Wednesday, 5 January 2011

Annotated Bib.: Integration of an Ontological Information Security Concept in Risk Aware Business Process Management



[1] G. Goluch, A. Ekelhart, S. Fenz, S. Jakoubi, S. Tjoa, and T. Mück. Integration of an ontological information security concept in risk aware business process management. In HICSS, page 377. IEEE Computer Society, 2008.

This paper describes the ROPE (Risk-Oriented Process Evaluation) methodology and the Security Ontology concept, which together combine the domains of BPM and Risk Management and enable risk-aware business process management.

The paper starts by showing how important the two domains (BPM and Risk Management) are, and how they have grown separately. It then briefly explains the stages of risk management and the BPM life cycle, showing the strengths and benefits of each world. Finally it shows how ROPE combines the strengths and benefits of both worlds: ROPE focuses on risk-aware business process modelling and simulation, and to reach its full potential it is combined with the Security Ontology, which covers the major aspects of the risk management domain.

In the second section, the authors explain the need for a "conceptual schema" for security, while section 3 explains the ROPE methodology. The methodology consists of four processes: the "re-engineering process", the "resource allocation process", the "workflow execution process", and the "performance evaluation process".

This paper focuses on the modelling and simulation of risk-aware business processes, which takes place in the first process (the re-engineering process). This process consists of five stages that lead to the targeted model, including the "criteria selection stage", "acquisition stage", "analysis stage" and "evaluation stage". The methodology makes use of two diagram techniques. The first, "CARE (Conditions, Actions, Resources and Environments)", is used to refine a business process activity into those four essential element types, where the relation between Actions, Resources and Environments is articulated by Conditions. The second, "TIP (Threat Impact Process)", is used to model the information related to the "behaviour of threats, countermeasures and recovery measures".

The final section is about a proof-of-concept prototype, developed to demonstrate how the ROPE concept could be realized by a toolset. It also shows the feasibility of ROPE and the added value when it is combined with the Security Ontology. The prototype was built from a "Security Ontology Web Service", the "Business Process Modelling Tool ADONIS" and a "Risk-Aware Business Process Simulation Engine", connected through an XML-based exchange format.

The paper concludes that ROPE combines the benefits of both domains, Risk Management and BPM, and lists some of the benefits of using ROPE to arrive at risk-aware BPM. The paper also states that ROPE is a generic concept and can be used for every type of BPM and security threat ("as long as it can be represented in a process-oriented way").

In relation to the research in hand, this paper presents a generic methodology that can be used to model and simulate risk in BPM. While our research is concerned with all security concepts, risk could be out of our scope, as it seems to be solved using the ROPE methodology. The methodology might also be investigated further, as it might be suitable for representing other security aspects in BPM models.
