IEEE TRANSACTIONS ON SERVICES COMPUTING 1 A ......S. Tjoa is with the St. Pölten University of...

IEEE TRANSACTIONS ON SERVICES COMPUTING 1

A Formal Approach Enabling Risk-AwareBusiness Process Modeling and SimulationSimon Tjoa, Member, IEEE, Stefan Jakoubi, Member, IEEE, Gernot Goluch, Member, IEEE,

Gerhard Kitzler, Sigrun Goluch, and Gerald Quirchmayr

F

Abstract—The effective, efficient and continuous execution of businessprocesses is crucial for meeting entrepreneurial goals. Business pro-cess modeling and simulation are used to enable desired businessprocess optimizations. However, current approaches mainly focus oneconomic aspects while security aspects are dealt with in separate ini-tiatives. This missing interconnection may lead to significant differencesin improvement suggestions, such as the differing valuation of securityinvestments (e.g., redundancy of systems).The major contribution of this paper is the introduction of a formalmodel that is capable of expressing the relations between threats, detec-tion mechanisms, safeguards, recovery measures and their effects onbusiness processes. This novel business process simulation capabilitypaves the way for the evaluation of security investments at processdesign stage by allowing the consideration of stochastic influences ofthe occurence of threats on process activities and resources in a unifiedway. A stylized business case outlines how our method can be appliedto real world scenarios.

Index Terms—Business Process Reengineering, Consulting andStrategic Planning, Security Enablement Methods and Tools

1 INTRODUCTION

COMPANIES are increasingly confronted with thechallenge of performing their processes efficiently

and effectively with regard to economic aspects, whilemaintaining security, continuity and compliance of pro-cesses at the same time.Business process management is the dominant domainaiming at optimizing the execution of business processes

∙ S. Tjoa is with the St. Pölten University of Applied Sciences,Matthias Corvinus-Straße 15, 3100 St. Pölten, Austria.E-mail: [email protected].

∙ S. Jakoubi is with the Austrian IT-Security Competence Center,Secure Business Austria, Favoritenstr. 16, 1040 Vienna, Austria.E-mail: [email protected].

∙ G. Goluch is with the Austrian IT-Security Competence Center,Secure Business Austria, Favoritenstr. 16, 1040 Vienna, Austria.E-mail: [email protected].

∙ G. Kitzler is with the Austrian IT-Security Competence Center,Secure Business Austria, Favoritenstr. 16, 1040 Vienna, Austria.E-mail: [email protected].

∙ S. Goluch is with the Austrian IT-Security Competence Center,Secure Business Austria, Favoritenstr. 16, 1040 Vienna, Austria.E-mail: [email protected].

∙ G. Quirchmayr is with the Faculty of Computer Science,University of Vienna, Liebigg. 4/3-4, 1010 Vienna, Austria.E-mail: [email protected].

so that activities are performed efficiently and effectivelyin economic terms. "The biggest benefit of businessprocess optimization and simulation is that they deliverinsight into dynamic processes so that they are designedwell and operated effectively as conditions change." [1]However, business processes face threats that endangerthe effective and efficient execution of their activities.There exist diverse classifications of these threats [2], [3],[4], ranging from accidents (e.g., unavailability of ICTresources or the absence of strategic personnel) to naturalcatastrophes (e.g., earthquakes) and to deliberate acts(e.g., sabotage or theft). The reasons why the executionof business processes may be interrupted are manifoldand addressed by several domains, e.g., business conti-nuity management, risk management, disaster recoveryor incident handling [5], [6], [7], [8].The European Network and Information SecurityAgency (ENISA) states that "it is very difficult to isolateall the disciplines related to planning for and recoveringfrom an incident which threatens an organisation eitherfrom an internal or external source. All the disciplinesare closely related and there are areas of cross-over..." [9].Although the individual domains’ focuses, approachesand techniques may vary, their common overall ob-jective is to reduce the likelihood and to mitigate theeffects of events that may threaten a company’s sur-vivability. Within the last years the business continuitymanagement domain has gained in importance as itattaches value to determining the effects of threats onbusiness processes with the first priority on a company’ssurvival: "the biggest driver for security expenditure,according to the Global State of Security Survey, isbusiness continuity, whereas protecting the company’sreputation and customer data take precedence in theISBS 2008". [10] Therefore, business impact analysis andrisk assessment techniques are predominant [11], [12].An interesting detail in the context of this paper isthat temporal aspects are considered within the businessimpact analysis. There, information such as the financialimpact of an activity disruption after a specific durationis taken into account. However, existing methods andtechniques from the business process management andrelated domains are not used to capture the dynamic


characteristics of business processes. Advantages of busi-ness process management techniques are not used toenhance current business impact analysis techniques. Forexample, modeled business processes can be simulatedapplying path analysis concepts. This provides valuableinformation, such as the probability of certain businesscases (i.e., the probability of the possible business processexecution paths) and consequently the expected value ofthe process iterations weighted with the according paths’probabilities.In summary, there is a growing need for an integratedapproach that combines security and compliance-relateddisciplines with business process management. Recentlyconducted surveys and reports such as [13], [14] confirmthis by outlining that business process improvement,regulative and legislative changes and business interrup-tions are major concerns of today’s businesses. For ap-propriately addressing these concerns and maximizingthe entrepreneurial success, it is indispensable to imple-ment risk, business process and resource management.As long as the information flow between the abovemen-tioned domains (e.g., business process management orbusiness continuity management) is not appropriatelycoordinated and harmonized, there is a lack of commoninformation and reasoning basis in many cases, leadingto a quite different understanding of how the company’spotentials can be advanced. For example, there maybe very divergent views on the need for and benefitsof backup facilities (e.g., a redundant electronic dataprocessing center). Consequently, building the concep-tual bridge between the business process and the se-curity/contingency domains is the overall vision of ourcurrent research.In this paper we introduce our work on risk-awarebusiness process management, which seeks to decreasethe gap between economical and security viewpointswithin an organization. In the scope of this paper, theterm risk-aware business process management is used to de-scribe business process management that considers theintegration of security and risk aspects. This combinationallows a risk-aware business process analysis, enablingthe optimization of efficiency, robustness and security ofbusiness processes at the same time.The paper is organized as follows: In section 2 wesummarize related research results. At the end of therelated work section we provide a short overview on ourprevious work in the field of business process security.Section 3 introduces the formal model and simulationapproach. In section 4 we first present a sample scenario,which is then used to demonstrate how our method canbe applied to real-world business cases. Furthermore,section 4 outlines the implementation of our approach inSimulink R⃝ [15]. Section 4.3 presents simulation results ofour stylized business case. Section 5 concludes the paperand discusses further research aims and challenges.

2 RELATED WORK

In this section, we provide an overview of related workaiming at the best possible support of the planning andimplementation of organizational resilience. We there-fore start with a selection of standards and good prac-tices and proceed with related scientific research. Due tothe limited space, it is not possible to provide full details.Thus, we would refer the reader to the cited work fordetailed information.

