Short Bio

Prof. Dr. Maria Leitner is professor of Computer Science at the research group Workflow Systems and Technology at Faculty of Computer Science, University of Vienna and scientist at AIT Austrian Institute of Technology, Center for Digital Safety & Security in Vienna, Austria. Her research is on the intersection of information systems, security and human-computer interaction. She was a visiting researcher at the Center for Cybersecurity and Digital Forensics at Arizona State University in May 2017.

Between 2010 and 2013, Dr. Leitner has worked at University of Vienna, Faculty of Computer Science, research group Workflow Systems and Technology as teaching and research assistant and completed her PhD with distinction in 2015. Her PhD thesis focused on security policy integration and life cycle management in process-aware information systems. In 2014, Dr. Leitner worked as a researcher at SBA research, a IT security research cluster in Vienna where she focused on the detection of anomalies in access control systems.

Research interests

Situational awareness, cyber ranges and cyber security exercises

As threats and potential attackers are evolving continuously, modern information systems have to adapt and provide services that keep track of and identify potential threats. This signifies not only being aware (of the current situation and) what potential threats might try to do but also to detect potential misbehavior in order to provide responsive measures. Situational awareness is essential in the civil domain including critical infrastructure providers as well as other organizations. Marias research interests are the provision of methods, tools and environments for efficient the establishment as well as for the interpretation and reaction. Furthermore, training and education in this context will become more important in order to develop adequate skills. Marias research activities aim to establish and create realistic environments and tools (e.g., cyber ranges) that support a diverse training/education for various target groups from beginners to professionals.

Selected publications:

