A Risk Based Approach for Selecting Services in Business Process Execution

The vision of automated business processes within a service-oriented paradigm includes the flexible orchestration of IT services. Whenever alternative services are available for activities in an IT-supported business process, an automated decision is worth aspiring to. According to value-oriented management, this decision should be motivated economically and also requires taking account of risk. This paper presents a novel approach for assessing the risk of IT services, based on vulnerability information as can be obtained in the form of publicly available Common Vulnerability Scoring System (CVSS) data.

1. Automating IT service selection

Market forces are raising companies' need to respond quickly and flexibly to changing demands, which is seen as one of the main competitive advantages of the future [1, 23]. To keep pace, directing business models towards automation is still regarded as an important strategic topic [25], and aligning the technological infrastructure to service-oriented architecture (SOA) seems a feasible and promising way [10, 16]. Apparently, present SOA and standards such as BPEL or BPMN are still in need of improvement to satisfy business demands [29], and the present hype around service orientation is endangered by setbacks [13]. Nevertheless, prominent suppliers of hardware and software are already embodying service orientation in their products: IBM offers WebSphere [19], SAP integrates NetWeaver [6], and Microsoft uses services in Windows Vista [4]. Besides the technical feasibility of SOA, exploiting the full potential of services requires solutions to several business demands. In this contribution, the focus is laid on one of these issues: the automated selection between alternative IT services available for supporting the execution of business process activities.
Since the ability of an IT service to meet business process-specific protection goals is crucial, a method for assessing the risk of an IT service within the context of the supported business process is developed. The method consists of two major parts: the first part proposes a new way to measure the probability of achieving protection goals within an IT service by assessing vulnerabilities. The second part extends business process models by an economic decision algorithm that also takes risk into consideration and enables an automated decision between alternative IT services in the concrete execution context. Addressing these two parts, the remainder of this contribution is structured as follows: in section 2, a layer-based model is introduced bringing

1 University of Freiburg, Institute of Computer Science & Social Studies, Department of Telematics, Friedrichstrasse 50, 79098 Freiburg, Germany

[1] Scott Campbell et al. Mastering Enterprise SOA with SAP NetWeaver and mySAP ERP, 2006.

[2] Varun Grover et al. Types of Information Technology Capabilities and Their Role in Competitive Advantage: An Empirical Study, J. Manag. Inf. Syst., 2005.

[3] Stefan Tai et al. The next step in Web services, CACM, 2003.

[4] Somesh Jha et al. Automated generation and analysis of attack graphs, Proceedings 2002 IEEE Symposium on Security and Privacy, 2002.

[5] Stefan Sackmann et al. A Reference Model for Process-Oriented IT Risk Management, ECIS, 2008.

[6] Daniel E. Geer et al. Information Security: Why the Future Belongs to the Quants, IEEE Secur. Priv., 2003.

[7] Matt Bishop et al. Computer Security: Art and Science, 2002.

[8] Gary McGraw et al. Static Analysis for Security, IEEE Secur. Priv., 2004.

[9] Stefan Sackmann. Assessing the effects of IT changes on IT risk - A business process-oriented view, Multikonferenz Wirtschaftsinformatik, 2008.

[10] Judy E. Scott. Mobility, Business Process Management, Software Sourcing, and Maturity Model Trends: Propositions for the IS Organization of the Future, Inf. Syst. Manag., 2007.

[11] Philip Robinson et al. Security and Trust in IT Business Outsourcing: a Manifesto, STM, 2007.

[12] Martin R. Stytz. Who Are the Experts, and What Have They Done for Us Lately?, IEEE Security & Privacy, 2007.

[13] James H. Burrows. Guidelines for Security of Computer Applications, 1980.

[14] Rainer Böhme et al. Economic Security Metrics, Dependability Metrics, 2005.

[15] Andrew S. Tanenbaum et al. Structured Computer Organization (2nd ed.), 1984.

[16] Wil M. P. van der Aalst et al. On the Suitability of BPMN for Business Process Modelling, Business Process Management, 2006.

[17] Andrew S. Tanenbaum et al. Structured Computer Organization, 1976.

[18] R. Sanchez. Strategic flexibility in product competition, 1995.