The Community for Technology Leaders
RSS Icon
Subscribe
Issue No.02 - April-June (2011 vol.4)
pp: 153-166
S Jakoubi , Secure Bus. Austria, Austrian IT Security Competence Center, Vienna, Austria
G Goluch , Secure Bus. Austria, Austrian IT Security Competence Center, Vienna, Austria
G Kitzler , Secure Bus. Austria, Austrian IT Security Competence Center, Vienna, Austria
S Goluch , Secure Bus. Austria, Austrian IT Security Competence Center, Vienna, Austria
S Tjoa , St. Polten Univ. of Appl. Sci., St. Polten, Austria
ABSTRACT
The effective, efficient and continuous execution of business processes is crucial for meeting entrepreneurial goals. Business process modeling and simulation are used to enable desired business process optimizations. However, current approaches mainly focus on economic aspects while security aspects are dealt with in separate initiatives. This missing interconnection may lead to significant differences in improvement suggestions, such as the differing valuation of security investments (e.g., redundancy of systems). The major contribution of this paper is the introduction of a formal model that is capable of expressing the relations between threats, detection mechanisms, safeguards, recovery measures and their effects on business processes. This novel business process simulation capability paves the way for the evaluation of security investments at process design stage by allowing the consideration of stochastic influences of the occurrence of threats on process activities and resources in a unified way. A stylized business case outlines how our method can be applied to real world scenarios.
INDEX TERMS
Security, Unified modeling language, Risk management, Computational modeling, Biological system modeling, Business continuity, security enablement methods and tools., Business process reengineering, consulting and strategic planning
CITATION
S Jakoubi, G Goluch, G Kitzler, S Goluch, S Tjoa, "A Formal Approach Enabling Risk-Aware Business Process Modeling and Simulation", IEEE Transactions on Services Computing, vol.4, no. 2, pp. 153-166, April-June 2011, doi:10.1109/TSC.2010.17
REFERENCES
[1] Gartner Inc., "Misconceptions on Process Optimization and Simulation," Gartner Blog, 2009.
[2] NIST Special Publication 800-30, Risk Management Guide for Information Technology Systems, Nat'l Inst. of Standards and Technology (NIST), 2002.
[3] BSI (German Fed. Office for Information Security), "IT-Grundschutz Manual (English Version)," 2004.
[4] ISO/IEC 13335-1:2004, Information Technology—Security Techniques—Management of Information and Comm. Technology Security— Part 1: Concepts and Models for Information and Comm. Technology Security Management, ISO/IEC, 2004.
[5] NIST SP800-61: Computer Security Incident Handling Guide, Nat'l Inst. of Standards and Tech nology, 2004.
[6] British Standard BS25999-1:2006: Business Continuity Management— Part 1: Code of Practice, British Standard Inst. (BSI), 2006.
[7] British Standard BS25999-2:2007: Business Continuity Management—Part 2: Specification, British Standard Inst. (BSI), 2007.
[8] ISO/IEC 24762:2008, Information Technology—Security Techniques— Guidelines for Information and Comm. Technology Disaster Recovery Services, ISO/IEC, 2008.
[9] European Network and Information Security Agency (ENISA), "Business and It Continuity Overview and Implementation Principles," 2008.
[10] Department for Business, Enterprise & Regulatory Reform (BERR), "2008 Information Security Breaches Survey," 2008.
[11] Business Continuity Inst., "Good Practice Guidelines," http://www.thebci.orggpgdownloadpage.htm , 2008.
[12] J. Burtles, Principles and Practice of Business Continuity. Rothstein Assoc. Inc., 2007.
[13] Gartner Inc., "Gartner EXP Worldwide Survey of More than 1,500 CIOs Shows IT Spending to Be Flat in 2009," http://www.gartner. com/itpage.jsp?id=855612 , 2009.
[14] AON, "Global Risk Management Survey '09," http://www.aon. com2009risksurvey, 2009.
[15] The MathWorks, "Simulink—Simulation and Model-Based Design," http://www.mathworks.com/productssimulink , 2011.
[16] ISO/IEC 27005:2008 Information Technology—Security Techniques— Information Security Risk Management, ISO/IEC, 2008.
[17] CERT, OCTAVE, http://www.cert.orgoctave, 2009.
[18] MIL-STD-1629: A Military Standard—Procedures for Performing a Failure Mode Effects and Critically Analysis, Dept. of Defense Standard, 1980.
[19] S. Kmenta and K. Ishii, "Scenario-Based Fmea: A Life Cycle Cost Perspective," 2000.
[20] British Standards Institution, Pas56, 2003.
[21] ISO/PAS 22399:2007: Societal Security—Guideline for Incident Preparedness and Operational Continuity Management, ISO/PAS, 2007.
[22] NIST Sp800-34: Contingency Planning Guide for Information Technology Systems, Nat'l Inst. of Standards and Tech nology, 2002.
[23] Business Process Modeling Notation (BPMN) 1.2, Object Management Group (OMG), 2009.
[24] A.W. Scheer and M. Nüttgens, "ARIS Architecture and Reference Models for Business Process Management," Proc. Business Process Management (BPM), 2000.
