Published in: Software and Systems Modeling 3/2019

13-02-2018 | Regular Paper

An integrated conceptual model for information system security risk management supported by enterprise architecture management

Authors: Nicolas Mayer, Jocelyn Aubert, Eric Grandry, Christophe Feltus, Elio Goettelmann, Roel Wieringa



Abstract

Risk management is today a major steering tool for any organisation wanting to deal with information system (IS) security. However, IS security risk management (ISSRM) remains a difficult process to establish and maintain, especially in a context of multiple regulations and complex, interconnected IS. We claim that a connection with enterprise architecture management (EAM) helps to address these issues. A first step towards a better integration of both domains is to define an integrated EAM-ISSRM conceptual model. This paper is about the elaboration and validation of this model. To do so, we enrich an existing ISSRM domain model, i.e. a conceptual model depicting the domain of ISSRM, with the concepts of EAM. The validation of the EAM-ISSRM integrated model is then performed with the help of a validation group assessing the utility and usability of the model.


Footnotes

1. Generalisation and Specialisation are opposite relations.
2. Assessment is defined in ArchiMate as the outcome of some analysis of some driver [20].
3. “The environment of a system includes developmental, technological, business, operational, organisational, political, economic, legal, regulatory, ecological and social influences” [25].
 
Literature

1. Symantec: Internet Security Threat Report, Volume 21 (2016)
2. PricewaterhouseCoopers: The Global State of Information Security Survey 2016 (2016)
3. Proper, H.A.: Enterprise Architecture—Informed steering of enterprises in motion. In: Proceedings of the 15th International Conference on Enterprise Information Systems (ICEIS) (2013)
4. Official Journal of the European Union: Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 (2009)
5. CSSF: Circulaire CSSF 12/544—Optimisation par une approche par les risques de la surveillance exercée sur les “PSF de support” (2012)
6. ISO/IEC 27001:2013: Information technology—Security techniques—Information security management systems—Requirements. International Organization for Standardization, Geneva (2013)
7. Mayer, N.: Model-based Management of Information System Security Risk. PhD Thesis, University of Namur, Namur, Belgium (2009)
8. ISO/IEC 27005:2011: Information technology—Security techniques—Information security risk management. International Organization for Standardization, Geneva (2011)
9. Zachman, J.A.: A framework for information systems architecture. IBM Syst. J. 26, 276–292 (1987)
10. Saha, P.: A Systemic Perspective to Managing Complexity with Enterprise Architecture, 1st edn. IGI Global (2013)
11. Op ’t Land, M., Proper, E., Waage, M., Cloo, J., Steghuis, C.: Positioning Enterprise Architecture. In: Enterprise Architecture, pp. 25–47. The Enterprise Engineering Series. Springer, Berlin, Heidelberg
12. Dubois, E., Heymans, P., Mayer, N., Matulevičius, R.: A systematic approach to define the domain of Information System Security Risk Management. In: Nurcan, S., Salinesi, C., Souveyet, C., Ralyté, J. (eds.) Int. Perspect. Inf. Syst. Eng., pp. 289–306. Springer, Berlin, Heidelberg (2010)
13. Mayer, N., Grandry, E., Feltus, C., Goettelmann, E.: Towards the ENTRI framework: Security Risk Management enhanced by the use of Enterprise Architectures. In: Advanced Information Systems Engineering Workshops. Springer, Berlin (2015)
14. Wieringa, R.J.: Design Science Methodology for Information Systems and Software Engineering. Springer, Berlin, Heidelberg (2014)
15. Chowdhury, M., Matulevičius, R., Sindre, G., Karpati, P.: Aligning mal-activity diagrams and security risk management for security requirements definitions. Requir. Eng. Found. Softw. Qual. 7195, 132–139 (2012)
16. Matulevičius, R., Mayer, N., Heymans, P.: Alignment of misuse cases with Security Risk Management. In: Proceedings of the 4th Symposium on Requirements Engineering for Information Security (SREIS’08), in conjunction with the 3rd International Conference on Availability, Reliability and Security (ARES’08), pp. 1397–1404. IEEE Computer Society (2008)