  • [PDF] [DOI] M. Frank, M. Leitner, and T. Pahi, “Design considerations for cyber security testbeds: a case study on a cyber security testbed for education,” in 2017 ieee 3rd intl conf cyber science and technology congress, Orlando, Florida, 2017, p. 38–46.
    address = {Orlando, Florida},
    title = {Design Considerations for Cyber Security Testbeds: A Case Study on a Cyber Security Testbed for Education},
    publisher = {IEEE},
    doi = {10.1109/DASC-PICom-DataCom-CyberSciTec.2017.23},
    booktitle = {2017 IEEE 3rd Intl Conf Cyber Science and Technology Congress},
    author = {Frank, Maximilian and Leitner, Maria and Pahi, Timea},
    month = nov,
    year = {2017},
    abstract = {Educational testbeds have been developed for many years. Within the past ten years, the development of cloud-based storage architectures as well as the facilitation of memory and storage technology allowed for the building of small to medium-sized testbeds at low or medium cost. These developments provide the foundation for the development of educational testbeds that can be used for cyber security training and exercise of various target groups (e.g., students, IT professionals, engineers) in many domains (e.g., cyber security, IoT, Industry 4.0). Testbeds have been well established within the information security community (e.g., malware analysis, cyber security experimentation, etc.). However, these testbeds often require a certain level of maintenance or resources and were therefore not often used in non-expert communities. However, it is essential that testbeds gain a wider audience in order to enable many different groups cyber security skills and competencies. In this paper, we analyze how an educational testbed could be designed by (1) examining established testbeds in research and education and (2) analyzing how typical testbeds are designed. Based on this, we propose a design life cycle, i.e. a methodology to facilitate the development of cyber security testbeds. We demonstrate our findings in a case study. In the study, we designed and implemented a cyber security testbed for educational purposes using open source technology. The results and reviewed literature validate the design life cycle and show dependencies between the underlying technology of the testbed and the designed challenges. These findings contribute to the overall development of testbeds and can be used as basis for future work. We plan to further extend this testbed in order to develop an automated and flexible cyber security testbed. },
    pages = {38--46}
  • M. Leitner, T. Pahi, and F. Skopik, “Situational awareness for strategic decision making on a national level,” in Collaborative Cyber Threat Intelligence, F. Skopik, Ed., Crc press, 2017, p. 225–276.
    title = {Situational Awareness for Strategic Decision Making on a National Level},
    isbn = {978-1-138-03182-1},
    booktitle = {Collaborative {Cyber} {Threat} {Intelligence}},
    publisher = {CRC Press},
    author = {Leitner, Maria and Pahi, Timea and Skopik, Florian},
    editor = {Skopik, Florian},
    year = {2017},
    abstract = {With highly interconnected stakeholders, IT networks, and systems, international cooperation and coordination is becoming essential for the protection of global and local networks and services. Conventional strategies require a global view for the stabilization and protection of IT networks and systems. Much effort and solutions have been proposed to establish situational awareness (SA) within organizations (i.e. their local ICT networks). In general, SA is the perception of the element in the environment within a volume of time and space, the comprehension of their meaning, and the projection of their status in the near future. Enabling SA in cyber space, further called cyber situational awareness (CSA), is becoming a key factor for governments or public bodies. For example, CSA entails establishing preventive measures, monitoring evolving threats and campaigns in diverse and distributed IT landscapes as well as mitigating threats and sharing the information in certain trust circles to stay up-to-date. Nowadays, most critical infrastructures are operated by private organizations. The evaluation and impact analysis of critical incidents (i.e. that affect national economy or health) can be conducted such as with private-public partnerships. This chapter focuses on how (cyber) situational awareness can be established at national level to enable strategic decision making processes. In this context, national cyber security strategies are examined and it is investigated how they contribute and provide tools to foster SA. Furthermore, cyber security centers and their main tasks and responsibilities are investigated. In addition, SA models for decision making processes at individual, organizational or national level are assessed as well as how information and sources can be used to establish SA on national level.},