2.1 Standards and Good PracticesAs a representative standard for the risk managementdomain, we selected the ISO27005[16], and for the busi-ness continuity management domain the BS25999[6], [7].However, we also provide the reader with references tofurther standards and good practices in these domains.The international standard ISO27005 [16] providesguidelines for information security risk management. Itprovides an iterative process consisting of the followingkey phases: (1) Context establishment: gathering of all in-formation relevant for setting management parameters,defining scope and boundaries, as well as setting up andrunning the information security risk management pro-cess; (2) Risk assessment: identification, quantification orqualification as well as prioritization of risks; (3) Risktreatment: selection and implementation of measures foreach risk treatment strategy (i.e., risk reduction, riskretention, risk avoidance, and risk transfer); (4) Riskacceptance: formal recording and approval of decisionsregarding accepted risks; (5) Risk communication: ex-change of all relevant risk information between decisionmakers and other stakeholders; (6) Risk monitoring andreview: continuous monitoring and review of risks con-sidering changes in the risk and in the organizationalenvironment.The following paragraph outlines further related stan-dards and best practices we want to mention.OCTAVE (Operationally Critical Threat, Asset, and Vul-nerability Evaluation) [17] is a widely accepted methodfor protecting a company’s assets. OCTAVE is an asset-driven approach that provides information security riskevaluation. An important best practice guide is the Base-line Protection Manual supplied by the German FederalOffice for Information Security. In addition to its struc-tured method, it provides an excellent Threat and Safe-guards Catalogue. [3] Regarding process-oriented meth-ods, the Failure Modes and Effects Analysis (FMEA)is widely used in the automotive industry. FMEA pri-oritizes risks of items and tries to minimize them viaprocess iterations ([18], [19]). A further representativestandard for risk management is the NIST SP800-30 [2].Business continuity management (BCM) is a manage-ment process to improve the resilience of a companyeven regarding unexpected catastrophes (e.g., earth-quakes, fire, flooding, etc.). To achieve an adequate level,a company-wide BCM strategy has to be implemented.The Good Practice Guidelines (GPG) of the Business


Continuity Institute (BCI) [11] are management guide-lines for implementing BCM according to BS25999. TheGPG approach follows the business continuity man-agement life cycle of the British standard BS25999 [6],[7], which succeeded the publicly available specificationPAS56 [20], and comprises the following phases: (1) Un-derstanding the organization: provide information thatenables prioritization of an organization’s products andservices and the urgency of activities that are requiredto deliver them. This sets the requirements that willdetermine the selection of appropriate BCM strategies.(2) Determining BCM options: evaluation of a range ofstrategies allowing an appropriate response to be chosenfor each product or service, such that the organizationcan continue to deliver those products and services atan acceptable level of operation and within an accept-able time frame during and following a disruption. (3)Developing and implementing a BCM response: creationof a management framework and a structure of incidentmanagement, business continuity and business recoveryplans that detail the steps to be taken during and af-ter an incident to maintain and restore operations. (4)Exercising, maintaining and reviewing: makes it pos-sible to demonstrate the extent to which a company’sstrategies and plans are complete, current and accurateand identify opportunities for improvement. (5) BCMprogram management: application of various (project)managerial, operational, administrative and technicaldisciplines to ensure the successful implementation ofthe BCM program. (6) Embedding BCM in the organi-zation’s culture: ensuring that the BCM program andthe communication of relevant information fit in theorganization’s environment and culture.Further literature substantially addressing the samephases includes e.g., ISO22399 [21], ISO24762 [8], andNIST SP800-34 [22].In the Business Process Management (BPM) domain,we want to mention the Business Process ModelingNotation (BPMN) [23], the ARIS reference model [24]and the workflow reference model by the WorkflowManagement Coalition (WfMC) [25]. However, for ourpurposes we selected the Business Process ManagementSystems (BPMS) paradigm by [26] as methodologicalbasis. Briefly summarized, the method consists of fiveiterative phases: (1) Strategic Decision Process: defini-tion of strategic guidelines, success factors and essentialcriteria for the business processes of a company. (2) Re-Engineering Process: documentation, adaptation, model-ing and optimization of business processes and identifi-cation of potential for reorganization. (3) Resource Allo-cation Process: implementation of business processes inIT as well as in the organization, allocation of resourcesand infrastructure. (4) Workflow Process: execution ofthe business processes in the operating environment,collecting operative information as a base for continuinganalyses. (5) Performance Evaluation Process: aggrega-tion and preparation of process information, extractionof performance indicators and metrics.

2.2 Related Scientific Research

Compared to the research domains of business processmanagement and risk management, the domain of busi-ness process security is still a very young research area.Nevertheless, there is a wide range of approaches tryingto reduce the gap between the different domains ofsecurity, risk management and business process manage-ment.Zur Muehlen and Rosemann identify risk as an inherentproperty of every business process [27]. Therefore, theypropose to counteract the trend of considering risk onlyfrom a project management viewpoint and to tackle thetopic of risk management in the context of businessprocess management. They consequently introduce ataxonomy including process related risks and their ap-pliances concerning the analysis and documentation ofbusiness processes. Additionally, they propose a taxon-omy of business processes including five clusters (goals,structure, information technology, data, and organiza-tion) and two separate life cycles (build-time and run-time), enabling the classification of both errors and risks.To capture risks in the context of business processes, theauthors introduce four interrelated model types: (1) TheRisk Structure Model provides information regardingthe relationship between risks. (2) The Risk Goal Modelrepresents a risks/goals matrix. (3) The Risk State Modelcaptures the dynamic aspects of risks and consists of thedifferent object types risk, consequence and connectors.(4) Event-driven Process Chains (EPCs) are extendedto consider risks, enabling the assignment of risks toindividual steps in the specific process.The need for a holistic business view of risk managementis addressed by Neiger et al. [28] In their approach, theyutilize value-focused process engineering, which createslinks between business processes and business objectivesat the operational and strategic levels, is utilized. Thisvalue-focused process engineering approach is appliedto risk management models, resulting in a risk-orientedprocess management view. The overall model consists offour steps: (1) To identify relevant process risks, businessobjectives are decomposed, while each process activityis examined in order to identify further relevant risks.(2) To identify risks and to determine related processes,value-focused approaches are used. (3) To identify thebest process structure to meet the business objectivesprocess configurations are suggested. (4) Finally, to en-able the selection of an optimal process configuration, al-ternative configurations and their corresponding resultsthat meet the identified risk minimization objectives arecompared.Focusing on business process availability Milanovic et al.present a framework for modeling availability consider-ing services, underlying ICT infrastructure and humanresources [29]. To model these relations, the authorsadapt a service-enabled architecture. Moreover, a fault-model with two failure modes (temporal/value) is used,thus allowing an analytical assessment procedure: (1)


Defining the business process following a process model-ing language. (2) Refining activities by modeling atomicservices. (3) Creating an infrastructure graph. (4) Map-ping services to infrastructure components. Transformpaths for service executions into Boolean expressions.(5) Mapping business processes to atomic services. Thefunctional dependency between business process, ser-vice and ICT-layer availability is the result. (6) Trans-forming the Boolean expressions into reliability blockdiagrams/fault trees to calculate steady-state availability.(7) Calculating the availability of business processesand services by solving/simulating the model generatedwith the abovementioned steps.To build the bridge between the business and the tech-nical layer, Sackmann et al. extend current risk manage-ment methods with a business process-oriented view. Tothis end, they introduce an IT risk reference model [30],[31] consisting of four interconnected layers: (1) businessprocess layer, (2) IT applications / IT infrastructure layer,(3) vulnerabilities layer, (4) threats layer. This referencemodel "serves as foundation for formal modeling of therelations between causes of IT risks and their effectson business processes or a company’s returns" [30]. Amatrix-based description is used to express these rela-tions.Using process descriptions as a basis and starting point,the POSeM approach by Röhrig [32] facilitates the selec-tion process of security measures. To meet this objective,two concepts are provided: (1) The Security EnhancedProcess Language (SEPL), allowing the representation ofsecurity requirements within business processes. (2) Rulebases enabling the validation of specific process securitydefinitions regarding consistency and the identificationof required safeguards.Rodríguez et al. [33] also tackle the challenge of model-ing security requirements in business processes in theirextension of UML 2.0. According to the authors, thisis essential since software developers derive necessaryrequirements for software design and implementationfrom business processes. The proposed extension makesuse of activity diagrams to allow the definition of busi-ness processes security requirements.Ellison et al. [34] developed the SNA (Survivable Net-work Analysis) method in order to identify and analyzeessential services of critical infrastructures. The methodcomprises four key steps. Within the first two steps,essential services and assets are identified taking failureimpacts and company goals into account. Consequently,it is possible to identify essential components that arecrucial for guaranteeing the continuous availability ofthese essential services and assets. Within step three,intrusion scenarios are developed and mapped onto thearchitecture in order to identify so called compromisablecomponents. Components that are essential and com-promisable as well as their underlying infrastructureare further analyzed with respect to key survivabilityproperties (resistance, recognition, and recovery). Thisanalysis is represented in a survivability map which is