17. Matulevičius, R., Mayer, N., Mouratidis, H., Dubois, E., Heymans, P., Genon, N.: Adapting Secure Tropos for Security Risk Management during early phases of the information systems development. In: Proceedings of the 20th International Conference on Advanced Information Systems Engineering (CAiSE’08), pp. 541–555. Springer, Berlin (2008)
18. Altuhhova, O., Matulevičius, R., Ahmed, N.: Towards definition of secure business processes. In: Bajec, M., Eder, J. (eds.) Advanced Information Systems Engineering Workshops, pp. 1–15. Springer, Berlin, Heidelberg (2012)
19. Lankhorst, M. (ed.): Enterprise Architecture at Work: Modelling, Communication and Analysis. Springer, Berlin (2005)
20. The Open Group: ArchiMate® 2.1 Specification (2013)
21. The Open Group: TOGAF Version 9.1. Van Haren Publishing, The Netherlands (2011)
22. Vernadat, F.: Enterprise modeling in the context of enterprise engineering: state of the art and outlook. Int. J. Prod. Manag. Eng. 2, 57 (2014)
23. Peffers, K., Tuunanen, T., Rothenberger, M., Chatterjee, S.: A design science research methodology for information systems research. J. Manag. Inf. Syst. 24, 45–77 (2007)
24. Zivkovic, S., Kuhn, H., Karagiannis, D.: Facilitate modelling using method integration: an approach using mappings and integration rules. In: Proceedings of the 15th European Conference on Information Systems (ECIS 2007) (2007)
25. ISO/IEC/IEEE 42010:2011: Systems and software engineering—Recommended practice for architectural description of software-intensive systems. International Organization for Standardization, Geneva (2011)
26. ISO/IEC/IEEE 15288:2015: Systems and software engineering—System life cycle processes. International Organization for Standardization, Geneva (2015)
27. Buckl, S., Schweda, C.M.: On the State-of-the-Art in Enterprise Architecture Management Literature. Technische Universität München, München (2011)
29. van ’t Wout, J., Waage, M., Hartman, H., Stahlecker, M., Hofman, A.: The Integrated Architecture Framework Explained. Springer, Berlin, Heidelberg (2010)
30. Wahe, S.: Open Enterprise Security Architecture (O-ESA): A Framework and Template for Policy-Driven Security. Van Haren Publishing, Zaltbommel (2011)
31. IFIP-IFAC Task Force on Architectures for Enterprise Integration: GERAM: The Generalised Enterprise Reference Architecture and Methodology. In: Bernus, P., Nemes, L., Schmidt, G. (eds.) Handbook on Enterprise Architecture, pp. 21–63. Springer, Berlin, Heidelberg (2003)
32. Raymond, K.: Reference model of open distributed processing (RM-ODP): introduction. In: Raymond, K., Armstrong, L. (eds.) Open Distributed Processing, pp. 3–14. Springer, New York (1995)
33. Kruchten, P.B.: The 4+1 view model of architecture. IEEE Softw. 12, 42–50 (1995)
34. Mayer, N., Aubert, J., Grandry, E., Feltus, C., Goettelmann, E.: An Integrated Conceptual Model for Information System Security Risk Management and Enterprise Architecture Management based on TOGAF, ArchiMate, IAF and DoDAF. Technical Report. http://arxiv.org/abs/1701.01664 (2016)
35. Mayer, N., Aubert, J., Grandry, E., Feltus, C.: An integrated conceptual model for Information System Security Risk Management and Enterprise Architecture Management based on TOGAF. In: The Practice of Enterprise Modeling: 9th IFIP WG 8.1 Working Conference, PoEM 2016, Skövde, Sweden, pp. 353–361. Springer, Berlin (2016)
36. Schwartz, L., Grandry, E., Aubert, J., Watrinet, M.-L., Cholez, H.: Participative design of a security risk reference model: an experience in the healthcare sector. In: Proceedings of Short and Doctoral Consortium Papers Presented at the 8th IFIP WG 8.1 Working Conference on the Practice of Enterprise Modelling (PoEM 2015), pp. 1–10. CEUR Workshop Proceedings, Valencia, Spain (2015)
37. Mayer, N., Dubois, E., Matulevičius, R., Heymans, P.: Towards a measurement framework for Security Risk Management. In: Modeling Security Workshop (MODSEC ’08), 11th International Conference on Model Driven Engineering Languages and Systems (MODELS ’08), Toulouse, France (2008)
38. Genon, N.: Modelling Security during Early Requirements: Contributions to and Usage of a Domain Model for Information System Security Risk Management (2007)
39. Wynekoop, J.L., Russo, N.L.: Studying system development methodologies: an examination of research methods. Inf. Syst. J. 7, 47–65 (1997)