    url = {https://www.crcpress.com/Collaborative-Cyber-Threat-Intelligence-Detecting-and-Responding-to-Advanced/Skopik/p/book/9781138031821},
    pages = {225--276}
  • T. Pahi, M. Leitner, and F. Skopik, “Preparation, modelling, and visualisation of cyber common operating pictures for national cyber security centres,” Journal of information warfare, vol. 4, iss. 16, 2017.
    title = {Preparation, Modelling, and Visualisation of Cyber Common Operating Pictures for National Cyber Security Centres},
    volume = {4},
    url = {https://www.jinfowar.com/journal/volume-16-issue-4/preparation-modelling-visualisation-cyber-common-operating-pictures-national-cyber-security-centres},
    number = {16},
    abstract = {Common Operating Pictures (COPs) have long been a common denominator of effective cyber defence operations (for example, in law enforcement and the military). COPs are widely used to represent, visualise, and assess situations. In recent years, Cyber COPs (CCOPs) have become important in establishing cyber situational awareness. This paper describes the information types and sources required for an efficient information management process supporting CCOPs. Following an initial description of CCOPs, the paper next discusses potential decisions supported by them. Finally, it provides an example of the entire process—from the application of the information management process to national decision-making.},
    journal = {Journal of Information Warfare},
    author = {Pahi, Timea and Leitner, Maria and Skopik, Florian},
    month = dec,
    year = {2017}
  • [DOI] Cyber Situational Awareness in Public-Private-Partnerships: Organisationsübergreifende Cyber-Sicherheitsvorfälle effektiv bewältigen, F. Skopik, T. Páhi, and M. Leitner, Eds., Springer vieweg, 2018.
    title = {Cyber {Situational} {Awareness} in {Public}-{Private}-{Partnerships}: {Organisationsübergreifende} {Cyber}-{Sicherheitsvorfälle} effektiv bewältigen},
    isbn = {978-3-662-56083-9},
    shorttitle = {Cyber {Situational} {Awareness} in {Public}-{Private}-{Partnerships}},
    url = {https://www.springer.com/us/book/9783662560839},
    doi = {10.1007/978-3-658-21621-4},
    abstract = {Digitale Dienste werden für unsere Gesellschaft immer wichtiger, daher gelangen sie auch stärker ins Visier von Wirtschaftskriminellen, Spionen, Terroristen oder staatsfeindlichen Gruppierungen. Wie schützen sich Unternehmen und Staaten vor solchen Cyber-Attacken? Ein wichtiger Grundstein ist die Schaffung von Behörden, wie sie die EU-Richtlinie über Maßnahmen zur Gewährleistung eines hohen gemeinsamen Sicherheitsniveaus von Netz- und Informationssystemen (NIS) vorsieht. Das Buch zeigt, wie sich die Zusammenarbeit von Unternehmen mit diesen NIS-Behörden gestaltet mit dem gemeinsamen Ziel, Cyber-Sicherheit zu etablieren und zu gewährleisten. Darüber hinaus legen die Autoren dar, wie sich die NIS-Richtlinie und die im Mai 2018 in Kraft getretene EU-Datenschutz-Grundverordnung (DSGVO) auf Security-Prozesse in Unternehmen auswirken können. Das Buch verknüpft technische, organisatorische und rechtliche Aspekte der Zusammenarbeit und spiegelt damit die Komplexität des Themas wider. Zugleich liefert es zahlreiche Vorschläge zur Umsetzung der EU-Richtlinie. Im Mittelpunkt steht dabei das Konzept der „Cyber Situational Awareness“ – das bewusste Erfassen der aktuellen Lage – und damit ein Instrument, mit dem sich die Reaktionsfähigkeit bei Cyber-Angriffen wesentlich erhöhen lässt. Folgende Themen werden erläutert: • Aufbau und Nutzung von Cyber Situational Awareness • Erstellung von Cyber-Lagebildern auf nationaler Ebene • Informations- und Datenquellen für Cyber-Lagebilder• Informationsaustausch zwischen Cyber-Lagezentren und Stakeholdern • Informations- und Meldepflichten von Unternehmen• Planspiel zur Bildung und Evaluierung von Cyber Situational Awareness},
    language = {en},
    urldate = {2018-10-24},
    publisher = {Springer Vieweg},
    editor = {Skopik, Florian and Páhi, Tímea and Leitner, Maria},
    year = {2018}
  • [PDF] [DOI] S. Kucek and M. Leitner, “An empirical survey of functions and configurations of open-source capture the Flag (ctf) environments,” Journal of network and computer applications, vol. 151, p. 102470, 2020.
    title = {An Empirical Survey of Functions and Configurations of Open-Source Capture the {Flag} (CTF) Environments},
    volume = {151},
    issn = {1084-8045},
    url = {https://doi.org/10.1016/j.jnca.2019.102470},
