IT Security Risk Analysis based on Business Process Models enhanced with Security Requirements
نویسندگان
چکیده
Traditional risk analysis approaches are based on events, probabilities and impacts. They are complex, time-consuming, and costly, and have limitations regarding the data and assessment quality: First, security events have to be identified often without much methodological guidance, making the process prone to errors and omissions. Second, concrete probability values for these events usually have to be provided, and these are not available in practice to a satisfactory degree of precision and reliability. We propose an approach for risk analysis based on business process models enhanced with security requirements and information about critical processes as well as organizational and system boundaries. This approach bypasses these limitations: security risk events can be derived from the business process models together with the security requirements, and probabilities do not have to be provided. The approach is illustrated using a business process model derived from business practice.
منابع مشابه
Resolving vulnerability identification errors using security requirements on business process models
Purpose – In any information security risk assessment, vulnerabilities are usually identified by information-gathering techniques. However, vulnerability identification errors – wrongly identified or unidentified vulnerabilities – can occur as uncertain data are used. Furthermore, businesses’ security needs are not considered sufficiently. Hence, security functions may not protect business asse...
متن کاملA Method for Eliciting Security Requirements from the Business Process Models
In recent years, the business process modelling is matured towards expressing enterprise’s organisational behaviour (i.e., business values and stakeholder interests). This shows potential to perform early security analysis to capture enterprise security needs. Traditionally, security in business processes is addressed either by representing security concepts graphically or by enforcing these se...
متن کاملIntegration of IT-Security Aspects into Information Demand Analysis and Patterns
Information logistics in general addresses demand-oriented information supply in organizations. IT-security has not received much attention in information logistics research. However, integration of security aspects into information logistics methods could be useful for application contexts with strong security requirements. As a contribution to this aspect, the paper investigates the possibili...
متن کاملSecurity-Oriented Refinement of Business Processes
Economic globalization leads to complex decentralized company structures calling for the extensive use of distributed IT-systems. The business processes of a company have to reflect these changes of infrastructure. In particular, due to new electronic applications and the inclusion of a higher number of — potentially unknown — persons, the business processes are more vulnerable against maliciou...
متن کاملMapping of McGraw Cycle to RUP Methodology for Secure Software Developing
Designing a secure software is one of the major phases in developing a robust software. The McGraw life cycle, as one of the well-known software security development approaches, implements different touch points as a collection of software security practices. Each touch point includes explicit instructions for applying security in terms of design, coding, measurement, and maintenance of softwar...
متن کامل