Assessing the effects of IT changes on IT risk - A business process-oriented view

The economic relevance of IT risk is increasing for operational, technical and regulatory reasons. The growing flexibility of business processes and their rising dependence on IT call for continuous risk assessment, which challenges current methods of risk management. Extending these methods by a business process-oriented view is a promising way to take the resulting dynamics and interdependencies into account. This contribution pursues a layer-based approach for systematically modeling the relations between causes (threats) and effects (direct and indirect loss). On the basis of these cause-effect relations, the presented IT Risk Indicator InTRIn measures changes in the IT support of business processes. It is discussed how InTRIn can provide accurate and real-time information on the IT risk situation and thus improve IT risk management.

1 Flexible Business Processes and IT Risk

The flexibility to adapt business processes to customers' changing demands is regarded as an important means for companies to distinguish themselves from their competitors (e.g. [Sa95; BG05; Mi07]). Information technology plays an increasingly supportive role in creating this flexibility. While, at least in Germany, two out of three companies already use IT systems such as ERP or SCM to manage their business processes [Sa05], the need for flexibility is further reinforced by current technological trends. The increasing operational use of web services and the realization of service-oriented architectures (SOA), as well as virtualization and so-called services on demand, provide a suitable IT infrastructure for this purpose [Mi07; Kr05]. However, increasing the automation of business processes by relying on a flexible IT infrastructure not only improves business process performance but also places particular emphasis on IT risk.
On the one hand, business processes are directly linked with a company's economic return as well as with its compliance with regulations, contracts, and standards [LK06; Ka08]. The increasing dependency of business processes on IT also increases the possible indirect losses resulting from a malfunction of IT that can easily

[1] R. Sanchez. Strategic flexibility in product competition. 1995.

[2] D. B. Parker et al. Risks of risk-based security. Communications of the ACM, 2007.

[3] W. E. Vesely et al. Fault Tree Handbook. 1987.

[4] M. E. Whitman. Enemy at the gate: threats to information security. Communications of the ACM, 2003.

[5] U. Faisst et al. An optimization model for the management of security risks in banking companies. Seventh IEEE International Conference on E-Commerce Technology (CEC'05), 2005.

[6] M. Rosemann et al. Integrating risks in business process models with value focused process engineering. ECIS, 2006.

[7] V. Grover et al. Types of information technology capabilities and their role in competitive advantage: an empirical study. Journal of Management Information Systems, 2005.

[8] L. A. Gordon et al. The economics of information security investment. ACM Transactions on Information and System Security, 2002.

[9] G. M. Giaglis et al. A taxonomy of business process modeling and information systems modeling techniques. 2001.

[10] J. Liebenau et al. International perspectives on information security practices: opinions, preferences and tools in the financial services industry. 2006.

[11] T. A. Longstaff et al. A common language for computer security incidents. 1998.

[12] M. P. Loeb et al. CSI/FBI Computer Crime and Security Survey. 2004.

[13] A. J. McNeil, R. Frey, P. Embrechts. Quantitative Risk Management: Concepts, Techniques and Tools. Princeton University Press, 2005.

[14] A. S. Tanenbaum et al. Structured Computer Organization. 1976.

[15] C. Ellis. Workflow Technology. 1999.

[16] D. Karagiannis. A business process-based modelling extension for regulatory compliance. Multikonferenz Wirtschaftsinformatik, 2008.

[17] M. Rosemann et al. Integrating risks in business process models. 2005.

[18] A.-W. Scheer. ARIS - Business Process Modeling. 1998.

[19] G. A. Holton. Value at Risk: Theory and Practice. 2003.

[20] S. Tai et al. The next step in Web services. Communications of the ACM, 2003.