An integrated conceptual model for information system security risk management supported by enterprise architecture management

  • Nicolas Mayer
  • Jocelyn Aubert
  • Eric Grandry
  • Christophe Feltus
  • Elio Goettelmann
  • Roel Wieringa
Regular Paper


Risk management is today a major steering tool for any organisation wanting to deal with information system (IS) security. However, IS security risk management (ISSRM) remains a difficult process to establish and maintain, especially for organisations subject to multiple regulations and operating complex, inter-connected IS. We claim that a connection with enterprise architecture management (EAM) helps to deal with these issues. A first step towards a better integration of both domains is to define an integrated EAM-ISSRM conceptual model. This paper is about the elaboration and validation of this model. To do so, we extend an existing ISSRM domain model, i.e. a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The validation of the integrated EAM-ISSRM model is then performed with the help of a validation group assessing the utility and usability of the model.


Keywords: Risk management, Security, Enterprise architecture, ArchiMate



Supported by the National Research Fund, Luxembourg, and financed by the ENTRI project (C14/IS/8329158).



Copyright information

© Springer-Verlag GmbH Germany, part of Springer Nature 2018

Authors and Affiliations

  1. Luxembourg Institute of Science and Technology, Esch-sur-Alzette, Luxembourg
  2. University of Twente, Enschede, The Netherlands