40. Brank, J., Grobelnik, M., Mladenić, D.: A survey of ontology evaluation techniques. In: Proceedings of the Conference on Data Mining and Data Warehouses (SiKDD) (2005)
41. Recker, J.C.: Conceptual model evaluation. Towards more paradigmatic rigor. In: Castro, J., Teniente, E. (eds.) CAiSE’05 Workshops, pp. 569–580. Porto, Portugal (2005)
42. Nielsen, J.: Usability Engineering. Morgan Kaufmann, Burlington (1994)
43. Cleeff, A.: Physical and Digital Security Mechanisms: Properties, Combinations and Trade-offs. University of Twente, Enschede (2015)
44. Brooke, J.: SUS—a quick and dirty usability scale. Usability Eval. Ind. 189, 4–7 (1996)
45. Tullis, T.S., Stetson, J.N.: A comparison of questionnaires for assessing website usability. Presented at the Usability Professionals’ Association Conference (2004)
46. Mayer, N.: A cluster approach to security improvement according to ISO/IEC 27001. In: Software Process Improvement, 17th European Conference, EuroSPI 2010
47. Mayer, N., Aubert, J.: Sector-specific tool for Information Security Risk Management in the context of telecommunications regulation (Tool Demo). In: Proceedings of the 7th International Conference on Security of Information and Networks, p. 85. ACM, New York, NY, USA (2014)
48. Lewis, J.R., Sauro, J.: The factor structure of the System Usability Scale. In: Kurosu, M. (ed.) Human Centered Design, pp. 94–103. Springer, Berlin, Heidelberg (2009)
49. Sauro, J.: A Practical Guide to the System Usability Scale: Background, Benchmarks & Best Practices. Measuring Usability LLC, Denver, CO (2011)
50. Bangor, A., Kortum, P., Miller, J.: Determining what individual SUS scores mean: adding an adjective rating scale. J. Usability Stud. 4, 114–123 (2009)
51. Band, I., Engelsman, W., Feltus, C., Paredes, S.G., Hietala, J., Jonkers, H., Massart, S.: Modeling Enterprise Risk Management and Security with the ArchiMate® Language. The Open Group (2015)
52. Barateiro, J., Antunes, G., Borbinha, J.: Manage risks through the Enterprise Architecture. In: 45th Hawaii International Conference on System Science (HICSS), pp. 3297–3306 (2012)
53. ISO 31000:2009: Risk management—Principles and guidelines. International Organization for Standardization, Geneva (2009)
54. Innerhofer-Oberperfler, F., Breu, R.: Using an Enterprise Architecture for IT Risk Management. Presented at the Information Security South Africa 6th Annual Conference (2006)
55. Ertaul, L., Sudarsanam, R.: Security planning using Zachman framework for enterprises. In: Proceedings of EURO mGOV 2005 (2005)
56. Sherwood, J., Clark, A., Lynas, D.: SABSA® Enterprise Security Architecture (2010)
57. Goldstein, A., Frank, U.: A language for multi-perspective modelling of IT security: objectives and analysis of requirements. In: La Rosa, M., Soffer, P. (eds.) Business Process Management Workshops, pp. 636–648. Springer, Berlin, Heidelberg (2013)
58. Goldstein, A., Frank, U.: Components of a multi-perspective modeling method for designing and managing IT security systems. Inf. Syst. E-Bus. Manag. 14, 101–140 (2016)
59. Lund, M.S., Solhaug, B., Stølen, K.: Model-Driven Risk Analysis: The CORAS Approach. Springer, Berlin, Heidelberg (2010)
60. Solhaug, B., Stølen, K.: The CORAS language—Why it is designed the way it is. In: Safety, Reliability, Risk and Life-Cycle Performance of Structures and Infrastructures, pp. 3155–3162. CRC Press (2014)
61. Grandry, E., Feltus, C., Dubois, E.: Conceptual integration of Enterprise Architecture Management and Security Risk Management. In: Enterprise Distributed Object Computing Conference Workshops (EDOCW), 17th IEEE International Enterprise Distributed Object Computing Conference, pp. 114–123 (2013)
62. Obrst, L., Ceusters, W., Mani, I., Ray, S., Smith, B.: The evaluation of ontologies. In: Baker, C.J.O., Cheung, K.-H. (eds.) Semantic Web, pp. 139–158. Springer, US (2007)
Metadata

Title: An integrated conceptual model for information system security risk management supported by enterprise architecture management
Authors: Nicolas Mayer, Jocelyn Aubert, Eric Grandry, Christophe Feltus, Elio Goettelmann, Roel Wieringa
Publication date: 13-02-2018
Publisher: Springer Berlin Heidelberg
Published in: Software and Systems Modeling / Issue 3/2019
Print ISSN: 1619-1366
Electronic ISSN: 1619-1374
DOI: https://doi.org/10.1007/s10270-018-0661-x
