Business Process-Based Resource Importance Determination

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNISA, volume 5701)

Abstract

Information security risk management (ISRM) heavily depends on realistic impact values representing the resources’ importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can business processes be used to determine resources’ importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. Therefore, this paper presents our novel business process-based resource importance determination method, which provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method comply with the results gained in traditional workshop-based assessments.

Copyright information

© 2009 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Fenz, S., Ekelhart, A., Neubauer, T. (2009). Business Process-Based Resource Importance Determination. In: Dayal, U., Eder, J., Koehler, J., Reijers, H.A. (eds) Business Process Management. BPM 2009. Lecture Notes in Computer Science, vol 5701. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-03848-8_9

  • DOI: https://doi.org/10.1007/978-3-642-03848-8_9

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-03847-1

  • Online ISBN: 978-3-642-03848-8

  • eBook Packages: Computer Science, Computer Science (R0)
