Towards an Automated Business Process Model Risk Assessment: A Process Mining Approach

Panagiotis Dedousis, Melina Raptaki, George Stergiopoulos, Dimitris Gritzalis

2022

Abstract

Cybersecurity Risk Assessment reports (RAs) on an organization’s information systems are fundamental to supporting its entire information security management. Proper assessments do not restrict their analysis to the tangible assets of an information system (e.g., servers, personal computers, databases) but also delve into the company’s day-to-day business flows that utilize its information system. Business processes, whether internal (e.g., payments) or external (e.g., paid services or products offered to customers), must also be analyzed in terms of impact and threat exposure, an approach often termed “process-based risk assessment.” Most modern ISO 27000 methods and relevant tools include business flow models in their analysis, either as assets or as processes themselves. Process mining defines methods and techniques able to construct graphs that demonstrate the various business flows taking place in an information system. However, while process mining methods are of significant interest in general risk analysis, supply chain, and business restructuring, they seem to be neglected in cybersecurity risk assessments. In this paper, we propose an automated method for leveraging process mining to conduct faster and more thorough cybersecurity risk assessments. Our enhanced process mining creates graphs that incorporate weights from typical risk assessment methodologies and provide helpful information on risk and potential attack vectors for business-driven events by correlating the steps of the business processes depicted in the graph with the assets used to complete each step. We evaluate our approach and proof-of-concept tool by modeling a real-world company’s business flows and incorporating them into a risk assessment model to detect and analyze potential attack sources and their respective impact on everyday business work.
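The abstract describes mining a process graph from event data, attaching risk weights derived from a conventional risk assessment to each step, and correlating steps with the assets that execute them so that the exposure of a compromised asset can be traced through the business flow. The following is an added illustration of that idea, not the authors' method or tool: it mines a directly-follows graph from a small constructed event log, assigns each step the risk of the riskiest asset it depends on (using an assumed 1–5 likelihood × impact scale), weights graph edges by frequency and downstream step risk, and lists the steps that become exposed when a given asset is compromised. The event log, asset list, and scoring scale are all assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed event log: (case_id, activity, asset used to perform it).
# Illustrative data only; not taken from the paper.
EVENT_LOG = [
    ("c1", "Receive order", "web-portal"),
    ("c1", "Check credit", "crm-db"),
    ("c1", "Ship goods", "erp-server"),
    ("c1", "Send invoice", "erp-server"),
    ("c2", "Receive order", "web-portal"),
    ("c2", "Check credit", "crm-db"),
    ("c2", "Reject order", "crm-db"),
    ("c3", "Receive order", "web-portal"),
    ("c3", "Check credit", "crm-db"),
    ("c3", "Ship goods", "erp-server"),
    ("c3", "Send invoice", "erp-server"),
]

# Per-asset (likelihood, impact) on an assumed 1-5 scale, as a typical
# qualitative risk assessment would supply. Values are made up.
ASSET_RISK = {
    "web-portal": (4, 3),   # internet-facing, moderate impact
    "crm-db": (2, 5),       # internal, but holds customer data
    "erp-server": (3, 4),
}


def mine_dfg(log):
    """Mine a directly-follows graph from the event log.

    Returns (edges, activity_assets): edges maps (a, b) to the number of
    times activity b directly followed a within a case; activity_assets
    maps each activity to the set of assets it was performed on.
    """
    traces = defaultdict(list)
    for case, activity, asset in log:
        traces[case].append((activity, asset))
    edges = Counter()
    activity_assets = defaultdict(set)
    for steps in traces.values():
        for (a, _), (b, _) in zip(steps, steps[1:]):
            edges[(a, b)] += 1
        for activity, asset in steps:
            activity_assets[activity].add(asset)
    return dict(edges), dict(activity_assets)


def asset_risk(asset):
    """Classic likelihood x impact score for one asset."""
    likelihood, impact = ASSET_RISK[asset]
    return likelihood * impact


def step_risks(activity_assets):
    """Each process step inherits the risk of its riskiest supporting asset."""
    return {act: max(asset_risk(a) for a in assets)
            for act, assets in activity_assets.items()}


def risk_weighted_edges(edges, risks):
    """Edge weight = how often the transition happens x risk of the step it leads to,
    so frequent transitions into high-risk steps stand out in the graph."""
    return {(a, b): count * risks[b] for (a, b), count in edges.items()}


def exposed_steps(edges, activity_assets, compromised_asset):
    """Steps that use the compromised asset, plus every step reachable
    downstream of them in the mined graph (the business impact footprint)."""
    successors = defaultdict(set)
    for a, b in edges:
        successors[a].add(b)
    exposed = {act for act, assets in activity_assets.items()
               if compromised_asset in assets}
    stack = list(exposed)
    while stack:
        node = stack.pop()
        for nxt in successors[node]:
            if nxt not in exposed:
                exposed.add(nxt)
                stack.append(nxt)
    return exposed


if __name__ == "__main__":
    edges, activity_assets = mine_dfg(EVENT_LOG)
    risks = step_risks(activity_assets)
    for (a, b), w in sorted(risk_weighted_edges(edges, risks).items(), key=lambda kv: -kv[1]):
        print(f"{a!r} -> {b!r}: freq={edges[(a, b)]}, weighted risk={w}")
    for asset in ASSET_RISK:
        print(f"compromise of {asset}: exposes {sorted(exposed_steps(edges, activity_assets, asset))}")
```

Running the script prints the weighted transitions and, for each asset, the set of business steps an attacker reaching that asset could disrupt; in a real assessment the event log would come from the organization's systems and the asset scores from its own RA.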

Paper Citation


in Harvard Style

Dedousis P., Raptaki M., Stergiopoulos G. and Gritzalis D. (2022). Towards an Automated Business Process Model Risk Assessment: A Process Mining Approach. In Proceedings of the 19th International Conference on Security and Cryptography - Volume 1: SECRYPT, ISBN 978-989-758-590-6, pages 35-46. DOI: 10.5220/0011135600003283


in Bibtex Style

@conference{secrypt22,
author={Panagiotis Dedousis and Melina Raptaki and George Stergiopoulos and Dimitris Gritzalis},
title={Towards an Automated Business Process Model Risk Assessment: A Process Mining Approach},
booktitle={Proceedings of the 19th International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2022},
pages={35-46},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0011135600003283},
isbn={978-989-758-590-6},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 19th International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - Towards an Automated Business Process Model Risk Assessment: A Process Mining Approach
SN - 978-989-758-590-6
AU - Dedousis P.
AU - Raptaki M.
AU - Stergiopoulos G.
AU - Gritzalis D.
PY - 2022
SP - 35
EP - 46
DO - 10.5220/0011135600003283