Business Process-Based Resource Importance Determination

  • Stefan Fenz
  • Andreas Ekelhart
  • Thomas Neubauer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5701)


Information security risk management (ISRM) heavily depends on realistic impact values representing the resources’ importance in the overall organizational context. Although a variety of ISRM approaches have been proposed, well-founded methods that provide an answer to the following question are still missing: How can business processes be used to determine resources’ importance in the overall organizational context? We answer this question by measuring the actual importance level of resources based on business processes. Therefore, this paper presents our novel business process-based resource importance determination method which provides ISRM with an efficient and powerful tool for deriving realistic resource importance figures solely from existing business processes. The conducted evaluation has shown that the calculation results of the developed method comply to the results gained in traditional workshop-based assessments.


Static process analysis 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Gerber, M., von Solms, R.: Management of risk in the information age. Computers & Security 24, 16–30 (2004)CrossRefGoogle Scholar
  2. 2.
    Commission of the European Communities: Communication from the Commission to the Council, The European Parliament, The European Economic and Social Committee and the Committee of the Regions ’A strategy for a Secure Information Society - Dialogue, partnership and empowerment”. COM (2006) 251 final (2006)Google Scholar
  3. 3.
    Cavusoglu, H., Mishra, B., Raghunathan, S.: The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce 9(1), 69–104 (2004)Google Scholar
  4. 4.
    Stoneburner, G., Goguen, A., Feringa, A.: Risk management guide for information technology systems. NIST Special Publication 800-30, National Institute of Standards and Technology (NIST), Gaithersburg, MD 20899-8930 (2002)Google Scholar
  5. 5.
    Voorhoeve, M., Van der Aalst, W.: Ad-hoc workflow: problems and solutions. In: Proceedings of the Eigth International Workshop on Database and Expert Systems Applications, pp. 36–40. IEEE Computer Society, Los Alamitos (1997)Google Scholar
  6. 6.
    van der Aalst, W.: Generic workflow models: How to handle dynamic change and capture management information? In: Conference on Cooperative Information Systems, pp. 115–126 (1999)Google Scholar
  7. 7.
    Mills, S.: The future of business - aligning business and it to create an enduring impact on industry. Technical report, IBM (2007)Google Scholar
  8. 8.
    Sackmann, S.: A reference model for process-oriented it risk management. In: 16th European Conference on Information Systems, ECIS 2008 (2008)Google Scholar
  9. 9.
    Al-Mashari, M.: Business process management - major challenges. Business Process Management Journal 8, 411–412 (2002)Google Scholar
  10. 10.
    Farquhar, B.: One approach to risk assessment. Computers and Security 10(10), 21–23 (1991)CrossRefGoogle Scholar
  11. 11.
    Fredriksen, R., Kristiansen, M., Gran, B.A., Stølen, K., Opperud, T.A., Dimitrakos, T.: The CORAS framework for a model-based risk management process. In: Anderson, S., Bologna, S., Felici, M. (eds.) SAFECOMP 2002. LNCS, vol. 2434, pp. 94–105. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Alberts, C., Dorofee, A., Stevens, J., Woody, C.: Introduction to the OCTAVE approach. Technical report, Carnegie Mellon - Software Engineering Institute, Pittsburgh, PA 15213-3890 (2003)Google Scholar
  13. 13.
    DCSSI: Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS) - Section 2 - Approach. General Secretariat of National Defence Central Information Systems Security Division, DCSSI (2004)Google Scholar
  14. 14.
    ISO/IEC: ISO/IEC 27005:2007, Information technology - Security techniques - Information security risk management (2007)Google Scholar
  15. 15.
    Sackmann, S.: Assessing the effects of it changes on it risk - a business process-oriented view. In: Multikonferenz Wirtschaftsinformatik (MKWI 2008), pp. 1137–1148. GITO-Verlag, Berlin (2008)Google Scholar
  16. 16.
    Asnar, Y., Giorgini, P.: Analyzing business continuity through a multi-layers model. In: Dumas, M., Reichert, M., Shan, M.-C. (eds.) BPM 2008. LNCS, vol. 5240, pp. 212–227. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  17. 17.
    Reijers, H.A., Limam, S., van der Aalst, W.M.P.: Product-based workflow design. J. Manage. Inf. Syst. 20(1), 229–262 (2003)Google Scholar
  18. 18.
    Eom, J.-H., Park, S.-H., Han, Y.-J., Chung, T.-M.: Risk assessment method based on business process-oriented asset evaluation for information system security. In: Shi, Y., van Albada, G.D., Dongarra, J., Sloot, P.M.A. (eds.) ICCS 2007. LNCS, vol. 4489, pp. 1024–1031. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    van der Aalst, W., van Hee, K.: Business process redesign: a petri-net-based approach. Computers in Industry 29, 15–26 (1996)CrossRefGoogle Scholar
  20. 20.
    van der Aalst, W.: The application of Petri nets to workflow management. The Journal of Circuits, Systems and Computers 8(1), 21–66 (1998)CrossRefGoogle Scholar
  21. 21.
    van der Aalst, W.: Process-oriented architectures for electronic commerce and interorganizational workflow. Information Systems 24(8), 639–671 (1999)CrossRefGoogle Scholar
  22. 22.
    zur Muehlen, M., Rosemann, M.: Integrating risks in business process models. In: ACIS 2005 Proceedings (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Stefan Fenz
    • 1
  • Andreas Ekelhart
    • 2
  • Thomas Neubauer
    • 2
  1. 1.Institute of Software Technology and Interactive SystemsVienna University of TechnologyViennaAustria
  2. 2.Secure Business AustriaViennaAustria

Personalised recommendations