A Quantitative Methodology for Security Risk Assessment of Enterprise Business Processes

Jaya Bhattacharjee, Anirban Sengupta, Chandan Mazumdar

Abstract

Business processes help to realize the business objectives of an enterprise. A security breach of a business process may lead to non-fulfilment of those objectives, loss of revenue, and possibly the shutdown of the corresponding business venture. Hence, it is important to ensure that the security properties of critical business processes are protected from attacks and failures. Effective protection mechanisms can be designed only after the security risks to business processes have been identified. However, existing methodologies mostly focus on the detection of risks to individual hardware, software, network and information assets; they do not cater to risks that are specific to business processes. This paper attempts to address this gap by describing a technique for identifying the components of a business process and quantitatively assessing their security risks.

Paper Citation


in Harvard Style

Bhattacharjee J., Sengupta A. and Mazumdar C. (2016). A Quantitative Methodology for Security Risk Assessment of Enterprise Business Processes. In Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-167-0, pages 388-399. DOI: 10.5220/0005739703880399


in Bibtex Style

@conference{icissp16,
author={Jaya Bhattacharjee and Anirban Sengupta and Chandan Mazumdar},
title={A Quantitative Methodology for Security Risk Assessment of Enterprise Business Processes},
booktitle={Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2016},
pages={388-399},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0005739703880399},
isbn={978-989-758-167-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 2nd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - A Quantitative Methodology for Security Risk Assessment of Enterprise Business Processes
SN - 978-989-758-167-0
AU - Bhattacharjee J.
AU - Sengupta A.
AU - Mazumdar C.
PY - 2016
SP - 388
EP - 399
DO - 10.5220/0005739703880399