[25] Workflow Management Coalition Specification the Workflow Reference Model, Workflow Management Coalition, 1995.
[26] D. Karagiannis, S. Junginger, and R. Strobl, "Introduction to Business Process Management Systems Concepts," Business Process Modelling, pp. 81-106, Springer, 1996.
[27] M. zur Muehlen and M. Rosemann, "Integrating Risks in Business Process Models," Proc. Australasian Conf. Information Systems (ACIS '05), 2005.
[28] D. Neiger, L. Churilov, M. zur Muehlen, and M. Rosemann, "Integrating Risks in Business Process Models with Value Focused Process Engineering," Proc. European Conf. Information Systems (ECIS '06), 2006.
[29] N. Milanovic, B. Milic, and M. Malek, "Modeling Business Process Availability," Proc. IEEE Int'l Conf. Services Computing (SCC '08), 2008.
[30] S. Sackmann, "A Reference Model for Process—Oriented IT Risk Management," Proc. 16th European Conf. Information Systems, 2008.
[31] S. Sackmann, L. Lowis, and K. Kittel, "Selecting Services in Business Process Execution—A Risk-Based Approach," Proc. Conf. Business Services: Konzepte, Technologien, Anwendungen, Tagung Wirtschaftsinformatik (WI '09), 2009.
[32] S. Röhrig, "Using Process Models to Analyse IT Security Requirements," PhD dissertation, Univ. of Zurich, 2003.
[33] A. Rodríguez, E. Fernández-Medina, and M. Piattini, "Towards a UML 2.0 Extension for the Modeling of Security Requirements in Business Processes," Proc. Int'l Conf. Trust and Privacy in Digital Business (TrustBus '06), 2006.
[34] R.J. Ellison, R.C. Linger, T. Longstaff, and N.R. Mead, "Survivable Network System Analysis: A Case Study," IEEE Software, vol. 16, no. 4, pp. 70-77, July/Aug. 1999.
[35] T. Neubauer, M. Klemen, and S. Biffl, "Business Process-Based Valuation of IT-Security," Proc. Workshop Economics-Driven Software Eng. Research (EDSER '05), 2005.
[36] A. Sienou, E. Lamine, and H. Pingaud, "A Method for Integrated Management of Process-Risk," Proc. First Int'l Workshop Governance, Risk and Compliance—Applications in Information Systems (GRCIS '08), 2008.
[37] I. Weber, G. Governatori, and J. Hoffmann, "Approximate Compliance Checking for Annotated Process Models," Proc. First Int'l Workshop Governance, Risk and Compliance—Applications in Information Systems (GRCIS '08), 2008.
[38] S. Sadiq, G. Governatori, and K. Namiri, "Modelling Control Objectives for Business Process Compliance," Proc. Fifth Int'l Conf. Business Process Management (BPM '07), 2007.
[39] A. Jallow, B. Majeed, K. Vergidis, A. Tiwari, and R. Roy, "Operational Risk Analysis in Business Processes," BT Technology J., vol. 25, no. 1, pp. 168-177, 2007.
[40] M. Modarres, M. Kaminskiy, and V. Krivtsov, Reliability Engineering and Risk Analysis: A Practical Guide, second ed. CRC Press, 2009.
[41] H. Wang and H. Pham, "Monte Carlo Reliability Simulation of Complex Systems," Reliability and Optimal Maintenance, pp. 275-294, Springer, 2006.
[42] B.L.A. Naessa and O. Batsevychc, "System Reliability Analysis by Enhanced Monte Carlo Simulation," Structural Safety, vol. 31, no. 5, pp. 349-355, Sept. 2009.
[43] S. Jakoubi, G. Goluch, S. Tjoa, and G. Quirchmayr, "Deriving Resource Requirements Applying Risk-Aware Business Process Modeling and Simulation," Proc. 16th European Conf. Information Systems, pp. 1542-1554, 2008.
[44] S. Tjoa, S. Jakoubi, and G. Quirchmayr, "Enhancing Business Impact Analysis and Risk Assessment Applying a Risk-Aware Business Process Modeling and Simulation Methodology," Proc. Int'l Conf. Availability, Reliability and Security, pp. 179-186, 2008.
[45] S. Jakoubi, S. Tjoa, and G. Quirchmayr, "Rope: A Methodology for Enabling the Risk—Aware Modelling and Simulation of Business Processes," Proc. 15th European Conf. Information Systems, pp. 1596-1607, 2007.
[46] S. Tjoa, S. Jakoubi, G. Goluch, and G. Quirchmayr, "Extension of a Methodology for Risk-Aware Business Process Modeling and Simulation Enabling Process-Oriented Incident Handling Support," Proc. Conf. Advanced Information Networking and Applications, pp. 48-55, 2008.
[47] S. Jakoubi and S. Tjoa, "A Reference Model for Risk-Aware Business Process Management," Proc. IEEE Int'l Conf. Risks and Security of Internet and Systems, 2009.
[48] British Telecom, "Business Continuity—BT Data Centre Services," http://business.bt.com/it-solutions/it-services/ data-centre- servicesbusiness-continuity , July 2009.
42 ms
(Ver 2.0)

Marketing Automation Platform Marketing Automation Tool