used to trigger evaluation and feedback processes.Neubauer et al. propose an IT-Security Valuation Frame-work [35]. To determine the external value of securitymeasures, core business processes are used. The valu-ation itself is based on downtime costs (lost businessvalue) in the case of a system’s unavailability. To mea-sure the costs needed for implementing and attaininga specific level of security, IT processes are used. Onthe basis of the gathered information, valuation modelssuch as ALE (Annual Loss Expectancy) can be used tocalculate expected loss and to define the optimal level ofsecurity.To enable the management of uncertainties in the con-text of business process management, Sienou et al. [36]suggest a multi-layer integration of business processand risk management. They propose a method for theintegrated management of process risks, including a lifecycle model, a metamodel, a modeling language and aset of usage rules.Regarding the compliance of business processes, Weberet al. [37] propose an approach to validate whether thestates reached by a process are compliant with a setof constraints or not. This enables compliance checkingof a new or altered process against a given constraintsbase and of the process repository against a differentor changed constraints base. The authors formalize andutilize a class of compliance rules and annotated processmodels respectively.Sadiq et al. [38] also address the problem field ofbusiness process compliance and identify the need forsystematic approaches to understand the interconnectionand dependency between business and control objec-tives. Accordingly, the authors introduce a modal logicbased on normative systems theory, dealing with theeffective modeling of control objectives and their prop-agation onto business process models.To establish a connection between a company’s corebusiness processes, IT processes and security levels,Jallow et al. [39] propose a framework for risk analysisin business processes with a focus on cost, time andperformance/quality analyses. The framework consistsof the following six steps: (1) Modeling the activitiesof the business process. (2) Determining the considereddimensions (i.e., cost, time and output) for each activ-ity. As only one dimension can be evaluated within aspecific risk analysis, the objective of each analysis hasto be defined. (3) Identifying risk factors, probability ofoccurrence and impact. (4) Assumptions regarding therisk impact should be defined in order to consider un-certainties associated with risks. The authors use a three-point estimate expressed as a triangular distribution.(5) Calculating each identified risk by multiplying theoccurrence probability with the impact. "The impact isnot a discrete value but a series of values generated bythe simulation based on the distribution". (6) Calculatingforecasts for each activity and cumulative results for thewhole process. A prototypical framework implementa-tion has been performed using Microsoft Excel using the


add-on software Crystal BallTM

.Above, we gave a representative overview of severalresearch approaches that aim to establish an integratedview on security, risk and business process manage-ment. Further work can also be found in the relateddomain of reliability simulations. Reliability analysis hasa potentially wide range of application areas, e.g. riskanalysis, engineering design [40] etc. Our main BPEscan be regarded as system reliability concepts. Thereare various methods to model system reliability. Almostall of them use underlying monte carlo simulations e.g.[41]. For a complex system the underlying monte carlocalculations can be very elaborate and therefore timeconsuming. It is favored to alleviate that numerical effortby modifing the monte carlo simulation, e.g. [42]Summarizing, existing approaches have achieved thefollowing research results: (1) Rule-based validation ofprocess security and selection of counter measures. (2)Extension of modeling languages (e.g., UML 2.0) byintroducing security requirements modeling capabilities.(3) Stronger link of risk and business process manage-ment (e.g., via a taxonomy or via a reference model link-ing threats, vulnerabilities, ICT resources and businessprocesses). (4) Calculation of business process availabil-ity. (5) Integration of business and compliance objectives.(6) Determination of risk impacts on the business processactivity layer using Monte Carlo simulation (7) Simula-tion of reliability of systems. The mentioned approachescontributed substantial results in the field of businessprocess security. However, we still miss a concept meet-ing the following objectives: (1) Concept for modeling:(a) Business process activities, (b) required resources,(c) threats endangering these resources, (d) detection-,counter- and recovery measures, (e) relations betweenthese components. (2) Concept for the simulation-baseddetermination of risk impacts (e.g. time, costs, backlogs,etc.) on resources and/or directly business process activ-ities considering the interaction between threats as wellas detection-, counter- and recovery measures.These objectives serve as a basis for the identification ofopen research challenges and led us to the developmentof a methodology enabling risk-aware business processmodeling and simulation [43], [44].In this work, we present an extension of our methodcomprising the introduction of a novel formal model andsimulation approach.

2.3 Previous Work

Following, we present our overall vision of risk-awarebusiness process management [45], [46], [44], [43] inorder to both provide the reader with an adequateoverview and to clarify our contribution in sections 3to 5.In our vision, risk-aware business process managementcan be performed when appropriate bridges betweenbusiness process management and the relevant securitydomains (e.g., risk or business continuity management)

are built. Risk-aware business process modeling enablesaccording simulations as the logical next step. Thesetwo techniques are the cornerstones of business processplanning and reengineering where our current researchfocus lies. In a nutshell, in our conceptual approach

Fig. 1. Conceptual Approach towards Risk-Aware Busi-ness Process Modeling and Simulation

(see Fig. 1) business process elements, such as activitiesand resources, are endangered by threats. If a threatis successful, one of the possible impacts may be theunavailability of a resource, leading to delays in the ex-ecution time of connected activities. In order to representthe current security situation detection-, counter- andrecovery measures are modeled. If sufficient informationis available, these measures are modeled as businessprocesses that require resources and are endangeredby threats. Detection measures invoke counter- and/orrecovery measures. The quality of the measure affects thepoint in time when detection or invoking respectively,takes place. Counter measures try to eliminate an oc-curred threat and recovery measures try to re-establishthe functionality of potentially affected business processelements. Basically, detection measures are the first stepand thus can influence counter and recovery measures,whereas the efficiency and effectiveness of counter mea-sures only influences following (or overlapping acting)recovery measures. Fig. 1 shows the conceptual approachdescribed above. In our opinion, a real strength of ourapproach is that results of typical projects, such asbusiness process analyses, risk assessments or businessimpact analyses do not end up as dusty reports incabinets but can be modeled and continuously used forsimulation purposes. Following, we motivate our visionof building the bridge between the business processmanagement and risk as well as contingency domains.To exemplify our vision, Fig. 2 schematically depictscore activities of the Business Continuity Management(BCM) Life Cycle (left side) according to [6], [7] and coreactivities of the Business Process Modeling paradigmBPMS (right side) according to [26]. In between ourbridging concept is sketched that is described belowFig. 2. The following items describe the steps how thementioned domains may be applied in a more integratedway: (1) The interconnection of business process mod-eling and simulation techniques with business impactanalysis and risk assessment techniques enables the risk-


Fig. 2. Introduction of Risks into Business Process Man-agement

aware business process analysis. (2) Processes can bebetter understood not only focusing on economic factorsbut also taking risks and business process activity dis-ruptions into consideration. Exemplarily, financial andreputational impacts of a process interruption are takeninto account when defining strategic guidelines, successfactors and essential criteria (e.g. availability require-ments) for the business processes of a company. (3) Thisbroadened view on business delivers added value when(re-) engineering and optimizing the business processes.Subsequently, business processes are available whichhave been designed under consideration of economic,continuity and risk information. (4) This delivers addedvalue for determining BCM options as the evaluationof potential strategies (e.g. alternate data center) can betightly aligned to the available business process informa-tion (e.g. product/service value, processes’ prioritizationor availability/recovery requirements). (5) Selecting themost appropriate option is the basis for developing andimplementing the BCM response. Accordingly, plans canbe developed considering process characteristic such asminimal resource requirements after an incident. (6) Therisk-aware designed business processes and the relatedcontinuity plans build the fundament for determiningappropriate resources. This comprises not only resourceutilization considerations to perform the business pro-cess activities under normal conditions. When a threatoccurs, it endangers the activities’ execution and causesthe invocation of plans that detail the steps to be takenduring and after an incident to maintain and restoreoperations. (7) This further leads to a sufficient imple-mentation of both, the business process execution inthe operation environment and the institution of thebusiness continuity and business recovery plans. (8)The aggregation and preparation of process informa-tion, extraction of performance indicators and metricsserves as valuable input for iterations in the BCM lifecycle. (9) Vice versa, lessons learned and metrics fromplans’ rehearsal or even invoked plans is the start forcontinuously improve the understanding of a company’s

business and its processes.

