Summary
Companies face the challenge of performing their business processes effectively and efficiently while guaranteeing their continuous operation. To meet the economic requirements, companies predominantly apply business process management concepts. The substantive consideration of robustness and continuity of operations, by contrast, is performed in other domains such as risk management or business continuity management. When these domains are applied separately, their analysis results may differ significantly, since valuations from an economic point of view and from a risk point of view can lead to conflicting improvement recommendations. Observing developments over the past years, one can see that regulatory bodies, industry, and the research community have placed a special focus on the tighter integration of business process management and risk management. Consequently, the integrated consideration of economic, risk, and security aspects when analyzing and designing business processes delivers considerable value in meeting these requirements.
In this chapter, we present a survey of selected scientific approaches that tackle the challenge of integrating economic and risk aspects. Furthermore, we present a methodology enabling the risk-aware modeling and simulation of business processes.
Keywords
- Business Process
- Business Process Management
- British Standard Institute
- Recovery Measure
- Threat Scenario
Copyright information
© 2010 Springer Science+Business Media, LLC
About this chapter
Cite this chapter
Jakoubi, S., Tjoa, S., Goluch, S., Kitzler, G. (2010). Risk-Aware Business Process Management—Establishing the Link Between Business and Security. In: Xhafa, F., Barolli, L., Papajorgji, P. (eds) Complex Intelligent Systems and Their Applications. Springer Optimization and Its Applications, vol 41. Springer, New York, NY. https://doi.org/10.1007/978-1-4419-1636-5_6
DOI: https://doi.org/10.1007/978-1-4419-1636-5_6
Publisher Name: Springer, New York, NY
Print ISBN: 978-1-4419-1635-8
Online ISBN: 978-1-4419-1636-5
eBook Packages: Mathematics and Statistics (R0)