J, Van Bruggen R: Graph Databases. New Jersey: John Wiley & Sons, Inc.; 2020.

[48] 48. Wirawan PW, Riyanto DE, Nugraheni DMK, et al.: Graph Database Schema for Multimodal Transportation in Semarang. J. Inf. Syst. Eng. Bus. Intell. 2019; 5(2): 163. Publisher Full Text

[49] 49. BSI: BSI-Standard 100-2 Grundschutz Methodology.2008.

[50] 50. Rezvani M, Sekulic V, Ignjatovic A, et al.: Interdependent Security Risk Analysis of Hosts and Flows. IEEE Trans. Inf. Forensics Secur. 2015; 10(11): 2325–2339. Publisher Full Text

[51] 51. Shcherbakov MV, Brebels A, Shcherbakova NL, et al.: A survey of forecast error measures. World Appl. Sci. J. 2013; 24(24): 171–176. Publisher Full Text

[52] 52. Hariyanti E, Djunaidy A, Siahaan D: Dataset: Adaptive Modelling for Security Vulnerability Propagation. [Dataset]. Mendeley Data. 2023; V1. Publisher Full Text

Adaptive modeling for security vulnerability propagation to predict the impact of business process redesign

Abstract

Keywords

1. Introduction

2. Related works

2.1 Vulnerability identification and prediction

2.2 Vulnerability propagation models

2.3 Social network strength

(1)

(2)

3. Methods

3.1 Dataset

3.2 Representing the vulnerability propagation model

Query 1. Formation of a node.

Query 2. Formation of an edge.

3.3 Building the vulnerability propagation model

(3)

Query 3. Calculate Common CWE on an edge.

Figure 1. Example of a propagation model based on the MDownl module.

Table 1. Common CWEs between MDownl and its incoming node.

(4)

Query 4. Calculate weight or PS on an edge.

Query 5. Calculate PS on a node.

Figure 2. Example of a propagation model based on the MDownl module.

Table 2. PS ( MCheck ) calculation based on the outgoing edges’ PS scores.

3.4 Developing the model’s adaptive mechanisms

(5)

(6)

(7)

Figure 3. Example of a propagation model based on the MNewsl module.

Table 3. PS and vulnerability scores for incoming nodes on MNewsl .

Table 4. Vulnerability scores prediction for MNewsl module.

3.5 Evaluation through case studies

4. Results

4.1 Vulnerability propagation modeling results

Figure 4. The initial model for (a) account management in Magento 2.1, (b) communication channels management in Magento 2.1, (c) payment management in Magento 2.1, (d) inventory management in Magento 2.2, (e) shipping management in Magento 2.2, and (f) payment management in Magento 2.2.

Figure 5. The process model of consumer account management in Magento 2.1.

Figure 6. The process model of consumer account management in Magento 2.1.

Table 5. Task and module vulnerabilities related to the sign-in process in Magento 2.1.

Figure 7. Vulnerability propagation model regarding the sign-in process in Magento 2.1.

4.2 Adaptive mechanism modeling results

Figure 8. BPMN for managing customer accounts for (a) Magento 2.1 before BPR, (b) Magento 2.2 after BPR, and (c) new sub-processes associated with managing company accounts in Magento 2.2.

Table 6. Vulnerabilities for each task in the sub-process of creating a company account.

Figure 9. Vulnerability propagation model regarding the sub-process of creating a company account in Magento 2.2.

Figure 10. Vulnerability propagation model for creating a company account connected with the sign-in process in Magento 2.2.

Figure 11. To-be model for (a) account management in Magento 2.2, (b) communication channels management in Magento 2.2, (c) payment management in Magento 2.2, (d) inventory management in Magento 2.3, (e) shipping management in Magento 2.3, and (f) payment management in Magento 2.3.

Table 7. The evaluation results for the Adjacency Score (AS), average calculation principle (ACP), and maximum principle (MP) using the three approaches.

4.3 Discussion

Table 8. A comparison between the NSVM method and other methods.

5. Conclusions

Data availability

Underlying data

Software availability

Acknowledgements

References

Comments on this article Comments (0)

Open Peer Review

Comments on this article Comments (0)

Open Peer Review

Reviewer Status

Reviewer Reports

Comments on this article

Browse by related subjects

Competing Interests Policy

Stay Updated

Figure 1. Example of a propagation model based on the $M_{Downl}$ module.

Table 1. Common CWEs between $M_{Downl}$ and its incoming node.

Figure 2. Example of a propagation model based on the $M_{Downl}$ module.

Table 2. PS ( $M_{Check}$ ) calculation based on the outgoing edges’ PS scores.

Figure 3. Example of a propagation model based on the $M_{Newsl}$ module.

Table 3. PS and vulnerability scores for incoming nodes on $M_{Newsl}$ .

Table 4. Vulnerability scores prediction for $M_{Newsl}$ module.