3 THE FORMAL MODEL

In this section, we introduce our novel formal descrip-tion for modeling threats, detection-, counter-, and re-covery measures, their interdependencies, as well asthe impact on the attributes of affected resources. Fordemonstration purposes we will focus on the securityattributes confidentiality, integrity and availability. Sub-sequently, we will use a sample scenario to show howour formal model can be used to support an evaluationinitiative of a company.

3.1 A Formal Description of Business Process Ele-mentsTo simulate the continuous execution of businessprocess elements (BPE) [47], we first introducethe set of resources R = {R1, . . . , Rn}, the set ofactivities Act = {Act1, ..., Actl} and the set of attributesA = {A1, . . . , Am}. Every single resource and activityhave their own attributes out of the set A . Withinour formal model, the interaction between activitesand resources is realized as Resource requirementsRRi, where i stands for the corresponding activity.These elements hold information about the attributes ofcertain resources needed to execute successfully. Thiscan be graphically expressed as seen in Fig.1. This couldalso be formally expressed, using the tuples (Rj , Aj , �)where Rj is the needed resource, Aj its specific neededattribute and � represents a threshold defining theminimum attribute condition that is necessary toexecute the acivity. Using the logical operators ∨/∧, itis possible to create a whole resource tree needed forexecution of a certain activity (including the possibilityto represent redundancies of resources).For clarity, we provide an example, referring to Fig.1. The mentioned activity is named Act2. Our set ofattributes consists of 2 elements: A1 is the availability ofa certain BPE and A2 the integrity of a BPE. To executethis activity successfully, it is necessary to have ServerR1 access (availability 80%, integrity 100%), an availableclient PC R2 (availability 100%) and, as can be seen inthe figure, one of the two employees R3, R4 (availability80%). In our model we would express this as follows:

RR2 = (R1, A1, 0.8, A2, 1.0) ∧ (R2, A1, 1.0)∧[(R3, A1, 0.8) ∨ (R3, A1, 0.8)]

(1)

3.2 A Formal Description of the Behavior and Ef-fects of Threats and SafeguardsIn order to simulate threats, it is indispensible to for-mally describe the impacts of threats on business pro-cesses and the effects of counter- and recovery measures.In this section we therefore introduce our formal model,which achieves the abovementioned objective.As our approach focuses on business process manage-ment, we assume that threats can affect specific attributes


of business process elements (BPE), such as the availabil-ity of a resource or the execution of an activity.In order to formally describe a threat, we introducean impact function !(t) that holds information about athreat’s characteristics, such as its behavior or speed.Let T = {T1, . . . , Tn} be the set of possible threats. EveryTn possesses the following four parameters, which ex-press the threats outcome: (1) pn indicates the probabilityof occurrence in (2) a given interval [t0; t1]; (3) the impactfunction !n(t); and (4) the corresponding attribute.For example, a threat T1 (e.g., virus) that attacks theattribute A4 (e.g., availability) with the occurrence prob-ability p1 (e.g., 70%) within the time interval 2 and 5.5and the impact function !1(t) (e.g. linear function) canbe formally expressed as:

[T1; 0.7; [2, 5.5];!1(t);A4]. (2)

A threat can be eliminated by safeguards. We groupsafeguards according to their behavior into preventive,blocking and reactive measures. The comprehensive dif-ferentiation between these types is described in thefollowing paragraphs.Preventive measures: A preventive action influencesa threat’s probability of occurrence. An example ofpreventive measures against the threat "fire" would bethe usage of fireproof materials in a building or theintroduction of a non-smoking policy in a company.Let PA = {PA1, . . . , PAm} be the set of all preventiveactions. One specific action can be described as a set oftuples

PAm := {(Tk, �k), . . .} (3)

where Tk is the applicable threat and �k the linkedprobability. A threats occurrence probability pn is de-creased by �n leading to the new occurrence probabilityp̃n : p̃n = pn − �n.Blocking measures: Blocking measures are defined inour model as safeguards that immediately destroy athreat on detection. Therefore, no further consequencesarise for the business processes. An example of a block-ing measure would be the live scanning of e-mails. If avirus is detected in the e-mail traffic by the scanner it isimmediately quarantined or deleted.Let BA = {BA1, . . . , BAl} be the set of blocking actions,then every BAl can be described as a set of tuples

BAl := {(Tk, �k), . . .} (4)

where Tk is the applicable threat and �k is the probabilityof its detection. The difference between those two proba-bilities is obvious. While the p̃n stands for the probabilityof a threat occurring, the probability �k decides whethera threat is detected and immediately destroyed.Reactive measures: A reactive measure can be definedas a safeguard that counteracts threats during an attack.Examples of reactive measures would be the manualremoval of a virus.As threats invoking a reactive measure may already havecaused damage, it consists of following three parts: (a)

detection measures, (b) counter measures and (c) recov-ery measures. These three measures are modeled in pro-cesses and therefore have similar characteristics as BPEs,such as certain resource requirements. An active threatis necessary for a successful detection. The detectionalso decides which counter measure is appropriate fora given threat. The counter measure then decides whichrecovery measure is needed. A simplified representationwould be:Detection → Counter Measures → Recovery. While thecounter measure starts immediately after the detectionperiod is over, the recovery measure can overlap with thecounter measure and begin while the counter measureis still active.To realize this we state: The detection measure hasno direct or indirect influence on the threat itself. Thedetection is active in every time step. The predefineddetection period starts as soon as there is a recognizablechange in the attribute’s condition function. We specifya specific detection measure as follows:

DMk := {Tj , Ai, dmk(t), (CMm, . . .)} (5)

where Tj is the threat, which may by definition bedetected by the specific detection measure DMk, Ai thespecific attribute, dmk(t) the function that describes theprobability of recognizing the threat Tj at a given "at-tribute’s condition" and the required counter measuresCMm, which can also be a multidimensional vector. Thedefinition of the function dmk enables us to define athreat that should be detected once the damage is x%.The counter measures affect a threat’s state and thereforehave an influence on the impact function !n(t) of alinked threat Tn. A certain counter measure CMm isfurther expressed as

CMm := {cmm(t), (RMn, . . .), (tcn, . . .)} (6)

where cmm(t) is the function that describes the effecton the threat’s impact function, RMn are the requiredrecovery measures and tcn is the threshold, which holdsinformation on when the recovery can start. The influ-ence on the threat’s impact can be realized by a newimpact function:

!̃n(t) := !n(t) ⋅ (1− cmm(t)) (7)

To know at which time step tr the recovery measureRMn is started, we require two assumptions:

1) !̃n(tr) = tcn2) !̃′n(tk) ≤ 0

The counter measure is stopped once !̃n(t) = 0.The recovery measure has a direct influence on theattribute’s condition function zi(t). It is further specifiedthrough a recovery function rmi(t) . The influence on thecondition of an attribute can be seen as a new conditionfunction

z̃i(t) := zi(t) + rmi(t) (8)

The recovery ends once the condition z̃i(t) = 1.


