Risk-Aware Business Process Management—Establishing the Link Between Business and Security

  • Stefan Jakoubi
  • Simon Tjoa
  • Sigrun Goluch
  • Gerhard Kitzler
Part of the Springer Optimization and Its Applications book series (SOIA, volume 41)

Summary

Companies face the challenge of performing their business processes effectively and efficiently while guaranteeing their continuous operation. To meet the economic requirements, companies predominantly apply business process management concepts. The substantive consideration of robustness and continuity of operations, however, is performed in other domains such as risk management or business continuity management. When these domains are applied separately, analysis results may differ significantly, since valuations from an economic point of view and from a risk point of view may lead to deviating improvement recommendations. Observing developments in recent years, one can see that regulatory bodies, industry, and the research community have placed a special focus on the tighter integration of business process management and risk management. Consequently, the integrated consideration of economic, risk, and security aspects when analyzing and designing business processes delivers enormous value in meeting these requirements.

In this chapter, we present a survey of selected scientific approaches tackling the challenge of integrating economic and risk aspects. Furthermore, we present a methodology enabling the risk-aware modeling and simulation of business processes.

Keywords

Business process; Business process management; British Standard Institute; Recovery measure; Threat scenario

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Stefan Jakoubi (1)
  • Simon Tjoa (2)
  • Sigrun Goluch (1)
  • Gerhard Kitzler (1)

  1. Secure Business Austria, Vienna, Austria
  2. St. Poelten University of Applied Sciences, St. Poelten, Austria