Thursday, 6 January 2011

Annotated Bib.: A reference model for process-oriented IT risk management



[1] S. Sackmann. A reference model for process-oriented IT risk management. In the 16th European Conference on Information Systems (ECIS’08), Galway, Ireland, 2008.

This paper focuses on threats originating from IT and their influence on BPM, on the relevance of IT risks resulting from flexible business processes, and on integrating cause-effect relations into the typical risk management process, together with the extensions this requires.

The paper defines “IT risks” as a subset of “operational risks”, measured as the unanticipated losses that are determined by “the frequency” and “amount of losses”. It then shows the importance of IT in today’s organizations and explains how the increasing flexibility of business processes and their IT support challenges traditional methods for risk management.

The paper proposes a “layer-based IT Risk Reference Model” that provides an approach for modeling IT risks. Section 3 establishes the “IT Risk Reference Model”, modeling the relations between the causes of IT risks and their effects on business processes, and explains the four layers:
Layer 4: Business Process (BP): On this layer, parts of the business process are regarded as independent components, defined as enclosed activities that use at least one IT application for their realization.
Layer 3: IT Application / IT Infrastructure (AP): Assigning protection goals to IT applications allows the economic handling of IT risks to be brought together with the more technological handling.
Layer 2: Vulnerabilities (VN): The identified vulnerabilities are interpreted as independent “components” that can be associated with at least one IT application.
Layer 1: Threats (TH): This layer includes all known threats that are seen as causes of IT risks and, ideally, can be described with a probability of their occurrence.

Within these four layers, the relations between causes and effects can be modeled to address the needs of process-oriented IT risk management. This is done in the 4th section, “MODELING CAUSE & EFFECT RELATIONS FOR IT RISKS”. The 5th section then discusses extensions such as risk identification, risk quantification, risk treatment, and risk control.

This paper showed that the relations between the threats to IT (causes) and their implications for business process activities (effects) have to be modeled in a standardized and formal way. The IT Risk Reference Model proposed in this contribution reduces the complexity of the modeling challenge by defining four layers. It also establishes the IT Risk Reference Model as a framework that models the interdependent layers in the form of matrices and allows a formal description of the interdependencies between the separated layers according to a company’s requirements.
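To make the layer-and-matrix idea concrete, here is a small example I added (it is not code from the paper or from Sackmann). The four layers are represented as lists, the three relations between neighbouring layers as 0/1 matrices, and chaining the matrices yields the threat-to-process cause-effect matrix; all layer items, matrix entries and threat probabilities are constructed for illustration, and the independence assumption in process_exposure is mine, not the paper's.

```python
# Added example, not from the paper or the blog post: a toy instance of the
# four-layer IT Risk Reference Model. Layer items, relation matrices and
# probabilities below are constructed for illustration only.

# Layer 1: threats (TH), each with an assumed annual occurrence probability.
THREATS = {"TH1 phishing": 0.30, "TH2 disk failure": 0.10, "TH3 SQL injection": 0.05}
VULNS = ["VN1 weak auth", "VN2 no backup", "VN3 unvalidated input"]  # layer 2
APPS = ["AP1 CRM", "AP2 ERP"]                                        # layer 3
PROCS = ["BP1 order handling", "BP2 invoicing"]                      # layer 4

# Relation matrices between adjacent layers (1 = row item affects column item).
TH_VN = [[1, 0, 0], [0, 1, 0], [0, 0, 1]]  # threats x vulnerabilities
VN_AP = [[1, 0], [0, 1], [1, 1]]           # vulnerabilities x applications
AP_BP = [[1, 0], [1, 1]]                   # applications x business processes


def bool_matmul(a, b):
    """Boolean matrix product: a path exists if some intermediate item links both."""
    return [[int(any(a[i][k] and b[k][j] for k in range(len(b))))
             for j in range(len(b[0]))] for i in range(len(a))]


def cause_effect_matrix():
    """Threat x process matrix obtained by chaining the three layer relations."""
    return bool_matmul(bool_matmul(TH_VN, VN_AP), AP_BP)


def threats_hitting(process):
    """Which threats (causes) reach a given business process (effect)."""
    m = cause_effect_matrix()
    j = PROCS.index(process)
    return [t for i, t in enumerate(THREATS) if m[i][j]]


def process_exposure(process):
    """Probability that at least one threat reaching the process occurs in a year.
    Assumes threats occur independently (an assumption of this toy, not the paper)."""
    p_none = 1.0
    for t in threats_hitting(process):
        p_none *= 1 - THREATS[t]
    return round(1 - p_none, 4)


if __name__ == "__main__":
    for bp in PROCS:
        print(bp, "<-", threats_hitting(bp), "exposure:", process_exposure(bp))
```

Reading the matrices the other way round (column by column) answers the risk-treatment question of which vulnerability or application to fix to cut the most threat paths to a process.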

Relation to the research at hand: our research is concerned with security-aware BPM, and risk is one of the security aspects. This paper focuses more on IT risks and shows in detail how to model both the risk causes and their effects. The reference model proposed in this paper is structured and well defined, and looks at the problem from a different angle, treating the IT threats as the causes and the business processes as the place where the effects appear.