In the following we outline how our method can beapplied to model an activity’s attributes "availability"and "integrity".

3.3 Modeling the Activity’s Attribute AvailabilityWe assume that every activity has a "degree of comple-tion" attribute G : ℝ→ [0, 1] (continuous). The activity isconsidered completed once G = 1. Finite activities havethe following characteristic properties:

∃ t̃ ∈ ℝ with G(t̃) = 1 (9)

∃ g, integrable, with G(t) =

∫ t

0

g(u)du (10)

Hence, the execution time of a process activity is thesolution of the following integral equation:

G(t̃) =

∫ t̃

0

g(u)du (11)

To measure the effect of a threat attacking the availabilityattribute of an activity, function (11) has to be enhancedwith the threat’s impact function !(t):

G(t̃) =

∫ t̃

0

g(u)− !(u)du (12)

3.4 Modeling the Activity’s Attribute IntegrityCertain activities exhibit the attribute "integrity". Tomeasure integrity loss we use a similar approach asdescribed in section 3.3. We assume the integrity of acertain activity to be a real function i : ℝ→ [0, 1]. Whileno threat is active, we set i(t) = 1. The loss of integrityis defined as follows:

IL(t) =

∫ t

t0

(1− i(u))du (13)

While no threat is active, the "loss of integrity" is constantequal 0, IL(t) = 0. Regarding the impact of a certainthreat on the activities’ integrity, we enhance the abovefunction (13) with the threat’s impact function !(u):

IL(t) =

∫ t

t0

(1− (i(u)− !(u)))du (14)

with !(u) being the integrity impact of a certain threatand t0 standing for the starting time of the activity. Theenhanced function enables us to measure the resultingloss of integrity.

3.5 Relation between Resources’ and Activities’ At-tributesWhen a threat attacks any of a resource’s attributes toa significant extent, the resulting impact has an indi-rect influence on the corresponding activity’s attribute.We assume that this interrelation is proportional tothe difference emerging from the actual resource’s at-tribute condition and the needed attribute condition. The

needed state of an attribute � can be obtained fromthe corresponding resource requirements (see section 3.1,equation (1)).Let Ntm be the actual condition of a resource’s attributeAi(t) at time unit tm, 0 < Ntm < 1. If the condition Ntm

reaches the threshold �, then the condition’s alterationhas an influence on the linked activity’s attribute. Torealize this we define a help function:

'(t) = f(� −Nt) (15)f(0) = 0 (16)

The help function '(t) can be seen as function of threatimpact on the activity’s attribute, which depends onlyon the resource’s condition and is independent of theoriginal threat’s impact function. Fig. 3 illustrates the

Fig. 3. Influence of a Threat and its Consequences onthe Availability Condition Function. In Ascending Order:Impact Function, Resource Attribute Condition and Activ-ity Attribute Condition

influence of a threat impact on the linked resource’savailability condition. Additionally, it shows that anattacked resource’s availability has an indirect influenceon the activity’s completion function. The lower chartdepicts the threat’s impact over time, while the middlechart shows the according impact of the threat on theavailability of the affected resource over time. The upperchart shows the resulting impact on the continuouscompletion function of the assigned activity (leading toan increase in the execution time). In this section weoutlined how relations between activity attributes andresource attributes can be described using the exampleof the attribute "availability". This example applies anal-ogously to all similar cases (e.g., integrity attribute).


4 EVALUATION

This section provides information on how our formaldescription can serve as input for conducting risk-awarebusiness process simulations. We therefore introducea sample scenario and demonstrate how we simulateeffects of threats and safeguards using the professionaltoolkit Simulink R⃝.

4.1 Sample Scenario

In order to demonstrate the capabilities of our formalmodel, we introduce a sample scenario, which is lateron used to show how our approach can be applied toreal world scenarios. For sake of clarity this is a stylizedbusiness case.For our sample scenario we assume that the companyACME has business processes and that the employeesassigned to several of these busines process activitiesrequire computer client resources to perform their work.An audit was conducted and one of its findings was thatimprovements should be made in client protection - froman organizational perspective through appropriate poli-cies and procedures and on the technical side throughthe implementation of an adequate anti-malware solu-tion. Thus, ACME decided in the course of an improve-ment initiative to assess different organizational andtechnical solutions. ACME analysts identified the follow-ing actions that should be considered and evaluated: (1)preventive policies, procedures and awareness trainingsin order to reduce the probability of successful malwareattacks and spreading; (2) an intrusion detection systemat the network layer; (3) an anti-malware tool on clientside for which different options should be evaluatedfrom a cost/benefit perspective; (4) clear proceduresregarding how to react to a malware incident; (5) clearprocedures regarding how to recover from a malware-incident.After an exhaustive analysis workshop, ACME identified15 incidents with a major impact on the availabilityof clients that had been reported within the last year.According to British Telecom, an average business suf-fers 11 virus attacks per day [48] - ACME takes thisvalue as feasible input data for further considerations.Furthermore, the Information Security Breaches Survey2008 [10] indicated that the median number of breachesof large businesses is three significant infections per year.Thus, the management of ACME decided that a strategicmajor goal would be to reach this median. Appropriateanalyses and evaluations regarding organizational andtechnical actions should be performed to justify securityinvestments and to gain the management approval forimplementation projects.The initial solution planning workshop resulted in thefollowing proposals for further (scenario) evaluations.Two anti-virus toolkits should be evaluated. The prod-ucts vary in acquisition costs and detection rate.

4.2 Implementation

The main layer (Fig. 4) of the model represents ourinternal setting, which is composed of 2 activities (1stLevel Support and 2nd Level Support) and 2 resources (PCsand Server) for each activity. Fig. 4 shows the main layerof the built Simulink model.On the left side of this layer the blocks simin andChart construct incoming "calls" for the activity 1st LevelSupport. This signal, represented by a Boolean, getsforwarded to the activity block itself and is there usedto determine whether the activity has to be executed ornot (0 stands for no execution, 1 represents a "need ofexecution"). The outcome variables of this block are thesignals Backlog, Resourceneeds, Next Needs, Integrities andDegrees. Resourceneeds is used to determine whether theserver and PCs are needed. Backlog counts the piled upcalls. Integrities and Degrees are the two attributes "Lossof Integrity" (LI) and "Degree of Completion" (DC), bothintroduced in sections 3.3 and 3.4. They record the stateof the attributes’ conditions. Next Needs is of Booleantype. This signal is usually set to 0. Whenever 1st LevelSupport has finished an execution, the signal is set to 1.The 2nd Level block represents a decision. Wheneverthe input signal (In1) is 1, the block decides whether2nd Level Support is needed or not. The block 2nd LevelSupport is built in the same way as 1st Level Support, withthe only difference being that there is no output signalNext Needs.The PCs and Server blocks represent the implementedresources. Both activities need PC availability, serveravailability and server integrity for successful execution.The input signals (Needsact1, Needsact2) hold informationon the extent of availability/integrity that is needed bythe activites. The output signals (Availabilities, Availabili-ties1 and Integrity, Integrity1) contain information on thepossible degree of availability or integrity the resourcesare able to provide. This information serves as an inputsignal for both activities 1st Level Support and 2nd LevelSupport.The activity layer (Fig. 5) is the subsystem of the two

Fig. 6. Simulation Model: Resource Layer

activity blocks 1st Level Support and 2nd Level Support. Ithas three input signals: Initialize, Resourcegets Availabilityand Resourcegets Integrity. The input signal Initialize isforwarded to the state flow chart on/off which switchesthe activity on or off. If it is switched on the output signalon_off is set to 1. This indicator is forwarded to the out


Fig. 4. Simulation Model: Main Layer

Fig. 5. Simulation Model: Activity Layer

Fig. 7. Simulation Model: Detection - Counter - Recov-ery Measure Layer

Fig. 8. Simulation Model: Threat Layer

port Resourceneeds and further used for calculation of DCand LI.The blocks Add1 and Add2 realize '(t), defined in equa-tion (16). According to our formal model (see subsection3.3), this signal gets integrated into the Degree of Comple-tion block. The second input port of this block is only of atechnical nature. It is a so-called trigger signal (Boolean)that resets the integral value back to its initial value 0.The finished? block determines if the Degree of Completionequals 1. If so, an indicator for a finished execution ofthe activity switches the on_off signal in the block on/offback to 0.

