The use of business process modelling in information systems security analysis and design

The increasing reliance of organisations on information systems connected to or extending over open data networks has established information security as a critical success factor for modern organisations. Risk analysis appears to be the predominant methodology for the introduction of security in information systems (IS). However, risk analysis is based on a very simple model of IS as consisting of assets, mainly data, hardware and software, which are vulnerable to various threats. Thus, risk analysis cannot provide for an understanding of the organisational environment in which IS operate. We believe that a comprehensive methodology for information systems security analysis and design (IS‐SAD) should incorporate both risk analysis and organisational analysis, based on business process modelling (BPM) techniques. This paper examines the possible contribution of BPM techniques to IS‐SAD and identifies the conceptual and methodological requirements for a technique to be used in this context. Based on these requirements, several BPM techniques have been reviewed. The review reveals the need for either adapting and combining current techniques or developing new, specialised ones.
