Business Driven ICT Risk Management in the Banking Domain with RACOMAT

  • Johannes Viehmann
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10224)


Bringing business risk management and technical security risk management together is one of the major challenges banks currently struggle with in their efforts to increase their resilience against cyber security threats. This short paper presents a systematic approach to such an integrated security risk management, which is currently being developed in cooperation with a system-relevant bank. The approach uses well-known methods and existing standards, and it takes advantage of knowledge databases and available generic domain-specific models. A first case study has just started. With tool support, and especially with a high level of automation, the presented approach might become applicable even for large banks.


Keywords: Risk assessment, Security, Business process simulation, Banking



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  Fraunhofer FOKUS, Berlin, Germany
