Cybersecurity Evaluation of Enterprise Architectures: The e-SENS Case

  • Tanja Pavleska
  • Helder Aranha
  • Massimiliano Masi
  • Eric Grandry
  • Giovanni Paolo Sellitto
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 369)


Technology management through enterprise architectures has already become a widespread practice across large enterprises. Modeling and evaluating the cybersecurity aspects of such architectures, however, has only just begun to get the needed attention. This paper presents a cybersecurity evaluation methodology developed for the reference architecture of the e-SENS project and derives a generic framework for cybersecurity evaluation of an enterprise architecture. The evaluation addresses both the high-level design artefacts (the reference architecture) and operational solutions. Therefore, both a conceptual and an empirical framework are developed as part of the methodology. The former extends a goal-based security model with a threat view incorporating standardized guidelines on security measures, whereas the latter captures and systematizes implemented project-specific security practices. The resulting methodology effectively supports the evaluation and is easy for non-technical people to grasp. Moreover, it lends itself to formalization, supporting a semi-automatic process of solution architecture design.


Keywords: Cybersecurity; Enterprise architecture; e-SENS; Evaluation methodology; Framework



Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Tanja Pavleska (1)
  • Helder Aranha (2)
  • Massimiliano Masi (3)
  • Eric Grandry (4)
  • Giovanni Paolo Sellitto (5)

  1. Jozef Stefan Institute, Ljubljana, Slovenia
  2. Public Administration Shared Services Entity, I.P., Amadora, Portugal
  3. Tiani Spirit GmbH, Vienna, Austria
  4. Ministry of Mobility and Public Works, Luxembourg, Luxembourg
  5. Autorità Nazionale Anticorruzione, Rome, Italy