The same subsystem calculates the LI attribute condi-tion. The blocks Add3, Add4 and Add5 realize '(t). Thisfunction gets integrated into the Integrity Mismatch block,according to our formal model (see subsection 3.4). Thesecond input port of the integrator is again a resettingtrigger, as described above. This value gets further com-pared to a changeable constant that determines whetherthere is enough integrity for a successful execution. Thisis a result of the fact that integrity is either 1 or 0.Fig. 6 shows the resource layer. This subsystem standsfor the two resources PCs and Server. We chose todescribe only one of the two resource layer. It containstwo further subsystems: the threat layer (Fig. 8) and theCounter mechanisms layer (Fig. 7).For the prototypical simulation we exemplarily simu-lated two threats on different attributes. The first threatattacks the availability attribute of a resource, the secondthreat its integrity attribute. This is again implementedin two different subsystems working in the same way.For explanation we focus on the server’s availability.The resource layer contains the Resource block, thecounter measure mechanisms block DCR and a corre-sponding Threat block. The Resource block is realizedas an embedded Matlab R⃝ function block. This meansthat within the block we created a Matlab R⃝ functionthat calculates the resource’s condition (state_in) at eachtime step of the simulation. Depending on the input


signals - th_value_in, rec_values_in - the condition is de-creasing or increasing respectively. Therefore, the outputsignal of that block is the attribute’s condition (Availabil-ity_Attribute_Condition). This signal is forwarded to thecorresponding DCR block, which is described below. Theoutput signals of the DCR block are: Countervalue andRecoveryvalue. The counter value serves as input signalsfor the corresponding Threat block, while the recoveryvalue is directly connected to the Resource block. TheThreat block represents the threat’s impact value. Theinput signal Counter Measure decreases the threat’s healthand therefore its impact value, which is sent on to theResource block.The detection - counter - recovery measure layer canbe seen in Fig. 7. It contains three blocks, one for eachmeasure. This subsystem has two input signals, Attributeand Threat Impact, and two output signals, Countervalueand Recoveryvalue. The input signal Attribute is used forthe Recovery and Detection blocks.By the same token,the Threat Impact signal serves as input for the Detectionand Counter blocks. The two output signals Countervalueand Recoveryvalue represent the values of the counterand recovery measure at each time step, which arefurther used as input signals for the Threat block andthe Resource block from the resource layer.The Detection block has two input signals, Attribute andImpact, which come directly from the resource layer.The first one is used to calculate a pointwise detec-tion probability, depending on the attribute’s conditionfunction dm1(t) in our formal model (see section 3.2,equation (5)). The time dependency is only a formalrepresentation. Whenever this value is larger than acertain threshold (determined by random numbers), thethreat is said to be detected. In this case, the outputsignal detected is set true, and calls the correspondingcounter measure (Counter block). The second input signalImpact is only used to re-enable the detection measure,as it gets inactive after detecting the threat.The Counter block has two input parameters. The firstIn1 comes directly from the Detection and is of Booleannature, the second signal In2 represents the threat’shealth resp. impact and comes directly from the Threatblock in the resource layer. Within the block there isan on/off switch which is turned "on" once the Booleansignal In1 is true, which is when the threat is successfullydetected. Once the block is activated the block calculatesa counter value on the basis of the counter measurefunction cm1(t) (see section 3.2, equation (6)) from ourformal model. This value is the output signal Out2. Aslong as the threat remains undetected, the counter valueis set to 0. The second output signal Out1 is used as anindicator value for the start of the recovery measure. Itis set to 1 once the counter measure has been successful.The Recovery block works in a very similar way to theCounter block. It has two input signals. In1 comes directlyfrom the Resource block in the resource layer, and In2,which is the indicator value of the abovementionedCounter block. Once the recovery starts, which is when

the indicator is set to 1, the block calculates a recoveryvalue on the basis of the recovery function rm1(t) de-fined in the formal model (see section 3.2, equation (8)).This value also serves as the only output signal of theRecovery block, and is 0 as long as the counter measuredoes not activate the recovery measure.The threat layer (Fig. 8) has only one input signal,Counter Measure, representing cm1(t). To decide whethera threat is going to be active, we draw a random numberin each time step. Once the block Random Number drawsa number larger than a certain threshold, the threatoccurs. This is realized in Switch on/off. Once there is anactive threat in a certain time step, Switch on/off switchesto on and the signal t starts to run at 0, representing thetime the threat is active. It is used as an input signalfor the Impact and Health block. This block calculates theactual Health depending on the Counter Measure signal.Additionally it determines the impact value, dependingon the threat’s health. This is realized as an embeddedMatlab R⃝ function, which consists of the impact function!1(t). As described in our formal model the basic impactfunction !1(t) is enhanced with a factor that representsthe counter measure value. The enhanced impact func-tion would be !̃1(t) (see equation 7). This function isused within the Impact and Health block to determine thethreat’s health and impact. The only output signal Impactserves as an input signal for the Resource block in theresource layer and for the corresponding DCR block.

4.3 Simulation Results

This section discusses the initial results gained from ourproof-of-concept simulation of the sample scenario. Wecompare two different settings where the introducedapproach was used and demonstrate how changes in thescenario impact backlogs and revenues of activities.We simulated two scenarios differing in the quality ofthe blocking measure of the availability threats. Fig. 9depicts scenario 1. The implemented blocking measurehas a detection rate of 75% for the availability threat and84% for the implemented integrity threat. The purchasecost of the availability threat blocking measure is setto 12,000$ and the cost of the integrity threat blockingmeasure is 7,000$. As there are no running costs, thiswould be the only expense for these particular measures.Fig. 9 consists of eight corresponding subplots. Subplots(f)-(h) one can see the Integrity impact (h), the conditionfunction of the integrity attribute (g) of the implementedresource and the linked integrity attribute (h) of theoverlying activity. We see one successful attack by thethreat. It has only a minor influence on the resource’sintegrity attribute due to its small and short impact. Thesudden decrease of the threat’s impact function is dueto the strong counter measures. This leads to a loss ofthe activity’s integrity attribute. This happens aroundthe simulation time 150-250. The gap in the activity’sintegrity around the time 50-80 is due to the lack of anactivity itself. Regarding the impacts of an integrity loss


Fig. 9. Simulation Results of Scenario 1. AvailabilityBlocking Measure: 75%

we assume a negative income (i.e. additional costs).Subplots (c)-(e) show two attacks on the availabilityattribute of a certain resource, where (e) shows the avail-ability impact, (d) the resource’s availability attributecondition and (c) the resulting influence on the activity’scompletion. We assume an activity to be finished oncethe completion function is 1; this function can be seenin subplot (c). Due to the less efficient blocking measure(75%), two threats are able to attack successfully. Theyhave a significant effect on the resource’s availability,as can be seen in subplot (d). For a short period oftime the resource is even completely unavailable. Thisresults in a deceleration of the activity’s completion. Thecounter measure period is rather short in comparisonto its recovery period, which takes a particularly longtime (d). One can see that even more than one activityexperiences a deceleration in completion due to the longrecovery period of the needed resource.In subplots (a)-(b) we can now see the overall benefit(b) and the arising backlog (a). Due to the cheap butweak blocking measure and the resulting threats, thereis almost no benefit. The counter and recovery periodsof the attacked resource cost more than the activity isable to produce, hence the decrease and increase in thebenefit function in subplot (b). The backlog is initallygood, but in the periods of availability loss the backlogcannot be processed. Fig. 10 shows the simulation resultsof scenario 2. As mentioned above, the difference lies inthe availability threat blocking measure. It now has adetection percentage of 95%, while the integrity threatblocking measure stays the same (84%). Due to thehigher quality of the availability threat blocking measure