    doi = {10.1016/j.jnca.2019.102470},
    abstract = {Capture the Flag (CTF) is a computer security competition that is generally used to give participants experience in securing (virtual) machines and responding to cyber attacks. CTF contests have been getting larger and are receiving many participants every year (e.g., DEFCON, NYU-CSAW). CTF competitions are typically hosted in virtual environments, specifically set up to fulfill the goals and scenarios of the CTF. This article investigates the underlying infrastructures and CTF environments, specifically open-source CTF environments. A systematic review is conducted to assess functionality and game configuration in CTF environments where the source code is available on the web (i.e., open-source software). In particular, from out of 28 CTF platforms, we found 12 open-source CTF environments. As four platforms were not installable for several reasons, we finally examined 8 open-source CTF environments (PicoCTF, FacebookCTF, HackTheArch, WrathCTF, Pedagogic-CTF, RootTheBox, CTFd and Mellivora) regarding their features and functions for hosting CTFs (e.g., scoring, statistics or supported challenge types) and providing game configurations (e.g., multiple flags, points, hint penalities). Surprisingly, while many platforms provide similar base functionality, game configurations between the platforms varied strongly. For example, hint penalty, time frames for solving challenges, limited number of attempts or dependencies between challenges are game options that might be relevant for potential CTF organizers and for choosing a technology. This article contributes to the general understanding of CTF software configurations and technology design and implementation. Potential CTF organizers and participants may use this as a reference for challenge configurations and technology utilization. Based on our analysis, we would like to further review commercial and other platforms in order to establish a golden standard for CTF environments and further contribute to a better understanding of CTF design and development.},
    journal = {Journal of Network and Computer Applications},
    author = {Kucek, Stela and Leitner, Maria},
    month = feb,
    year = {2020},
    pages = {102470}
  • [PDF] [DOI] M. Leitner, M. Frank, W. Hotwagner, G. Langner, O. Maurhart, T. Pahi, L. Reuter, F. Skopik, P. Smith, and M. Warum, “Ait cyber range: flexible cyber security environment for exercises, training and research,” in Proceedings of the European Interdisciplinary Cybersecurity Conference, New York, NY, USA, 2020, p. 1–6.
    address = {New York, NY, USA},
    series = {{EICC} 2020},
    title = {AIT Cyber Range: Flexible Cyber Security Environment for Exercises, Training and Research},
    isbn = {978-1-4503-7599-3},
    shorttitle = {AIT Cyber Range},
    url = {https://doi.org/10.1145/3424954.3424959},
    doi = {10.1145/3424954.3424959},
    abstract = {With the evolution of threats and attacks and the speed of automation, new modern training and learning environments are needed to support the challenges of digital organizations and societies. In recent years, cyber ranges, i.e., virtual environments that support the simulation of diverse infrastructures, have emerged and are often utilized for cyber security exercises or training. With these environments, organizations or individuals can increase their preparedness and dexterity, for example, by training to identify and mitigate incidents and attacks. In this paper, we present the AIT Cyber Range which was designed based on several principles such as scalability, flexibility and the utilization of Open Source technologies. This paper outlines the building blocks of the architecture and implementation: computing platform, infrastructure provisioning, software provisioning and scenario engine. Furthermore, the implementation is demonstrated by three use cases: cyber exercises, training as well as security research and development. For future work, we aim to further extend the building blocks and to address federation and interoperability with other cyber ranges.},
    urldate = {2021-01-21},
    booktitle = {Proceedings of the {European} {Interdisciplinary} {Cybersecurity} {Conference}},
    publisher = {Association for Computing Machinery},
    author = {Leitner, Maria and Frank, Maximilian and Hotwagner, Wolfgang and Langner, Gregor and Maurhart, Oliver and Pahi, Timea and Reuter, Lenhard and Skopik, Florian and Smith, Paul and Warum, Manuel},
    month = nov,
    year = {2020},
    keywords = {cyber exercises, cyber range, information security, testbed, training},
    pdf = {https://dl.acm.org/doi/pdf/10.1145/3424954.3424959},
    pages = {1--6}

