Using Value Models for Business Risk Analysis in e-Service Networks

  • Dan Ionita
  • Roel J. Wieringa
  • Lars Wolos
  • Jaap Gordijn
  • Wolter Pieters
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 235)

Abstract

Commercially provided electronic services commonly operate on top of a complex, highly interconnected infrastructure, which provides a multitude of entry points for attackers. Providers of e-services also operate in dynamic, highly competitive markets, which provide fertile ground for fraud. Before a business idea to provide commercial e-services is implemented in practice, it should therefore be analysed for its fraud potential.

This analysis is a risk assessment process, in which risks are ordered by severity and the unacceptable ones are mitigated. Mitigations may consist of changes in the e-service network to reduce the attractiveness of fraud for the fraudster, or changes in coordination process steps or IT architecture elements to make fraud harder or easier to detect.

We propose to use \(e^{3}\)value business value models for the identification and quantification of risks associated with e-service packages. This allows for impact estimation as well as understanding the attacker’s business cases. We show how the \(e^{3}\)value ontology, with minimal extensions, can be used to analyse known telecommunication fraud scenarios. We also show how the approach can be used to quantify infrastructure risks. Based on the results, as well as feedback from practitioners, we discuss the scope and limits of generalizability of our approach.

Keywords

e-services; Fraud; Risk; Governance and control; Value modelling

Notes

Acknowledgements

The ideas and models presented here were developed with the support of S. Koenen and Dr. M. Daneva of the University of Twente. This research has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no. 318003 (TREsPASS). This publication reflects only the author’s views and the Union is not liable for any use that may be made of the information contained herein.

Copyright information

© IFIP International Federation for Information Processing 2015

Authors and Affiliations

  • Dan Ionita (1)
  • Roel J. Wieringa (1)
  • Lars Wolos (2)
  • Jaap Gordijn (3)
  • Wolter Pieters (1, 4)

  1. University of Twente, Enschede, The Netherlands
  2. Goethe University Frankfurt, Frankfurt, Germany
  3. Vrije Universiteit Amsterdam, Amsterdam, The Netherlands
  4. TU Delft, Delft, The Netherlands