Fig. 10. Simulation Results of Scenario 2. AvailabilityBlocking Measure: 95%

the purchase costs are 22,000$, 7,000$ respectively.Subplots (f)-(h) are exactly the same as in scenario 1.Due to the better availability threat blocking measure,no availability threat is able to attack successfully. Thisresults in a constant impact curve ≡ 0, which is repre-sented in chart (e). Therefore, the availability attributeof the resource is constant ≡ 1 (d). In this case everyactivity can be processed in the same predefined timeperiod. The results of this simulation show that the lackof successful threats yields a significant lower backlog (a)and an almost constant increase in benefit (b). The slightdip in the benefit function (b) is due to the successfulattack of an integrity threat ((f)-(h)), resulting in negativeincome for a brief period of time.When comparing the two scenarios, scenario 2 is clearlythe better choice. Despite the higher purchase costs, thebenefit of the better availability threat blocking measureis significant, as can be seen in both the subplots (a) and(b).

5 CONCLUSION

The management of processes and the calculation ofrisks that threaten the meeting of organizational objec-tives have been performed for decades. However, inrecent years, it can be observed that regulative bod-ies increasingly force companies to take more stringentmeasures regarding risk and business continuity aspectswhen economically optimizing their business processes.This new challenge has also been addressed by the sci-entific community, leading to substantial research resultsconcerning the integration of security and risk aspectsinto business process analysis and design. Nevertheless,


few research efforts can be found in the simulation-basedevaluation of risk impacts on the execution of businessprocesses.In this paper we presented our current research re-sults in the field of risk-aware business process man-agement. The major contribution of this paper is theintroduction of a novel formal model and simulationapproach enabling the simultaneous consideration ofeconomic, risk and contingency aspects when analyz-ing and designing business processes. We introduceda formal model enabling the expression of businessprocess elements as well as relations to and betweenthreats and safeguarding measures. We described ourformal model and a prototypical implementation withthe professional toolkit Simulink R⃝ on the basis of ademonstrative sample scenario. We built a formal modelconsisting of the succeeding key elements: Threats affectattributes of business process elements, such as availabil-ity, confidentiality or (indirectly) execution times. Threatpreventing or threat defeating measures are grouped intopreventive, blocking and reactive measures. Preventivemeasures affect the occurrence probability of a threat(e.g., no-smoking policy). Blocking measures immedi-ately eliminate a threat once recognized (e.g., anti-virusscanner) giving the threat no chance to harm anything.Reactive measures consist of the three parts Detection,Counter, and Recovery measures: Detection measurescan recognize a threat with a defined effectiveness andaccordingly invoke appropriate counter and/or recoveryMeasures. Counter measures try to eliminate an occurredthreat, and recovery measures re-establish the intendedfunctionality of attacked attributes. Reactive measuresare modeled as processes that, like business processeshave a specific process flow and resource requirements.Our novel formal model allows us to map real worldscenarios with professional tools like Simulink R⃝ in orderto perform risk-aware business process simulations. Thesimulation results have been very promising, showingthe negative impacts of threats and the positive effectsof safeguarding measures on the execution of businessprocesses.The tailoring of our approach to different situationsthan presented in the stylized scenario is possible as theintroduced formal model provides sufficient flexibility.The required modeling effort depends on the wantedlevel of granularity. Exemplarily, in the case of a high-level business impact analysis in order to determine theorder of impacts’ magnitude and the greater overviewabout dependencies between processes and resourcesthe required effort is rather low.However, one must notforget the effort for the information gathering phase.Business specialists have to be questioned in order todetermine process activities, connections to resources(e.g. required services) and potential risk scenarios. Sub-sequently, technical specialists have to enrich the modelwith details of the underlying infrastructure (e.g. servercluster) and assessment of related information and com-munication technology risks.

The application of our proposed method is expected torender the following benefits: (1) Integrated modeling ofbusiness processes, risks as well as detection, counter,and recovery measure information. Consequently, thisallows the simulation of threats and safeguard measureson attributes of business process elements, such as theavailability or integrity of a resource. Subsequently, im-pacts on business process executions can be derivedin a simulation-based way. (2) Identification of singlepoints of failure or substantial weaknesses in resourceplanning and allocation. Simulation-based determinationof resource requirements of business processes withregard to numerous threat scenarios. (3) Provision ofvaluable information concerning the justification of secu-rity/contingency investments when simulating differentthreatening and mitigation scenarios. Metrics such asthe maximum tolerable period of disruption (MTPD) ormean time between failures (MTBF) can easily be deter-mined. These may again serve as valuable input, e.g., forreviewing service level agreements. (4) Simulation-basedsupport of target-performance evaluations enhancingcontinuous process improvement cycles.Currently, we focus on two further research challengesthat extend our formal model and simulation approach:(1) Extension of the formal model to consider servicelevel management aspects (e.g., planning service levelagreements from a requester’s view or analyzing impactsof resource disruption regarding agreement breachesfrom a provider’s view), and (2) dynamic resource re-allocation taking into consideration resource require-ments of counter and recovery measures and prioritiesof business processes affecting this re-allocation.We are convinced that our approach has the potentialto find its way into business process analyzing andplanning domains where it would provide substantialsupport in the integrated consideration of economic aswell as risk and continuity aspects.

REFERENCES[1] G. Inc., “Misconceptions on process optimization and simulation.”

Gartner Blog, 2009.[2] NIST Special Publication 800-30, Risk Management Guide for Infor-

mation Technology Systems, National Institute of Standards andTechnology (NIST) Std., 2002.

[3] BSI (German Federal Office for Information Security), “IT-Grundschutz Manual (english version),” 2004.

[4] ISO/IEC 13335-1:2004, Information technology - Security techniques- Management of information and communications technology security- Part 1: Concepts and models for information and communicationstechnology security management, ISO/IEC Std., 2004.

[5] NIST SP800-61: Computer security incident handling guide, NationalInstitute of Standards and Technology Std., 2004.

[6] British Standard BS25999-1:2006: Business Continuity Management -Part 1: Code of practice, British Standard Institute (BSI) Std., 2006.

[7] British Standard BS25999-2:2007: Business Continuity Management -Part 2: Specification, British Standard Institute (BSI) Std., 2007.

[8] ISO/IEC 24762:2008 Information technology - Security techniques -Guidelines for information and communications technology disasterrecovery services, ISO/IEC Std., 2008.

[9] European Network and Information Security Agency (ENISA),“Business and it continuity overview and implementation princi-ples,” 2008.

[10] Department for Business, Enterprise & Regulatory Reform(BERR), “2008 information security breaches survey.” 2008.

[11] Business Continuity Institute, “Good Prac-tice Guidelines,” 2008. [Online]. Available:http://www.thebci.org/gpgdownloadpage.htm


[12] J. Burtles, Principles and practice of business continuity. RothsteinAssociates Inc, 2007.

[13] Gartner Inc, “Gartner exp worldwide survey of more than 1.500cios shows it spending to be flat in 2009,” 2009. [Online].Available: http://www.gartner.com/it/page.jsp?id=855612

[14] AON, “Global risk management survey ’09,” 2009. [Online].Available: http://www.aon.com/2009risksurvey

[15] The MathWorks, “Simulink - simulationand model-based design.” [Online]. Available:http://www.mathworks.com/products/simulink

[16] ISO/IEC 27005:2008 Information technology - Security techniques -Information security risk management, ISO/IEC Std., 2008.