Identity and access management

Ensuring individuals access to resources at the right moment for the adequate purpose is a critical challenge in distributed, heterogeneous and inter-connected environments. As various digital services (such as state-based or third-party) as well as electronic identities (serving different purposes and therefore entail different levels of quality) exist and are emerging, the adequate utilization and application is challenging. Dr. Leitners research centers on methods and tools for the cost-efficient and effective application and use of electronic identities while maintaining a certain level of privacy and security in various domains (e.g., e-government, e-commerce, e-participation). Furthermore, she is also working in the area of adequate application and operation of access control systems in order to prevent threats and detect anomalies.

Selected publications:

  • [DOI] M. Leitner and S. Rinderle-Ma, “Anomaly detection and visualization in rbac models,” in Proceedings of the 19th acm symposium on access control models and technologies (sacmat), New York, NY, USA, 2014, pp. 41-52.
    author = {Leitner, Maria and Rinderle-Ma, Stefanie},
    title = {Anomaly Detection and Visualization in RBAC Models},
    booktitle = {Proceedings of the 19th ACM Symposium on Access Control Models and Technologies (SACMAT)},
    address = {New York, NY, USA},
    series = {{SACMAT} '14},
    year = {2014},
    abstract = {With the wide use of Role-based Access Control (RBAC), the need for monitoring, evaluation, and verification of RBAC implementations (e.g., to evaluate ex post which users acting in which roles were authorized to execute permissions) is evident. In this paper, we aim at detecting and identifying anomalies that originate from insiders such as the infringement of rights or irregular activities. To do that, we compare prescriptive (original) RBAC models (i.e. how the RBAC model is expected to work) with generative (current-state) RBAC models (i.e. the actual accesses represented by an RBAC model obtained with mining techniques). For this we present different similarity measures for RBAC models and their entities. We also provide techniques for visualizing anomalies within RBAC models based on difference graphs. This can be used for the alignment of RBAC models such as for policy updates or reconciliation. The effectiveness of the approach is evaluated based on a prototypical implementation and an experiment.},
    pages = {41-52},
    isbn = {978-1-4503-2939-2},
    url = {http://doi.acm.org/10.1145/2613087.2613105},
    doi = {10.1145/2613087.2613105},
    publisher = {{ACM}}
  • [PDF] [DOI] M. Leitner, A. Bonitz, B. Herzog, W. Hötzendorfer, C. Kenngott, T. Kuhta, O. Terbu, S. Vogl, and S. Zehetbauer, “A versatile, secure and privacy-aware tool for online participation,” in 20th IEEE international enterprise distributed object computing workshop, EDOC workshops 2016, vienna, austria, september 5-9, 2016, Vienna, Austria, 2016.
    address = {Vienna, Austria},
    title = {A versatile, secure and privacy-aware tool for online participation},
    booktitle = {20th {IEEE} International Enterprise Distributed Object Computing Workshop, {EDOC} Workshops 2016, Vienna, Austria, September 5-9, 2016},
    publisher = {IEEE},
    author = {Leitner, Maria and Bonitz, Arndt and Herzog, Bernd and H{\"{o}}tzendorfer, Walter and Kenngott, Christian and Kuhta, Thomas and Terbu, Oliver and Vogl, Stefan and Zehetbauer, Sebastian},
    year = {2016},
