A Formal Approach Enabling Risk-Aware Business Process Modeling and Simulation

The effective, efficient and continuous execution of business processes is crucial for meeting entrepreneurial goals. Business process modeling and simulation are used to enable desired business process optimizations. However, current approaches mainly focus on economic aspects, while security aspects are dealt with in separate initiatives. This missing interconnection may lead to significant differences in improvement suggestions, such as the differing valuation of security investments (e.g., redundancy of systems). The major contribution of this paper is the introduction of a formal model that is capable of expressing the relations between threats, detection mechanisms, safeguards, recovery measures and their effects on business processes. This novel business process simulation capability paves the way for the evaluation of security investments at the process design stage by allowing the stochastic influence of threat occurrences on process activities and resources to be considered in a unified way. A stylized business case outlines how our method can be applied to real-world scenarios.
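As an added illustration of the idea described above (not the paper's formal model or its stylized business case), the following Python Monte Carlo simulation ties threat occurrence, detection delay, recovery time and a redundancy safeguard to the execution time of a process and prices the avoided outage of one security investment; the activity names, probabilities, durations and cost figures are constructed assumptions.

```python
import random
from dataclasses import dataclass, replace

@dataclass
class Activity:
    name: str
    duration: float          # nominal execution time of the activity in hours
    threat_prob: float       # probability that the threat hits while the activity runs
    detect_delay: float      # hours until the detection mechanism notices the incident
    recovery_time: float     # hours the recovery measure needs to restore the resource
    redundant: bool = False  # safeguard: a redundant system takes over without outage

def run_once(process, rng):
    """Simulate one process instance; returns (total_time, outage_hours)."""
    total = outage = 0.0
    for act in process:
        total += act.duration
        if rng.random() < act.threat_prob and not act.redundant:
            # threat materialises: the activity stalls until the incident is
            # detected and the affected resource is recovered
            delay = act.detect_delay + act.recovery_time
            total += delay
            outage += delay
    return total, outage

def simulate(process, runs=10_000, seed=1):
    """Mean process duration and mean outage hours over `runs` instances."""
    rng = random.Random(seed)
    results = [run_once(process, rng) for _ in range(runs)]
    mean_time = sum(t for t, _ in results) / runs
    mean_outage = sum(o for _, o in results) / runs
    return mean_time, mean_outage

def value_of_redundancy(process, activity_name, outage_cost_per_hour, instances_per_year):
    """Expected yearly outage cost avoided by making one activity redundant."""
    baseline_outage = simulate(process)[1]
    hardened = [replace(a, redundant=True) if a.name == activity_name else a
                for a in process]
    hardened_outage = simulate(hardened)[1]
    return (baseline_outage - hardened_outage) * outage_cost_per_hour * instances_per_year

# Constructed three-step order process (hypothetical figures, not from the paper).
PROCESS = [
    Activity("receive order", 0.5, 0.01, 0.25, 1.0),
    Activity("check credit", 1.0, 0.05, 2.0, 8.0),   # depends on a single external service
    Activity("ship goods", 2.0, 0.02, 0.5, 4.0),
]

if __name__ == "__main__":
    print("baseline (hours, outage):", simulate(PROCESS))
    # compare the avoided cost with the price of the redundant credit-check service
    print("yearly value of redundancy:", value_of_redundancy(PROCESS, "check credit", 250.0, 5000))
```

The value returned by `value_of_redundancy` is the figure to set against the investment's own cost when deciding on the safeguard at design time.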