[17] CERT. (2009) OCTAVE. [Online]. Available:http://www.cert.org/octave

[18] MIL-STD-1629: A Military standard - Procedures for performing afailure mode effects and critically analysis, Department of DefenseStd., 1980.

[19] S. Kmenta and K. Ishii, “Scenario-based fmea: A life cycle costperspective.”

[20] British Standards Institution, “Pas56,” 2003.[21] ISO/PAS 22399:2007: Societal security - Guideline for incident pre-

paredness and operational continuity management, ISO/PAS Std.,2007.

[22] National Institute of Standards and Technology, “Nist sp800-34: Contingency planning guide for information technology sys-tems,” 2002.

[23] Business Process Modeling Notation (BPMN) 1.2, Object Manage-ment Group (OMG) Std.

[24] A. W. Scheer and M. Nüttgens, “Aris architecture and referencemodels for business process management,” in BPM, 2000.

[25] Workflow Management Coalition Specification The Workflow ReferenceModel, Workflow Management Coalition Std.

[26] D. Karagiannis, S. Junginger, and R. Strobl, Business Process Mod-elling. Springer, Berlin, 1996, ch. Introduction to Business ProcessManagement Systems Concepts, pp. 81–106.

[27] M. zur Muehlen and M. Rosemann, “Integrating risks in businessprocess models,” in Australasian Conference on Information Systems(ACIS 2005), 2005.

[28] D. Neiger, L. Churilov, M. zur Muehlen, and M. Rosemann,“Integrating risks in business process models with value focusedprocess engineering,” in European Conference on Information Sys-tems (ECIS 2006), 2006.

[29] N. Milanovic, B. Milic, and M. Malek, “Modeling business processavailability,” in IEEE International Conference on Services Computing(SCC 2008), 2008.

[30] S. Sackmann, “A reference model for process-oriented it riskmanagement,” in 16th European Conference on Information Systems,2008.

[31] S. Sackmann, L. Lowis, and K. Kittel, “Selecting services in busi-ness process execution - a risk-based approach,” in Business Ser-vices: Konzepte, Technologien, Anwendungen, Tagung Wirtschaftsinfor-matik (WI09), 2009.

[32] S. Röhrig, “Using process models to analyse it security require-ments,” Ph.D. dissertation, University of Zurich, 2003.

[33] A. Rodríguez, E. Fernández-Medina, and M. Piattini, “Towardsa uml 2.0 extension for the modeling of security requirements inbusiness processes,” in International Conference on Trust and Privacyin Digital Business (TrustBus 2006), 2006.

[34] R. J. Ellison, R. C. Linger, T. Longstaff, and N. R. Mead, “Sur-vivable network system analysis: A case study,” IEEE Software,vol. 16, pp. 70–77, 1999.

[35] T. Neubauer, M. Klemen, and S. Biffl, “Business process-basedvaluation of it-security,” in Economics-driven software engineeringresearch (EDSER 2005), 2005.

[36] A. Sienou, E. Lamine, and H. Pingaud, “A method for integratedmanagement of process-risk,” in 1st International Workshop on Gov-ernance, Risk and Compliance - Applications in Information Systems(GRCIS’08), 2008.

[37] I. Weber, G. Governatori, and J. Hoffmann, “Approximate compli-ance checking for annotated process models,” in 1st InternationalWorkshop on Governance, Risk and Compliance - Applications inInformation Systems (GRCIS’08), 2008.

[38] S. Sadiq, G. Governatori, and K. Namiri, “Modelling controlobjectives for business process compliance,” in 5th InternationalConference on Business Process Management (BPM2007), 2007.

[39] A. Jallow, B. Majeed, K. Vergidis, A. Tiwari, and R.Roy, “Opera-tional risk analysis in business processes,” BT Technology Journal,vol. 25, 2007.

[40] M. Modarres, M. Kaminskiy, and V. Krivtsov, Reliability Engineer-ing and Risk Analysis: A Practical Guide, 2nd ed. CRC Press, 2009.

[41] H. Wang and H. Pham, Reliability and Optimal Maintenance, ser.Springer Series in Reliability Engineering. Springer London,2006, ch. Monte Carlo Reliability Simulation of Complex Systems,pp. 275–294.

[42] B. L. A. Naessa and O. Batsevychc, “System reliability analysis byenhanced monte carlo simulation,” Structural safety, vol. 31, no. 5,pp. 349–355, September 2009.

[43] S. Jakoubi, G. Goluch, S. Tjoa, and G. Quirchmayr, “Derivingresource requirements applying risk-aware business process mod-eling and simulation,” in 16th European Conference on InformationSystems, 2008, pp. 1542–1554.

[44] S. Tjoa, S. Jakoubi, and G. Quirchmayr, “Enhancing business im-pact analysis and risk assessment applying a risk-aware businessprocess modeling and simulation methodology,” in InternationalConference on Availability, Reliability and Security, 2008, pp. 179–186.

[45] S. Jakoubi, S. Tjoa, and G. Quirchmayr, “Rope: A methodologyfor enabling the risk-aware modelling and simulation of businessprocesses,” in Fifteenth European Conference on Information Systems,2007, pp. 1596–1607.

[46] S. Tjoa, S. Jakoubi, G. Goluch, and G. Quirchmayr, “Extensionof a methodology for risk-aware business process modeling andsimulation enabling process-oriented incident handling support,”in Advanced Information Networking and Applications, 2008, pp. 48–55.

[47] S. Jakoubi and S. Tjoa, “A reference model for risk-aware businessprocess management,” in International Conference on Risks andSecurity of Internet and Systems. IEEE, 2009.

[48] British Telecom, “Business continuity - bt data centre services,”accessed July 2009. [Online]. Available: http://business.bt.com/it-solutions/it-services/data-centre-services/business-continuity

Simon Tjoa received a master’s degree in business informatics fromthe University of Vienna. He is a research scientist at the St. PöltenUniversity of Applied Sciences. His current research interests includebusiness continuity management and business process security. He isa member of the IEEE and IEEE SMC.

Stefan Jakoubi received a master’s degree in business informatics fromthe University of Vienna. He is a researcher at the IT-Security compe-tence center Secure Business Austria. He is a member of the IEEE,ISACA, and associate member of the BCI. His research interests focuson business continuity management, business process managementand aspects of organizational security.

Gernot Goluch received the BSc and MSc degrees from Vienna Univer-sity of Technology. He is researcher at teh competence center SecureBusiness Austria. He is a member of the IEEE and his work focuseson the research area of risk with a focus on simulation approaches andformal modeling.

Gerhard Kitzler is currently working as researcher at the IT-Securitycompetence center Secure Business Austria. His research interestsinclude numerics of differential equations, modeling and simulation.

Sigrun Goluch is researcher at the IT-Security competence center Se-cure Business Austria. Her research focuses on graph theory, modelingand simulation.

Gerald Quirchmayr holds doctors degrees in computer science and lawfrom Johannes Kepler University in Linz and currently is Professor atthe Department of Distributed and Multimedia Systems at the Universityof Vienna. His research focus is on information systems in businessand government with a special interest in security, applications, formalrepresentations of decision making and legal issues. In 2002 he was ap-pointed as Adjunct Professor at the School of Computer and InformationScience of the University of South Australia.

IEEE TRANSACTIONS ON SERVICES COMPUTING 1 A ......S. Tjoa is with the St. Pölten University of...

Documents

Transcript of IEEE TRANSACTIONS ON SERVICES COMPUTING 1 A ......S. Tjoa is with the St. Pölten University of...