    abstract = {Online participations have increased in recent years and various tools emerged to support participatory processes. However, often they support only one level of participation such as information, consultation or co-operation and definite security and privacy considerations seem to be not a priority. What is missing so far is a secure and flexible tool that can be used for multiple purposes and integrates security and privacy considerations from the beginning. In this paper, we propose a tool for online participation that supports multiple levels of participation, provides authentication with different electronic identities (eIDs), incorporates security and privacy by design and ensures interoperability to existing identity solutions. For example, with the use of different eIDs (if adequate to the level of participation), we expect to enable a low threshold for participation. Based on the aforementioned requirements, we expect to increase the trust between operators and participants in online participations in the long run.},
    doi = {10.1109/EDOCW.2016.7584342},
    url = {http://dx.doi.org/10.1109/EDOCW.2016.7584342}
  • [PDF] [DOI] C. Schuppler, M. Leitner, and S. Rinderle-Ma, “Privacy-aware data assessment of online social network registration processes,” in Proceedings of the eighth acm conference on data and application security and privacy, New York, NY, USA, 2018, p. 167–169.
    address = {New York, NY, USA},
    series = {{CODASPY} '18},
    title = {Privacy-aware Data Assessment of Online Social Network Registration Processes},
    isbn = {978-1-4503-5632-9},
    url = {http://doi.acm.org/10.1145/3176258.3176950},
    doi = {10.1145/3176258.3176950},
    booktitle = {Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy},
    publisher = {ACM},
    author = {Schuppler, Christine and Leitner, Maria and Rinderle-Ma, Stefanie},
    year = {2018},
    abstract = {Privacy and security research has been very active concerning online social networks (OSN) as a vast amount of personal information is used and published (by users) within OSNs. However, most people do not pay attention on what personal information they provide during registration. Depending on what information is provided in (public) OSN profiles, that data might be misused by attackers e.g., for cross-site profile cloning. This paper assesses data provided by the user during the registration of OSNs. Therefore, it is investigated how OSN registration processes are typically modeled, which information is needed to create a profile in OSNs and which attack scenarios can occur based on the provided data. The results contribute to the understanding of OSN registration process design as well as requested data and to replicate and reuse processes for further privacy and security investigations.},
    note ={Poster},
    pages = {167--169}
  • [DOI] M. Leitner, A. Bonitz, W. Hötzendorfer, O. Terbu, S. Vogl, and S. Zehetbauer, “Design und Entwicklung eines E-Partizipationsökosystems,” in Digitale Bürgerbeteiligung: Forschung und Praxis – Chancen und Herausforderungen der elektronischen Partizipation, M. Leitner, Ed., Wiesbaden: Springer fachmedien wiesbaden, 2018, p. 163–187.
    address = {Wiesbaden},
    title = {Design und {Entwicklung} eines {E}-{Partizipationsökosystems}},
    isbn = {978-3-658-21621-4},
    url = {https://doi.org/10.1007/978-3-658-21621-4_7},
