Challenges for Risk and Security Modelling in Enterprise Architecture

  • Gudmund GrovEmail author
  • Federico Mancini
  • Elsie Margrethe Staff Mestl
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 369)


From our experience cooperating with the Norwegian Armed Forces, we outline two interconnected challenges for modelling risk and security in an enterprise architecture: (1) modelling what is protected and why it is protected with sufficient detail whilst being simple enough to facilitate analysis; and (2) establishing automated support for analysing and reasoning about the security models, something we deem crucial to exploit the full potential of an enterprise security architecture. In addition, we sketch out our approach to tackle these challenges and outline our future direction of work.


Enterprise security architecture Diagrammatic risk and security modelling Automated reasoning 


  1. 1.
    Abdo, H., Kaouk, M., Flaus, J.M., Masse, F.: A safety/security risk analysis approach of industrial control systems: a cyber bowtie-combining new version of attack tree with bowtie analysis. Comput. Secur. 72, 175–195 (2018)CrossRefGoogle Scholar
  2. 2.
    Band, I., et al.: How to Model Enterprise Risk Management and Security with the ArchiMate Language. The Open Group white paper no. W172 (2017)Google Scholar
  3. 3.
    Van den Bosch, S.: Designing secure enterprise architectures - a comprehensive approach: framework, method, and modelling language. Master’s thesis, University of Twente (2014)Google Scholar
  4. 4.
    Cook, B.: Formal Reasoning About the Security of Amazon Web Services. In: Chockler, H., Weissenbacher, G. (eds.) CAV 2018. LNCS, vol. 10981, pp. 38–47. Springer, Cham (2018). Scholar
  5. 5.
    de Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: Ramakrishnan, C.R., Rehof, J. (eds.) TACAS 2008. LNCS, vol. 4963, pp. 337–340. Springer, Heidelberg (2008). Scholar
  6. 6.
    Gay, S.: CIS security capability breakdown version 2.00, NATO NCIA Technical report 2017/NCB010400/13, NATO Unclassified (2017)Google Scholar
  7. 7.
    Grov, G., Mestl, E.M.S., Mancini, F., Nordbotten, N.A.: Kan resonnering rundt sikkerhetsarkitektur automatiseres? en studie i sikkerhetsattributter og automatisk resonnering, FFI-report 18–01982 (2019)Google Scholar
  8. 8.
    Jørgensen, H.D., Liland, T., Skogvold, S.: Aligning TOGAF and NAF - experiences from the Norwegian Armed Forces. In: Johannesson, P., Krogstie, J., Opdahl, A.L. (eds.) PoEM 2011. LNBIP, vol. 92, pp. 131–146. Springer, Heidelberg (2011). Scholar
  9. 9.
    Kordy, B., Mauw, S., Radomirović, S., Schweitzer, P.: Foundations of attack–defense trees. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 80–95. Springer, Heidelberg (2011). Scholar
  10. 10.
    Leveson, N.: Engineering a Safer World: Systems Thinking Applied to Safety. MIT Press, Cambridge (2011)Google Scholar
  11. 11.
    Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Heidelberg (2010). Scholar
  12. 12.
    Mancini, F., et al.: Information security for unmanned and autonomous vehicles - main challenges and relevant operational concepts, FFI-report 19/00888 (exempt from public disclosure) (2019)Google Scholar
  13. 13.
    Mayer, N., Aubert, J., Grandry, E., Feltus, C., Goettelmann, E., Wieringa, R.: An integrated conceptual model for information system security risk management supported by enterprise architecture management. Softw. Syst. Model. 18(3), 2285–2312 (2019)CrossRefGoogle Scholar
  14. 14.
    de Ruijter, A., Guldenmund, F.: The bowtie method: a review. Saf. Sci. 88, 211–218 (2016)CrossRefGoogle Scholar
  15. 15.
    Schneider, B.: Attack trees: modelling security threats. Dr. Dobb’s J. Softw. Tools 24(12), 21–29 (1999)Google Scholar
  16. 16.
    Sherwood, N.A.: Enterprise Security Architecture: A Business-Driven Approach. CRC Press, Boca Raton (2005)CrossRefGoogle Scholar
  17. 17.
    Sindre, G., Opdahl, A.L.: Eliciting security requirements with misuse cases. Requirements Eng. 10(1), 34–44 (2005)CrossRefGoogle Scholar
  18. 18.
    Sunkle, S., Kulkarni, V., Roychoudhury, S.: Analyzing enterprise models using enterprise architecture-based ontology. In: Moreira, A., Schätz, B., Gray, J., Vallecillo, A., Clarke, P. (eds.) MODELS 2013. LNCS, vol. 8107, pp. 622–638. Springer, Heidelberg (2013). Scholar
  19. 19.
    Weinstock, C.B., Lipson, H.F., Goodenough, J.B.: Arguing Security - Creating Security Assurance Cases, white paper by the Software Engineering Institute (Carnegie Mellom University) (2007)Google Scholar
  20. 20.
    Wenzel, M., Chaieb, A.: SML with antiquotations embedded into Isabelle/Isar. In: Workshop on Programming Languages for Mechanized Mathematics (2007)Google Scholar
  21. 21.
    Wierda, G.: Mastering ArchiMate Edition III: A Serious Introduction to the ArchiMate Enterprise Architecture Modeling Language. R&A (2017)Google Scholar
  22. 22.
    Yamamoto, S., Kobayashi, N.: Mobile security assurance through archimate. IT CoNverg. PRAct. (INPRA) 4(3), 1–8 (2016)Google Scholar
  23. 23.
    Young, W., Leveson, N.G.: An integrated approach to safety and security based on systems theory. Commun. ACM 57(2), 31–35 (2014)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2019

Authors and Affiliations

  • Gudmund Grov
    • 1
    Email author
  • Federico Mancini
    • 1
  • Elsie Margrethe Staff Mestl
    • 1
  1. 1.The Norwegian Defence Research Establishment (FFI)KjellerNorway

Personalised recommendations