    abstract = {Um elektronische Beteiligung generell zu ermöglichen, werden sozio-technische Informationssysteme, unabhängig von deren Ausprägung und Reichweite, entworfen und entwickelt. Die Auswahl und Gestaltung der Systeme kann maßgeblich am Erfolg oder Misserfolg von Bürgerbeteiligungen sein. Daher ist es von Beginn an wichtig, die Anforderungen und Funktionalitäten, die ein System unterstützen soll, zu kennen. Das System bildet die Basis für elektronische Beteiligung und ist Teil eines E-Partizipationsökosystems. Das Ökosystem umfasst auch die Gemeinschaft (z. B. StakeholderInnen, BürgerInnen, Wirtschaftstreibende etc.) und weitere Bedingungen (z. B. Gesetzesvorgaben etc.), die auch von der elektronischen Beteiligung direkt oder indirekt betroffen sind. Um dies vollständig zu erfassen, werden in diesem Kapitel das Design und die Entwicklung des Ökosystems analysiert, insbesondere unter dem Aspekt der Wahrung der Sicherheit und Privatsphäre.},
    booktitle = {Digitale {Bürgerbeteiligung}: {Forschung} und {Praxis} – {Chancen} und {Herausforderungen} der elektronischen {Partizipation}},
    publisher = {Springer Fachmedien Wiesbaden},
    author = {Leitner, Maria and Bonitz, Arndt and Hötzendorfer, Walter and Terbu, Oliver and Vogl, Stefan and Zehetbauer, Sebastian},
    editor = {Leitner, Maria},
    year = {2018},
    doi = {10.1007/978-3-658-21621-4_7},
    pages = {163--187}
  • [PDF] [DOI] C. E. Rubio-Medrano, S. Jogani, M. Leitner, Z. Zhao, and G. Ahn, “Effectively enforcing authorization constraints for emerging space-sensitive technologies,” in Proceedings of the 24th ACM Symposium on Access Control Models and Technologies, New York, NY, USA, 2019, p. 195–206.
    address = {New York, NY, USA},
    series = {{SACMAT} '19},
    title = {Effectively Enforcing Authorization Constraints for Emerging Space-Sensitive Technologies},
    isbn = {978-1-4503-6753-0},
    url = {http://doi.acm.org/10.1145/3322431.3325109},
    doi = {10.1145/3322431.3325109},
    abstract = {Recently, applications that deliver customized content to end-users, e.g., digital objects on top of a video stream, depending on information such as their current physical location, usage patterns, personal data, etc., have become extremely popular. Despite their promising future, some concerns still exist with respect to the proper use of such space-sensitive applications (S-Apps) inside independently-run physical spaces, e.g., schools, museums, hospitals, memorials, etc. Based on the idea that innovative technologies should be paired with novel (and effective) security measures, this paper proposes space-sensitive access control (SSAC), an approach for restricting space-sensitive functionality in such independently-run physical spaces, allowing for the specification, evaluation and enforcement of rich and flexible authorization policies, which, besides meeting the specific needs for S-Apps, are also intended to avoid the need for interruptions in their normal use as well as repetitive policy updates, thus providing a convenient solution for both policy makers and end-users. We present a theoretical model, a proof-of-concept S-App, and a supporting API framework, which facilitate the policy crafting, storage, retrieval and evaluation processes, as well as the enforcement of authorization decisions. In addition, we present a performance case study depicting our proof-of-concept S-App in a set of realistic scenarios, as well as a user study which resulted in 90\% of participants being able to understand and write authorization policies using our approach, and 93\% of them also recognizing the need for restricting functionality in the context of emerging space-sensitive technologies, thus providing evidence that encourages the adoption of SSAC in practice.},
    urldate = {2019-07-03},
    booktitle = {Proceedings of the 24th {ACM} {Symposium} on {Access} {Control} {Models} and {Technologies}},
    publisher = {ACM},
    author = {Rubio-Medrano, Carlos E. and Jogani, Shaishavkumar and Leitner, Maria and Zhao, Ziming and Ahn, Gail-Joon},
    year = {2019},
    pages = {195--206}

Security in process-aware information systems

As the design and implementation of security policies is a fundamental key to a successful implementation of secure software systems, a holistic integration of security policies in PAIS is essential. Dr. Leitners PhD thesis entitled “Security policy integration and life cycle management in process-aware information systems” aimed at providing an integrated view on security policies in PAIS – thereby providing preventive, detective and reactive security measures in PAIS. Particularly, the security policy life cycle in combination with the business process life cycle was investigated. Together, the integrated view contributes to the implementation of security policies in business processes which further strengthens the IT security and compliance management in organizations. Her research focuses on methods and tools for the definition, enactment and management of security in PAIS that spans from process definition and modeling to process execution and audit.

Selected publications:

  • [PDF] [DOI] M. Leitner, M. Miller, and S. Rinderle-Ma, “An analysis and evaluation of security aspects in the business process model and notation,” in Proceedings of the 8th international conference on availability, reliability and security (ares), 2013, pp. 262-267.
    title = {An Analysis and Evaluation of Security Aspects in the Business Process Model and Notation},
    publisher = {{IEEE}},
    booktitle = {Proceedings of the 8th International Conference on Availability, Reliability and Security (ARES)},
    author = {Leitner, Maria and Miller, Michelle and Rinderle-Ma, Stefanie},
    abstract = {Enhancing existing business process modeling languages with security concepts has attracted increased attention in research and several graphical notations and symbols have been proposed. How these extensions can be comprehended by users has not been evaluated yet. However, the comprehensibility of security concepts integrated within business process models is of utmost importance for many purposes such as communication, training, and later automation within a process-aware information system. If users do not understand the security concepts, this might lead to restricted acceptance or even misinterpretation and possible security problems in the sequel. In this paper, we evaluate existing security extensions of Business Process Model and Notation (BPMN) as BPMN constitutes the de facto standard in business modeling languages nowadays. The evaluation is conducted along two lines, i.e., a literature study and a survey. The findings of both evaluations identify shortcomings and open questions of existing approaches. This will yield the basis to convey security-related information within business process models in a comprehensible way and consequently, unleash the full effects of security modeling in business processes.},
    pages = {262-267},
    doi = {10.1109/ARES.2013.34},
    url = {http://dx.doi.org/10.1109/ARES.2013.34},
    pdf = {LeitnerMR_analysis_2013},
    year = {2013}
  • [DOI] M. Leitner and S. Rinderle-Ma, “A systematic review on security in process-aware information systems – constitution, challenges, and future directions,” Information and software technology, vol. 56, iss. 3, p. 273–293, 2014.
    title = {A systematic review on security in Process-Aware Information Systems – Constitution, challenges, and future directions},
    volume = {56},
    issn = {0950-5849},
    url = {http://www.sciencedirect.com/science/article/pii/S0950584913002334},
    doi = {10.1016/j.infsof.2013.12.004},
    number = {3},
    urldate = {2014-01-15},
    journal = {Information and Software Technology},
    author = {Leitner, Maria and Rinderle-Ma, Stefanie},
    month = mar,
    abstract = {Context
    Security in Process-Aware Information Systems (PAIS) has gained increased attention in current research and practice. However, a common understanding and agreement on security is still missing. In addition, the proliferation of literature makes it cumbersome to overlook and determine state of the art and further to identify research challenges and gaps. In summary, a comprehensive and systematic overview of state of the art in research and practice in the area of security in PAIS is missing.
    This paper investigates research on security in PAIS and aims at establishing a common understanding of terminology in this context. Further it investigates which security controls are currently applied in PAIS.
    A systematic literature review is conducted in order to classify and define security and security controls in PAIS. From initially 424 papers, we selected in total 275 publications that related to security and PAIS between 1993 and 2012. Furthermore, we analyzed and categorized the papers using a systematic mapping approach which resulted into 5 categories and 12 security controls.
    In literature, security in PAIS often centers on specific (security) aspects such as security policies, security requirements, authorization and access control mechanisms, or inter-organizational scenarios. In addition, we identified 12 security controls in the area of security concepts, authorization and access control, applications, verification, and failure handling in PAIS. Based on the results, open research challenges and gaps are identified and discussed with respect to possible solutions.
    This survey provides a comprehensive review of current security practice in PAIS and shows that security in PAIS is a challenging interdisciplinary research field that assembles research methods and principles from security and PAIS. We show that state of the art provides a rich set of methods such as access control models but still several open research challenges remain.},
    year = {2014},
    note = {Open Access},
    pages = {273--293}
  • [DOI] S. Kriglstein, M. Leitner, S. Kabicher-Fuchs, and S. Rinderle-Ma, “Evaluation Methods in Process-Aware Information Systems Research with a Perspective on Human Orientation,” Business & information systems engineering, vol. 58, iss. 6, p. 397–414, 2016.
    title = {Evaluation {Methods} in {Process}-{Aware} {Information} {Systems} {Research} with a {Perspective} on {Human} {Orientation}},
    volume = {58},
    issn = {1867-0202},
    url = {http://dx.doi.org/10.1007/s12599-016-0427-3},
    doi = {10.1007/s12599-016-0427-3},
    abstract = {Research on process-aware information systems (PAIS) has experienced a dramatic growth in recent years. Lately, a particular increase of empirical studies and focus on human oriented research questions could be observed, leading to an expansion of applied evaluation methods in PAIS research. At the same time, it can be observed that evaluation methods are not always applied in a systematic manner and related terminology is at times used in an ambiguous way. Hence, the paper aims at investigating evaluation methods that are typically employed in PAIS research with a special focus on human orientation. The applied methodology includes a literature review, an expert survey, and a focus group. The authors present their findings as a collection of typical evaluation methods and the related PAIS artifacts. They highlight which evaluation methods are currently used and which evaluation methods could be of interest for future PAIS research efforts.},
    number = {6},
    journal = {Business \& Information Systems Engineering},
    author = {Kriglstein, Simone and Leitner, Maria and Kabicher-Fuchs, Sonja and Rinderle-Ma, Stefanie},
    year = {2016},
    note = {Open Access},
    pages = {397--414}