A Collaborative Risk Management Framework for
Enterprise Architecture
Diana Marosin and Dirk van der Linden
CRP Henri Tudor, Luxembourg
Radboud University Nijmegen, the Netherlands
Email: {diana.marosin, dirk.vanderlinden}
Sergio Sousa
POST Technologies
Abstract—The occurrence of risks in an enterprise can result in differences between business goals and their realization. Risk management is a central activity in the design of an enterprise: risk assessment supports the identification of problems that expose the enterprise to risk, while risk treatment plans are drivers for enterprise engineering. Risk treatment plans are typically created in isolation, and are often informal. We deal with this problem by developing a collaborative risk management framework that involves all levels of an organization in conducting risk assessments and formalizing the treatment plans. We propose procedures to perform an integrated risk analysis, as well as metrics to deal with the collaborative aspect of risk management.
Keywords—Enterprise Architecture, Collaborative Risk Management, Risk Treatment Plan, Project Management
Enterprises seem to have a set of common drivers which they apply in order to gain advantages from Enterprise Engineering (EE) approaches (e.g. business-IT alignment, cost reduction, standardization, governance, agility, compliance regulations, risk management). Risk management helps an enterprise to achieve its objectives by taking decisions about uncertain elements, caused both by internal and external factors. Most risk management processes involve activities to establish the context of the organization, clarify what criteria should be used for establishing the significance of a risk, assess risks, and treat them via the selection of risk treatment options [1].
The focus of existing work is on providing tools and techniques to support risk assessment: CORAS [2] is a model-driven risk analysis approach that covers the whole risk management process and allows for the modelling of associated concepts. Asnar et al. [3], [4] presented a modelling and reasoning framework, the Tropos Goal-Risk Framework, which considers risk at an organizational level. Other goal-oriented modelling frameworks provide risk management capabilities, such as KAOS and its security extension [5], Misuse cases [6], Mal-activity diagrams [7], BPMN [8], the Secure-i* modelling framework [9], and Secure Tropos [10], [11].
Although the preceding approaches deal with risk treatment selection, their output remains a set of (generally disconnected) requirements or countermeasures related to the risks. Moreover, the plans, schedules, and costs of the risk treatments are not taken into account in the proposed formalisms. Our aim is to provide a mechanism that involves more stakeholders in the evaluation of risk and the selection of treatment plans, as different people might have different understandings of specific risks.
A first step in formalizing risk treatment plans, in particular mitigation and avoidance, was made by the authors in [12]. They present a formal framework, eATO (see footnote 1), which combines two methodologies (Attack-Defence-Trees from IT security [13], [14] and goal-oriented modelling) in order to aid decision making and to support a full analysis of enterprise plans. Furthermore, the framework gives the option to model and analyse multiple alternatives for the risk treatment plan. The eATO framework has thus provided a vocabulary and formal procedures to represent risk assessments and risk treatment plans in a coherent manner.
While eATO provides support for modelling a plan and the associated risks (and in doing so adds value to the classical quantitative/qualitative risk analysis and provides valuable support for decision making [12]), the framework has some problematic areas. Risk management should be performed at all levels of an organization, starting from the strategic level and refining the analysis down to the implementation level [15], [1], [16]. Information that is not communicated properly, or not communicated enough, makes the traceability of decisions taken at different levels of an organisation hard to obtain. Furthermore, the assessment and understanding of risks can differ as we move between different levels of the organisation. The occurrence and impact of the same risk can differ from department to department, based on the locally available information or simply on the experience of the stakeholders involved. This introduces a coherency misalignment between the layers of the organisation and negatively influences the organisation's ability to react. The consistency of the organisation over time is also affected. Therefore, by dealing with communication and collaboration aspects we aim to create a truly integrated tool, which will support enterprise risk management for all enterprise activities, at different levels of abstraction. Collaborative risk management enhances and extends enterprise risk management's focus on the crucial interaction of cross-functional and cross-organizational participation [17].
Communication is the most essential part of effective project management and risk management [18], [19]. Project teams, upper management, and executives should communicate in a crisp, concise, complete, correct, and timely fashion [20]. Collaboration itself is a joint effort of multiple individuals or work groups used to accomplish a common task or project, and to deliver outcomes that are not easily or effectively achieved by working alone. Collaborative relationships are attractive for organisations because the synergies realised by combining effort and expertise produce benefits greater than those achieved through individual effort [21], [22].
Footnote 1: The name of the framework signifies the three independent abstraction levels at which it operates: Actions, Threats and Opportunities, extended with the risk treatment (counter-measures) layer.
The rest of this paper is structured as follows. In Section II we recall the foundations of eATO. We introduce the running example in Section III. In Section IV we set the foundations of a collaborative framework. We present collaborative attribute domains (metrics) for our framework and introduce procedures for task assignment and delegation in Section V. Outputs of the framework are presented in Section VI. We conclude and set out lines for future work in Section VII.
The key starting point of our framework is Attack-Defence-Trees (ADT), which have been successfully used in IS Security to model an attacker's actions and their possible countermeasures [14], [13]. On the basis of the ADTs we introduced an iterative approach for decision making based on risk assessment. An ADT models security attacks and countermeasures using conjunctive, disjunctive and attack nodes. In our framework trees represent the enterprise's goals instead of attacks, and we introduce two additional notions: opportunity nodes and exclusive disjunctive nodes [12].
A plan of an enterprise architecture includes the stakeholders' (strategic) goals and the means to achieve them. Each goal is decomposed into sub-goals, the architectural principles the company should follow in order to achieve the goals, and the atomic actions that need to be taken. A plan can be represented as a tree. The root node represents a strategic goal of the stakeholders. The child nodes represent architectural principles or sub-goals. Each child of the tree can be refined as follows: a conjunctively refined node is satisfied if all of its children are fulfilled; a disjunctively refined node is satisfied if at least one of its children is fulfilled; an exclusively disjunctively refined node is satisfied if and only if exactly one of its children is fulfilled. Note that an exclusive refinement of a node represents a decision, since choosing one option automatically contradicts the other. A non-refined node of the tree is called a leaf. A leaf node represents one atomic phase of the planning. It can be an atomic action or a whole project.
In order to evaluate an eATO we define metrics and rules that are propagated from the evaluated nodes to the entire tree. The metrics are added in the form of attributes assigned to the different nodes, and the propagation rules are defined in a so-called “attribute domain”. An attribute domain contains functions to compute the different types of nodes, and also the influence of risks over actions and of countermeasures over risks. The mathematics behind the attribute domains is left out, as this paper aims at introducing work in progress.
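As an added illustration (not code from the paper or from the authors' tool), the following Python sketch encodes the four node kinds of Section II and evaluates one attribute bottom-up through an attribute domain. The benefit domain used here (sum for conjunctive nodes, maximum for disjunctive and exclusive ones) and the conjunctive refinements of the running example are assumptions; the leaf benefits are the evaluated values shown in Fig. 1.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Refinement kinds of an eATO node, as described in Section II.
AND, OR, XOR, LEAF = "and", "or", "xor", "leaf"


@dataclass
class Node:
    name: str
    refinement: str = LEAF
    children: List["Node"] = field(default_factory=list)
    fulfilled: Optional[bool] = None   # evaluated only for leaves
    benefit: int = 0                   # evaluated value, in k EUR, for leaves


def satisfied(node: Node) -> bool:
    """Satisfaction semantics: AND needs all children, OR at least one,
    XOR (a decision) exactly one; a leaf is satisfied when fulfilled."""
    if node.refinement == LEAF:
        return bool(node.fulfilled)
    results = [satisfied(c) for c in node.children]
    if node.refinement == AND:
        return all(results)
    if node.refinement == OR:
        return any(results)
    if node.refinement == XOR:
        return sum(results) == 1
    raise ValueError(f"unknown refinement {node.refinement!r}")


# An attribute domain: one combinator per refinement kind. This benefit
# domain is an assumption for the example; the paper leaves its own
# attribute-domain mathematics out.
AttributeDomain = Dict[str, Callable[[List[int]], int]]

BENEFIT_DOMAIN: AttributeDomain = {AND: sum, OR: max, XOR: max}


def propagate(node: Node, domain: AttributeDomain) -> int:
    """Compute an attribute bottom-up, from evaluated leaves to the root."""
    if node.refinement == LEAF:
        return node.benefit
    return domain[node.refinement]([propagate(c, domain) for c in node.children])


def archisurance_plan() -> Node:
    """Top part of the running example (Fig. 1). Leaf benefits are the
    evaluated values shown there; the AND refinements are assumed."""
    return Node("Profit", AND, [
        Node("data consistency", AND, [
            Node("create single source of data", benefit=350, fulfilled=False),
        ]),
        Node("cost reduction", AND, [
            Node("reduce infrastructure costs", benefit=550, fulfilled=True),
            Node("reduce personal costs", benefit=120, fulfilled=True),
        ]),
    ])


if __name__ == "__main__":
    plan = archisurance_plan()
    print("computed benefit at root (k EUR):", propagate(plan, BENEFIT_DOMAIN))
    print("plan satisfied:", satisfied(plan))
```

With the summing domain the computed values match the bold figures of Fig. 1 (670k for “cost reduction”, 1 020k at “Profit”); swapping the domain for a different combinator changes only the propagation, not the tree.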
The running example we use is a case study of the fictional
company ArchiSurance [23], [24] and its plan of achieving
profitability [12]. ArchiSurance faces a number of challenges
regarding its business processes and information systems as
the result of a merger between three previously independent
insurance companies. The board’s main driver is simply to
increase the “Profit” (see Fig.1). After analysing the current
situation the board decided that, in order to increase the profit,
the company needs to work on “data consistency” and “cost
reduction”. These goals are further refined into three actions:
“create a single source of data”, “reduction of infrastructure
costs”, and “reduce personal costs”. The different tasks are
assigned to different departments that are responsible for their
implementation. This is illustrated in the top part of Fig. 1.
At this stage the board evaluated the expected benefits and
threats linked to these tasks, and ended up with the attributes
displayed on a white background. Our running example will be
motivated and developed step by step in the remaining sections
of this paper.
In order to define the cATO we will tackle three dimensions of the problems detected in the eATO: information integration, information propagation and incentives generation. Note that the proposed cATO framework is a combination of individual eATOs running on different levels of the enterprise (or in different departments).
Information integration: Standalone documentation has
the problem that it tends to be forgotten, inconsistent, outdated,
and never consulted. The cATO should be integrated with
existing tools (e.g. Wikis, task managers) in order to keep
information consistent across different tools and provide extra
incentives for members of a company to use and update the
framework on a regular basis.
Information propagation: The second shortcoming of eATO that we will treat is the fact that information is stored in isolation, and not easily communicated between different levels of the organisation. Considering our running example (see Fig. 1), using only eATOs the board would come to the conclusion that “reducing the infrastructure costs” would bring them a benefit of €550k and that there is a low risk of a 1-week delay, whereas the IT Department would come to the conclusion that the expected benefit is indeed €550k but that there is a non-negligible risk of a 2-week delay due to the possibility of the main software developer leaving the company. The eATO does not define an automatic way to notify the stakeholders involved in upper layers of the information gathered by the different departments (concretely, the information on a grey background would not be presented to the board in an eATO). With the cATO we provide a mechanism to propagate the information gathered at the different organisational levels to the upper levels.
Incentives generation: The final challenge we face is to increase the motivation to use cATO by automatically generating useful documentation based on the information stored in its internal nodes. Users will be more motivated to provide all available information on their projects if the output of cATO in this regard proves to be useful and time saving.
[Fig. 1: “ArchiSurance” - Running example. Tree diagram (not reproduced): the board's plan “Profit” is refined into “data consistency” and “cost reduction”, which are in turn refined into “Create single source of data (DL)”, “Reduce infrastructure costs (DL)” and “Reduce personal costs”; the delegated sub-trees of the IT Department and IT Department / Infrastructure contain the nodes “Create common application (DL)”, “Create DB specifications (DL)”, “DB ready (DL)”, “Populate data”, “Develop app”, “Sell server”, the opportunity “Free server” and the threat “Main developer leaves the team” (PD: (M, 8w)). Legend: White: Evaluated values; Grey: Result from delegation; Bold: Computed values. Abbreviations: B: Benefit; PB: Probable Benefit; PD: Probable Delay; T: (time investment, deadline, task dependencies), see M3; DL: Deadlocked. Example attributes: “Reduce infrastructure costs” as evaluated by the board: B: 550k€, PD: (L, 1w); after delegation: B: 550k€, T: (7w, 10w, {create DB specs}), PD: (M, 2w), PB: (H, 20k€); computed: B: 670k€ for “cost reduction”, B: 1 020k€ for “Profit”.]
A. Integration with existing tools
Records management is a key driver in increasing organizational efficiency and offers significant business benefits. Records management means that not too much reliance is placed on the memories of a few individuals [15]. Wikis and task managers are some of the tools widely used in different organisations. Therefore, we propose to integrate these tools into our framework by adding meta-information to each node of a cATO.
A selected node automatically has a wiki page associated with it. This page can then be filled by the task owner with the different documents associated with that task (e.g. simple analyses of the problem, the specific implementation of the considered node). The goal is to have direct access to all the documentation available for a certain task without having to search through the entire wiki. We also propose to integrate the cATO with a task manager, adding to each node the information on which stage the task is currently in. Updating the status of a task is then possible through both the task manager and the cATO. This has the advantage that sharing all information on a task can be done by simply giving different collaborators access to the cATO.
Furthermore, the goal of a task manager is to keep track of the tasks' progress and status. A task has a certain life-cycle within which it evolves from stage to stage. The selection of a proper life-cycle is out of the scope of this paper, but in order to be fully integrated with the cATO the selected life-cycle needs to distinguish two kinds of states for the analysed task.
Uncommitted states: An uncommitted or analysis stage is a stage in which a task is placed when it is being analysed in order to detect its impact on the organisation. It is possible that a task in this stage will never be implemented, depending on the result of the analysis and the choices of the decision takers. Every uncommitted task should appear in the task manager of the task owner as an analysis request.
Committed states: A task in a committed stage was selected for implementation. In this case a plan is designed to fulfil the given task and actions have to be performed according to the committed plan. The task should appear as due work in the task manager of the task owner.
In order to fully benefit from the cATO, companies should define propagation rules for the task stages. The enterprise decides in which stage the parent and children are placed depending on the stage a task transitions to. Defining these rules is company specific. Examples could be: “if all committed sub-tasks of a given task are set to completed, set the task itself to completed as well” or “if a task is aborted, abort all sub-tasks”.
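The two kinds of states and the two example propagation rules above, worked through in Python as an added example (not the paper's tool). The concrete life-cycle (analysis, in progress, completed, aborted), the task owners and the parent/child arrangement of the running example's tasks are assumptions made for the example; the paper only requires that uncommitted tasks show up as analysis requests and committed ones as due work.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Stage(Enum):
    """Minimal life-cycle, assumed for this example."""
    ANALYSIS = "analysis"          # uncommitted: only being analysed
    IN_PROGRESS = "in progress"    # committed: selected for implementation
    COMPLETED = "completed"        # committed
    ABORTED = "aborted"            # committed


COMMITTED = {Stage.IN_PROGRESS, Stage.COMPLETED, Stage.ABORTED}


@dataclass
class Task:
    name: str
    owner: str
    parent: Optional[str] = None
    stage: Stage = Stage.ANALYSIS
    children: List[str] = field(default_factory=list)


class TaskManager:
    """Task records attached to cATO nodes, with the stage propagation rules."""

    def __init__(self, tasks: List[Task]) -> None:
        self.tasks: Dict[str, Task] = {t.name: t for t in tasks}
        for t in tasks:
            if t.parent is not None:
                self.tasks[t.parent].children.append(t.name)

    def set_stage(self, name: str, stage: Stage) -> None:
        self.tasks[name].stage = stage
        self._propagate(self.tasks[name])

    def _propagate(self, task: Task) -> None:
        # Rule from the text: "if a task is aborted, abort all sub-tasks".
        if task.stage is Stage.ABORTED:
            for child_name in task.children:
                child = self.tasks[child_name]
                if child.stage is not Stage.ABORTED:
                    child.stage = Stage.ABORTED
                    self._propagate(child)
        # Rule from the text: "if all committed sub-tasks of a given task are
        # set to completed, set the task itself to completed as well".
        # Uncommitted siblings are ignored; a parent with no committed
        # sub-task is never completed automatically.
        if task.parent is not None:
            parent = self.tasks[task.parent]
            committed = [self.tasks[c] for c in parent.children
                         if self.tasks[c].stage in COMMITTED]
            if (committed and parent.stage is not Stage.COMPLETED
                    and all(c.stage is Stage.COMPLETED for c in committed)):
                parent.stage = Stage.COMPLETED
                self._propagate(parent)

    def worklist(self, owner: str) -> List[Tuple[str, str]]:
        """What an owner sees: uncommitted tasks as analysis requests,
        committed and unfinished tasks as due work."""
        items = []
        for t in self.tasks.values():
            if t.owner != owner:
                continue
            if t.stage is Stage.ANALYSIS:
                items.append((t.name, "analysis request"))
            elif t.stage is Stage.IN_PROGRESS:
                items.append((t.name, "due work"))
        return items


def running_example() -> TaskManager:
    """Constructed from the running example: the board's task refined into
    two sub-tasks handled by IT. Owners are assumed for the example."""
    return TaskManager([
        Task("reduce infrastructure costs", owner="board"),
        Task("create common application", owner="software team",
             parent="reduce infrastructure costs"),
        Task("sell server", owner="infrastructure team",
             parent="reduce infrastructure costs"),
    ])
```

A task that is still in analysis never pulls its parent to completed, which keeps an uncommitted analysis request from being mistaken for finished work.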
Effective risk management depends to a high extent on metrics [25] that give insight into the severity of risks. In this section we present, in textual form, suggested metrics that support the collaborative aspects of risk assessment and treatment. We keep the mathematical formalism to a minimum, for ease of reading. We also briefly introduce recommendations for task delegation and assignment.
A. Metrics for collaborative risk assessment and treatment
Plans are often executed in multiple steps due to lack of
resources to perform every action in parallel or because certain
actions rely on the results of other actions. It is important to
introduce a notion of task dependencies in order to efficiently
represent the order in which tasks need to be performed and
to be able to analyse these dependencies and detect potential
threats resulting from these tight connections between tasks.
M1. (Task dependencies) The task dependencies of node n are defined as a tuple D_n = ({n_1, ..., n_d}), with n_1, ..., n_d being the tasks that need to be completed before n can be
Situations can occur where different co-workers are waiting for each other to complete their respective tasks in order to progress with their own. Considering the running example (see Fig. 1): on one hand, in order to “create a single source of data” the infrastructure section decided to wait for the software team to “create a common application”, such that they know the exact requirements of the database. On the other hand, the software development section decided to wait for the completion of the database before starting the development of the application. The teams are in a “deadlock” situation where both wait for each other and no real progress is made. Both teams seem to have a valid reason for waiting. In a real situation such a deadlock could be detected within a few days, after the two teams communicate their respective plans. By using the task dependency model we provide a way to detect possible “deadlock” situations as early as possible, avoiding delays.
M2. (Task deadlock) A task dependency graph of a task n can be obtained by recursively visiting all the nodes on which n depends (Fig. 2). Task n is said to be in a potential deadlock if it can find itself in its dependency graph. In such a case n should mark all the nodes on the path, and itself, as being part of a potential deadlock (Fig. 2.A). Furthermore, if a node depends directly on a deadlocked task, it should mark itself as deadlocked too (Fig. 2.B).
[Fig. 2: Task dependencies and deadlocks. Panel A: a task that occurs in its own dependency graph, with the nodes on the path marked as a potential deadlock. Panel B: a node that depends directly on a deadlocked task is marked as deadlocked too. (Figure not reproduced.)]
Besides deadlocks, other risks can occur due to task dependencies. Risk is also present whenever a project's objectives are unrealistic, such as short deadlines or insufficient resources [25]. Therefore, uncertainties can be associated with the outcomes of the project as well as with the ability to deliver the project on time, within budget and compliant with the specifications [15].
M3. (Time dependency) The time dependencies of node n are defined as a tuple T_n = (ti_n, d_n, D_n), with ti_n the time investment to complete task n without considering any dependencies, d_n the targeted deadline and D_n the task dependencies of task n.
Using the given definition, we can perform a sanity check and decide whether the given deadline for a task n is realistic iff max_{i ∈ D_n}(d_i) + ti_n ≤ d_n. This means that a deadline is realistic as long as the maximum deadline of the tasks it depends on, added to the time to be invested in the task itself, is within the given deadline. An alarm can be triggered if a task did not start before its deadline became unrealistic.
M4. (Total time investment) The total time investment totalti(n) is the time needed for parent p to complete its child n without taking into consideration external dependencies. Let ti_n be the time investment needed to complete solely n without considering any dependencies, let D_n be the dependencies of node n and let C be the set of children of p; then totalti(n) = ti_n + max_{i ∈ D_n ∩ C} totalti(i), where the maximum over an empty set is 0.
Let us consider the node “create single source of data” from our running example. In order to complete the action “populate data”, the action “create DB specification” needs to be performed first. In this case the time investment to “populate data” is 2 weeks and to complete “create DB” is 1 week, but since “populate data” needs to be performed after “create DB specification”, from the parent's perspective the total amount of time that needs to be invested in order to complete “populate data” is the sum of both time investments, so 3 weeks.
M5. (Probable delay) A task is considered to be threatened if in the worst case scenario (all threats occur) it is impossible to complete the task before its deadline. The time to complete n in the worst case scenario is computed as the maximum time needed to complete the children of n, summed with its own dependencies and the delays introduced by threats directly associated with it. If in the worst case scenario the time of completion is longer than the imposed deadline, the probable delay is computed as the difference between the completion time and the deadline.
It can happen that some unexpected events lead to benefits for the organization; such positive risks are called opportunities. From a time perspective an opportunity would be an event that could lead to achieving objectives sooner than
M6. (Probable time gain) An opportunity that is successfully taken is always profitable to the node it is associated with, since it reduces its time of execution. In order to know how a parent node is affected by opportunities that are taken by its children, we compute the maximum total time invested by the parent in order to complete the children in the best case scenario and compare it with the total time investment in case no opportunities are taken. The total time gain the parent node will have is the difference between the normal case and the best case scenario, summed with the time gained by taking its own opportunities.
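Metrics M1 to M6 carried through in Python, as an added example that is not code from the paper or from the authors' tool. Beyond the text, the completion-time function treats dependencies and children uniformly (a node finishes after everything it depends on and everything it is refined into), which is an assumption, as is the Task record with per-task threat delays and opportunity gains. All numbers are constructed except the 2-week and 1-week investments of “populate data” and “create DB specification”, which come from the text; parent nodes carry a time investment of 0 here.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Durations and deadlines are in weeks from the start of the plan.


@dataclass
class Task:
    ti: int                                            # time investment of the task alone
    deadline: int                                      # targeted deadline d_n
    deps: List[str] = field(default_factory=list)      # D_n, tasks completed first (M1)
    children: List[str] = field(default_factory=list)  # refinement of a parent node
    threat_delay: int = 0                              # delay if the task's own threats occur
    opportunity_gain: int = 0                          # weeks saved if its own opportunity is taken


Plan = Dict[str, Task]


def dependency_graph(plan: Plan, n: str) -> Set[str]:
    """Every task reached by recursively following the dependencies of n (M2)."""
    seen: Set[str] = set()
    stack = list(plan[n].deps)
    while stack:
        d = stack.pop()
        if d not in seen:
            seen.add(d)
            stack.extend(plan[d].deps)
    return seen


def potential_deadlocks(plan: Plan) -> Set[str]:
    """M2: a task that occurs in its own dependency graph is in a potential
    deadlock; a task depending directly on a deadlocked task is marked too."""
    locked = {n for n in plan if n in dependency_graph(plan, n)}
    locked |= {n for n in plan if any(d in locked for d in plan[n].deps)}
    return locked


def deadline_realistic(plan: Plan, n: str) -> bool:
    """M3 sanity check: max_{i in D_n}(d_i) + ti_n <= d_n."""
    t = plan[n]
    return max((plan[i].deadline for i in t.deps), default=0) + t.ti <= t.deadline


def total_ti(plan: Plan, parent: str, n: str) -> int:
    """M4: ti_n plus the largest totalti of a dependency of n that is a
    child of the same parent (0 when there is none)."""
    t = plan[n]
    siblings = set(plan[parent].children)
    return t.ti + max((total_ti(plan, parent, i) for i in t.deps if i in siblings), default=0)


def completion(plan: Plan, n: str, scenario: str = "normal",
               _path: Tuple[str, ...] = ()) -> int:
    """Weeks until n is complete: its own duration after all dependencies and
    children are done. 'worst' adds each task's threat delay (M5); 'best'
    subtracts each task's opportunity gain (M6)."""
    if n in _path:
        raise ValueError(f"potential deadlock involving {n!r}")
    t = plan[n]
    own = t.ti
    if scenario == "worst":
        own += t.threat_delay
    elif scenario == "best":
        own -= t.opportunity_gain
    before = max((completion(plan, m, scenario, _path + (n,))
                  for m in t.deps + t.children), default=0)
    return before + own


def probable_delay(plan: Plan, n: str) -> int:
    """M5: weeks by which n misses its deadline if all threats occur, else 0."""
    return max(0, completion(plan, n, "worst") - plan[n].deadline)


def probable_time_gain(plan: Plan, n: str) -> int:
    """M6: weeks gained at n when every opportunity below it is taken."""
    return completion(plan, n, "normal") - completion(plan, n, "best")


def schedulable(plan: Plan, n: str) -> bool:
    """False when the completion time of n cannot be computed (cycle)."""
    try:
        completion(plan, n)
        return True
    except ValueError:
        return False


# Constructed sub-plan loosely following Fig. 1 (values assumed, see lead-in).
PLAN: Plan = {
    "create single source of data": Task(ti=0, deadline=4,
                                         children=["create DB specification", "populate data"]),
    "create DB specification": Task(ti=1, deadline=2),
    "populate data": Task(ti=2, deadline=4, deps=["create DB specification"], threat_delay=2),
    "reduce infrastructure costs": Task(ti=0, deadline=10,
                                        children=["create common application", "sell server"]),
    "create common application": Task(ti=3, deadline=10, deps=["populate data"],
                                      threat_delay=8, opportunity_gain=1),
    "sell server": Task(ti=1, deadline=10, opportunity_gain=1),
}

# Constructed deadlock of Section V.A: each team waits for the other.
DEADLOCKED: Plan = {
    "DB ready": Task(ti=3, deadline=5, deps=["create common application"]),
    "create common application": Task(ti=3, deadline=4, deps=["DB ready"]),
    "develop app": Task(ti=2, deadline=8, deps=["create common application"]),
    "sell server": Task(ti=1, deadline=2),
}
```

Deadlock detection is run before any scheduling metric, since a cycle makes completion() undefined; schedulable() wraps that failure so a report generator can flag the node instead of aborting.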
B. Task delegation and assignment
The goals of the organisation are defined by the upper management, refined and assigned down the hierarchy and broken down into chunks that can be handled by individual members of the company. Of course the upper management can identify risks associated with their activities, but many more can be detected at the different levels of the enterprise. As already explained, even if eATO were used in the entire organisation, no mechanism exists to link the different eATO models together and report relevant risks and misalignments to the upper management. In order to overcome this problem we introduce the notion of delegation of tasks in the cATO.
Delegating a task in cATO (see Fig. 3) consists of associating a person with a node of the model. The assigned employee then has the possibility to either accept, reject or further delegate the task. Depending on the nature of the delegated node (uncommitted or committed), the responsibility of the assignee will be either to analyse or to implement the given task. When accepting the task, a new cATO model is automatically generated with a root node (goal) representing the delegated node. The benefit of this approach is that the results of the analysis can automatically be reported, in the form of additional information, to the upper management, where different tasks have been assigned to different departments.
Considering the task “reduce infrastructure costs”, the upper management initially assessed the risk of a potential delay to be low and evaluated it at 1 week; on the other hand, the IT department evaluated that there is a significant probability of a 2-week delay (marked in grey) due to the main developer leaving the company. Additional information on the timing, which could initially not be evaluated, is also provided to the board. This is only possible because there is now a direct link between the two cATOs, the one managed by the board and the one managed by the IT department.
Delegation should be a procedure that contains all the information needed to complete a task. If a delegated node has external dependencies associated with it that are treated by someone other than its newly designated owner, then the delegated node appears as part of an and-relation whose root is an assignment identifier. One of the children of this root node is the assigned task and the other children are its dependencies. The latter appear as being delegated, since they are under the responsibility of other members of the enterprise.
[Fig. 3: Delegating a task with dependencies. Diagram (not reproduced): the node “Reduce infrastructure costs” with its child “Create common application” is delegated through a dialogue reading “Task: Create common app... Assigned to: Software team” with the options Accept, Reject and Delegate; the resulting model shows “Create common application” alongside its dependency “Create DB specification”, which appears as delegated. Legend: White: Evaluated values; Grey: Result from delegation.]
The method we developed in this paper has the advantage, for project managers and for the board of an enterprise, that it automatically provides them with information from all organisational levels, and with a single point of entry where they can find all the documents related to the evolution of their enterprise's tasks. The next question that arises is how to motivate employees to actually deliver this information. Non-managerial staff might not have an interest in designing their own cATO since they do not directly benefit from the information they provide. In order to motivate them, we have to be able to produce an output that is worth the amount of effort they put into creating and maintaining the cATO.
One of the biggest burdens most workers suffer from is
documenting their work and keeping this documentation up-to-
date. By automatically generating documents from the cATO
we can compensate for the time consumed designing it. The
documents that can be automatically generated are as follows:
Risk Registry and Risk Matrix: One of the most common methods for sharing and discussing an enterprise's risks is using Excel-sheet-based risk registries and matrices (see Fig. 4). With the information provided in the cATO one can easily generate such documents. The first step is to assign, for each risk metric, a mapping from its quantitative value to a qualitative counterpart. After this mapping is done, one can automatically generate a risk registry, a risk matrix dealing with threats, and a risk matrix showing the opportunities for any of the nodes in the cATO. The person generating these documents can choose to generate them for their own projects, or to generate a full set of documentation, including risks identified by those responsible for any delegated or dependent tasks. It is important that the risk register does not become a static document. It should be treated as a dynamic element and considered to be the risk action plan for a unit or the organization as a whole [15]. Generating it from an up-to-date cATO when needed ensures that risk analyses are done on the latest available information.
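The quantitative-to-qualitative mapping and the registry and matrix generation described above, as an added Python example that is not part of the paper or its tool. The band cut-offs for likelihood and impact, the probabilities, and the two-week gain of the “Free server” opportunity are assumptions made for the example; the risk names, owners and countermeasures follow the rows recoverable from Fig. 4.

```python
from typing import Dict, List, Tuple

# Band cut-offs are assumptions for this example; the paper only requires
# that each quantitative metric be mapped to a qualitative counterpart.


def likelihood_band(probability: float) -> str:
    if not 0.0 <= probability <= 1.0:
        raise ValueError("probability must be in [0, 1]")
    return "L" if probability < 0.3 else "M" if probability < 0.7 else "H"


def impact_band(weeks: int) -> str:
    """Impact measured in weeks of delay (threats) or weeks gained (opportunities)."""
    return "L" if weeks <= 1 else "M" if weeks <= 4 else "H"


# Constructed entries following the rows of Fig. 4; probabilities are assumed.
RISKS: List[dict] = [
    dict(name="Main developer leaves the team", kind="threat", owner="IT / Software Team",
         task="Create common application", probability=0.5, impact_weeks=8,
         countermeasure="Hire", residual_probability=0.5, residual_impact_weeks=3),
    dict(name="Free server", kind="opportunity", owner="IT / Infrastructure",
         task="Reduce infrastructure costs", probability=0.8, impact_weeks=2,
         countermeasure="Sell server"),
]


def risk_registry(risks: List[dict]) -> List[Dict[str, str]]:
    """One registry row per risk, with the qualitative bands filled in."""
    rows = []
    for r in risks:
        row = {"name": r["name"], "type": r["kind"], "owner": r["owner"], "task": r["task"],
               "likelihood": likelihood_band(r["probability"]),
               "impact": impact_band(r["impact_weeks"]),
               "countermeasure": r.get("countermeasure", "")}
        if "residual_probability" in r:  # values once the countermeasure is applied
            row["residual likelihood"] = likelihood_band(r["residual_probability"])
            row["residual impact"] = impact_band(r["residual_impact_weeks"])
        rows.append(row)
    return rows


def risk_matrix(risks: List[dict], kind: str) -> Dict[Tuple[str, str], List[str]]:
    """3x3 grid keyed by (likelihood, impact) listing the risks of one kind."""
    grid: Dict[Tuple[str, str], List[str]] = {(l, i): [] for l in "LMH" for i in "LMH"}
    for r in risks:
        if r["kind"] == kind:
            grid[(likelihood_band(r["probability"]), impact_band(r["impact_weeks"]))].append(r["name"])
    return grid


def render_matrix(grid: Dict[Tuple[str, str], List[str]]) -> str:
    """Likelihood rows (H at the top), impact columns, number of risks per cell."""
    lines = ["likelihood \\ impact   L  M  H"]
    for l in "HML":
        counts = "  ".join(str(len(grid[(l, i)])) for i in "LMH")
        lines.append(f"{l:20s}  {counts}")
    return "\n".join(lines)


def deadlock_warnings(deadlocked: List[str]) -> List[Dict[str, str]]:
    """Warning rows like the one in Fig. 4, one per deadlocked task."""
    return [{"id": str(i), "type": "Deadlock",
             "comment": f"A possible deadlock has been detected involving {n}"}
            for i, n in enumerate(deadlocked, start=1)]


if __name__ == "__main__":
    for row in risk_registry(RISKS):
        print(row)
    print(render_matrix(risk_matrix(RISKS, "threat")))
    print(deadlock_warnings(["DB ready"]))
```

Keeping the cut-offs in two small functions is what makes the registry regenerable: when the enterprise changes its risk criteria (Section I), only the bands change and the documents are rebuilt from the same cATO data.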
Gantt Chart: By using cATO combined with the life-cycle integration (Section IV.A) and the time dependency metrics (Section V.A) we introduced, it is possible to always have an up-to-date Gantt chart (see Fig. 5). Considering that all tasks will be performed as soon as all the tasks they depend on have been fulfilled, and considering the evaluated time of execution, we can generate a Gantt chart associated with the normal execution of a plan. The chart associated with the worst case scenario is generated by assuming that all tasks will suffer from their threats and will be delivered in the best case on the day of their deadline. Finally, a chart for the best case scenario can also be generated by assuming that all tasks will be completed as soon as possible and that all opportunities will be taken.
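The three Gantt charts (normal, worst and best case) generated from task dependencies, as an added Python example that is not part of the paper or its tool. Each task starts as soon as all its dependencies end; the worst case is taken here to add every task's threat delay and the best case to subtract every opportunity gain, which is one reading of the text and an assumption. The task names follow the running example, every number is constructed.

```python
from typing import Dict, List, Tuple

# Constructed task list, in weeks. Names follow the running example; every
# value is an assumption for this example.
TASKS: Dict[str, dict] = {
    "create DB specification":   dict(ti=1, deadline=2,  deps=[],                          threat=0, opp=0),
    "populate data":             dict(ti=2, deadline=4,  deps=["create DB specification"], threat=2, opp=0),
    "create common application": dict(ti=3, deadline=10, deps=["populate data"],           threat=8, opp=1),
    "sell server":               dict(ti=1, deadline=10, deps=[],                          threat=0, opp=1),
}

SCENARIOS = ("normal", "worst", "best")


def duration(task: dict, scenario: str) -> int:
    """Normal: the evaluated time investment. Worst: every threat occurs.
    Best: every opportunity is taken."""
    if scenario == "worst":
        return task["ti"] + task["threat"]
    if scenario == "best":
        return max(0, task["ti"] - task["opp"])
    return task["ti"]


def schedule(tasks: Dict[str, dict], scenario: str) -> Dict[str, Tuple[int, int]]:
    """(start, end) per task; a task starts when all its dependencies have ended."""
    spans: Dict[str, Tuple[int, int]] = {}

    def end_of(name: str) -> int:
        if name not in spans:
            t = tasks[name]
            start = max((end_of(d) for d in t["deps"]), default=0)
            spans[name] = (start, start + duration(t, scenario))
        return spans[name][1]

    for name in tasks:
        end_of(name)
    return spans


def late_tasks(tasks: Dict[str, dict], scenario: str) -> List[str]:
    """Tasks whose end in the given scenario lies beyond their deadline."""
    return [n for n, (_, end) in schedule(tasks, scenario).items()
            if end > tasks[n]["deadline"]]


def render_gantt(tasks: Dict[str, dict], scenario: str) -> str:
    """One text row per task: '#' for each scheduled week, '|' at the deadline."""
    spans = schedule(tasks, scenario)
    horizon = max(max(e for _, e in spans.values()),
                  max(t["deadline"] for t in tasks.values()))
    lines = [f"{scenario} case, weeks 0..{horizon}"]
    for name, (start, end) in spans.items():
        cells = [" "] * (horizon + 1)
        for week in range(start, end):
            cells[week] = "#"
        cells[tasks[name]["deadline"]] = "|"
        lines.append(f"{name:27s} {''.join(cells)}  {start:2d}-{end:2d}")
    return "\n".join(lines)


if __name__ == "__main__":
    for s in SCENARIOS:
        print(render_gantt(TASKS, s))
        print("late:", late_tasks(TASKS, s), "\n")
```

The worst-case chart is the one worth checking first: with the constructed values both “populate data” and “create common application” overrun their deadlines there, while the normal and best cases meet every deadline.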
Collaborative risk management is supposed to enable enterprises to conduct a more accurate risk analysis and implement a more efficient risk treatment plan. Communication and collaboration, on one hand, enable an early identification of potential negative impacts of threats and, on the other hand, create transparency, common understanding and awareness among stakeholders. In this paper we have extended our previous work, eATO, into a collaborative risk management framework. Our framework, the cATO, involves all stakeholders in identifying risks and in evaluating and finding solutions for the risk treatment plans. It encourages dividing the analysis of the enterprise into sub-systems, where planning and control are the responsibility of the risk owners. In this paper, we avoided the mathematical formalism of the introduced metrics.
There are two additional directions that were not elaborated. Firstly, we will investigate how the data collected in a cATO can be represented in order to enable pattern detection. In doing so we intend to use historical data from cATO models in order to detect similarities between past and present situations. We could then suggest that the current task owner refer to the documentation available from previous projects, and one could also enumerate the risks that have previously been identified in similar tasks. Secondly, a Java based tool is currently under development. We intend to use it to conduct a survey in the industry. This will give insights about the usability and related benefits of using the cATO with regard to the modelling effort. We intend to extend the set of metrics with respect to the needs of the industry (e.g. ROI, (probable) benefits and costs).
[Fig. 4: “ArchiSurance” - generated risk registry and risk matrix. Recovered content of the generated registry (the matrix itself is not reproduced):
Threats (columns: Name, Risk Owner, Context, Comments, Likelihood, Impact, Countermeasure, Comments, Likelihood, Impact): Create Common; IT / Software Team; “Our main developer is thinking to take a job at IBM”; Likelihood M; Impact 8 weeks delay; Countermeasure: Hire; “We can launch a recruiting process in order to anticipate his departure”; Likelihood M; Impact 3 weeks delay.
Opportunities (columns: Name, Risk Owner, Context, Impact, Countermeasure / Action Taken, Comments, Likelihood, Impact): Free Server; IT / Infrastructure; “By virtualizing the infrastructure some servers might get unused”; Likelihood H; Action taken: Sell Server; “We can sell the server in order to gain some money out of it”.
Warnings (columns: Id, Type, Comment): 1; Deadlock; “A possible deadlock has been detected involving following - DB ready”.]
[Fig. 5: “ArchiSurance” - generated Gantt chart (not reproduced).]
[1] ISO 31000, Risk management - Principles and guidelines. Geneva: International Organization for Standardization, 2009.
[2] M. S. Lund, B. Solhaug, and K. Stølen, Model-Driven Risk Analysis - The CORAS Approach. Springer, 2011.
[3] Y. Asnar and P. Giorgini, “Modelling risk and identifying countermeasure in organizations,” in Proceedings of CRITIS ’06. Springer.
[4] Y. Asnar, R. Moretti, M. Sebastianis, and N. Zannone, “Risk as dependability metrics for the evaluation of business solutions: A model-driven approach,” in Proceedings of ARES ’08, 2008, pp. 1240–1247.
[5] N. Mayer, “Model-based management of information system security risk,” Ph.D. dissertation, University of Namur, 2009.
[6] R. Matulevičius, N. Mayer, and P. Heymans, “Alignment of misuse cases with security risk management,” in Proceedings of SREIS’08. IEEE Computer Society, 2008, pp. 1397–1404.
[7] M. J. M. Chowdhury, R. Matulevičius, G. Sindre, and P. Karpati, “Aligning mal-activity diagrams and security risk management for security requirements definitions,” in Requirements Engineering: Foundation for Software Quality, ser. LNCS, B. Regnell and D. Damian, Eds. Springer, Jan. 2012, no. 7195, pp. 132–139.
[8] O. Altuhhova and R. Matulevičius, “Security Risk Management using Business Process Modelling Notations.”
[9] L. Lin, E. Yu, and J. Mylopoulos, “Secure-I*: Engineering Secure Software Systems through Social Analysis,” Int. J. Software and Informatics, vol. 3, no. 1, pp. 89–120, 2009.
[10] R. Matulevičius, N. Mayer, H. Mouratidis, E. Dubois, P. Heymans, and N. Genon, “Adapting Secure Tropos for Security Risk Management during Early Phases of the Information Systems Development,” in Proceedings of CAiSE’08. Springer, 2008, pp. 541–555.
[11] R. Matulevičius, H. Mouratidis, N. Mayer, E. Dubois, and P. Heymans, “Syntactic and Semantic Extensions to Secure Tropos to Support Security Risk Management,” vol. 18, no. 6, pp. 816–844, Mar. 2012.
[12] S. Sousa, D. Marosin, K. Gaaloul, and N. Mayer, “Assessing Risks and Opportunities in Enterprise Architecture using an extended ADT Approach,” in EDOC13, D. Gasevic, Ed. IEEE Computer Society, September 2013, pp. 81–90.
[13] B. Kordy, S. Mauw, M. Melissen, and P. Schweitzer, “Attack-defense trees and two-player binary zero-sum extensive form games are equivalent,” in Proc. of GameSec’10. Springer, 2010, pp. 245–256.
[14] S. Mauw and M. Oostdijk, “Foundations of attack trees,” in ICISC 2005, LNCS 3935. Springer, 2005, pp. 186–198.
[15] P. Hopkin, Fundamentals of risk management: understanding, evaluating, and implementing effective risk management. The Institute of Risk Management, 2012.
[16] ISO 31010, Risk management - Risk assessment techniques. Geneva: International Organization for Standardization, 2009.
[17] A. J. Gallagher, “Collaborative Risk Management: “Risk management”
vs. “Managening risk”,” 2013.
[18] Washington State Department of Transportation, “Project Risk Manage-
ment Guidance for WSDOT Projects,” Tech. Rep., July 2010.
[19] G. Westerman, “IT Risk as a Language for Alignment,MIS Quarterly
Executive, vol. 8, no. 3, 2009.
[20] British Standards Institute, “The British Code of Practice for Risk
Management and Guidance for ISO31000,” 2011.
[21] A. T. Himmelman, “Collaboration for a Change: Definitions, decision-
making roles, and collaboration process guide,” 2002.
[22] R. Keast and M. P. Mandell, “What is collaboration?” 2009.
[23] J. Cummins and N. Doherty, “The economics of insurance intermedi-
aries,” The Journal of Risk and Insurance, vol. 73, no. 3, 2006.
[24] H. Jonkers, I. Band, and D. Quartel, “The ArchiSurance Case Study,”
The Open Group, White Paper, Spring 2012.
[25] T. Kendrik, “Defining and Implementing Metrics for Project Risk
Reduction,” 2005.
Conference Paper
Organizations are faced with an increased number of security-related challenges. Our research interest is on information security matters with our proposition being that enterprise architecture management (EAM) can support risk management (RM) and information security management (ISM) for instance by providing a plethora of information about an organization’s information assets. We conducted a literature review, which underlines our proposition. The pivotal question we aim to answer is how EAM, RM and ISM efforts can be integrated for “the greater good”, i.e., to achieve a facilitation of RM and ISM through the adoption of EAM. As a result, we present an integrated conceptual model which places our findings in the context of the well-established concepts defined in ISO-27001, ISO-31000 and ISO-42010.
Full-text available
Purpose: The purpose of this paper is to identify and analyse collaborative risk management (CRM) literature to establish its current position in supply chain risk management (SCRM) and propose an agenda for future research. Design/methodology/approach: A systematic literature review of 101 peer-reviewed articles over a 21-year period was employed to analyse literature and synthesise findings to clarify terminology, definitions, CRM capabilities, and underlying theory. Findings: CRM as a field of research is in its infancy and suffers from imprecise definitions, fragmented application of capabilities, and diverse theoretical foundations. The term CRM is identified as a more representative description of relational risk management arrangements. Six capabilities relevant to CRM are identified: risk information sharing, standardisation of procedures, joint decision making, risk and benefit sharing, process integration, and collaborative performance systems. Originality/value: The paper provides a new definition for CRM; proposes a holistic approach in extending collaboration to SCRM; identifies a new capability; and provides a range of theories to broaden the theoretical scope for future research on CRM.
Full-text available
Business process modelling is one of the major aspects in the modern information system development. Recently business process model and notation (BPMN) has become a standard technique to support this activity. Typically the BPMN notations are used to understand enterprise's business processes. However, limited work exists regarding how security concerns are addressed during the management of the business processes. This is a problem, since both business processes and security should be understood in parallel to support a development of the secure information systems. In the previous work we have analysed BPMN with respect to the domain model of the IS security risk management (ISSRM) and showed how the language constructs could be aligned to the concepts of the ISSRM domain model. In this paper the authors propose the BPMN extensions for security risk management based on the BPMN alignment to the ISSRM concepts. We illustrate how the extended BPMN could express assets, risks and risk treatment on few running examples related to the Internet store regarding the asset confdentiality, integrity and availability. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defned through business processes. The paper opens the possibility for business and security model interoperability and the model transformation between several modelling approaches (if these both are aligned to the ISSRM domain model).
Full-text available
The need to consider security from the early stages of the development pro-cess of information systems has been argued by academics and industrialists alike, and security risk management has been recognised as one of the most prominent techniques for eliciting security requirements. However, although existing security modelling lan-guages provide some means to model security aspects, they do not contain concrete constructs to address vulnerable system assets, their risks, and risk treatments. Fur-thermore, security languages do not provide a crosscutting viewpoint relating all three – assets, risks and risk treatments – together. This is problematic since, for a security analyst, it is difficult to detect what the potential security flaws could be, and how they need to be fixed. In this paper, we extend the Secure Tropos language, an agent-and goal-oriented security modelling language to support modelling of security risks. Based on previous work, where we had observed some inadequacies of this language to model security risks, this paper suggests improvements of Secure Tropos semantics and syntax. On the syntax level we extend the concrete and abstract syntax of the lan-guage, so that it covers the security risk management domain. On the semantic level, we illustrate how language constructs need to be improved to address the three dif-ferent levels of security risk management. The suggested improvements are illustrated with the aid of a running example, called eSAP, from the healthcare domain.
Conference Paper
Full-text available
Attack-defense trees are used to describe security weaknesses of a system and possible countermeasures. In this paper, the connection between attack-defense trees and game theory is made explicit. We show that attack-defense trees and binary zero-sum two-player extensive form games have equivalent expressive power when considering satisfiability, in the sense that they can be converted into each other while preserving their outcome and their internal structure.
Conference Paper
Full-text available
[Context and motivation] Security engineering is one of the important concerns during system development. It should be addressed throughout the whole system development process. There are several languages for security modelling that help dealing with security risk management at the requirements stage. [Question/problem] In this paper, we are focusing on Mal-activity diagrams that are used from requirement engineering to system design stage. More specifically we investigate how this language supports information systems security risks management (ISSRM). [Principal ideas/results] The outcome of this work is an alignment table between the Mal-activity diagrams language constructs to the ISSRM domain model concepts. [Contribution] This result may help developers understand how to model security risks at the system requirement and design stages. Also, it paves the way for interoperability between the modelling languages that are analysed using the same conceptual framework, thus facilitating transformation between these modelling approaches.
Conference Paper
Full-text available
At every step in creating an enterprise design, architects encounter risks and opportunities. In most cases, risk assessment and treatment is done using the company's internal methodology or based on some best-practices known by the architect. We propose a method that can combine both qualitative and quantitative risk analysis and also incorporate risk mitigation solutions. In IT security, attack-defence trees (ADT) were used successfully to represent attacks and counter-measures. The goal of this paper is to leverage the ADT approach in order to assess risks and opportunities in enterprise architecture. To that end, we elaborate a framework to identify the best ways to mitigate risks and increase an enterprise's profitability based on architectural principles. This framework will be validated with a practical case study from the insurance sector.
Conference Paper
Full-text available
Security is a major target for today’s information systems (IS) designers. Security modelling languages exist to reason on security in the early phases of IS development, when the most crucial design decisions are made. Reasoning on security involves analysing risk, and effectively communicating risk-related information. However, we think that current languages can be improved in this respect. In this paper, we discuss this issue for Secure Tropos, the language supporting the eponymous agent-based IS development. We analyse it and suggest improvements in the light of an existing reference model for IS security risk management. This allows for checking Secure Tropos concepts and terminology against those of current risk management standards, thereby improving the conceptual appropriateness of the language. The paper follows a running example, called eSAP, located in the healthcare domain.
Conference Paper
Full-text available
Attack trees have found their way to practice because they have proved to be an intuitive aid in threat analysis. Despite, or perhaps thanks to, their apparent simplicity, they have not yet been provided with an unambiguous semantics. We argue that such a formal interpretation is indispensable to precisely understand how attack trees can be manipulated during construction and analysis. We provide a denotational semantics, based on a mapping to attack suites, which abstracts from the internal structure of an attack tree, we study transformations between attack trees, and we study the attribution and projection of an attack tree. Keywordsattack trees-semantics-threat analysis
Conference Paper
Full-text available
The analysis of business solutions is one of critical is- sues in industry. Risk is one of the most preeminent and accepted metrics for the evaluation of business solutions. Not surprisingly, many research efforts have been devoted to develop risk management frameworks. Among them, Tro- pos Goal-Risk offers a formal framework for assessing and treating risks on the basis of the likelihood and severity of failures. In this paper, we extend the Tropos Goal-Risk to assess and treat risks by considering the interdependency among actors within an organization. To make the discus- sion more concrete, we apply the proposed framework for analysis of the risks within manufacturing organizations.
The term "risk" is known from many fields, and we are used to references to contractual risk, economic risk, operational risk, legal risk, security risk, and so forth. We conduct risk analysis, using either offensive or defensive approaches to identify and assess risk. Offensive approaches are concerned with balancing potential gain against risk of investment loss, while defensive approaches are concerned with protecting assets that already exist. In this book, Lund, Solhaug and Stolen focus on defensive risk analysis, and more explicitly on a particular approach called CORAS. CORAS is a model-driven method for defensive risk analysis featuring a tool-supported modelling language specially designed to model risks. Their book serves as an introduction to risk analysis in general, including the central concepts and notions in risk analysis and their relations. The authors' aim is to support risk analysts in conducting structured and stepwise risk analysis. To this end, the book is divided into three main parts. Part I of the book introduces and demonstrates the central concepts and notation used in CORAS, and is largely example-driven. Part II gives a thorough description of the CORAS method and modelling language. After having completed this part of the book, the reader should know enough to use the method in practice. Finally, Part III addresses issues that require special attention and treatment, but still are often encountered in real-life risk analysis and for which CORAS offers helpful advice and assistance. This part also includes a short presentation of the CORAS tool support. The main target groups of the book are IT practitioners and students at graduate or undergraduate level. They will appreciate a concise introduction into the emerging field of risk analysis, supported by a sound methodology, and completed with numerous examples and detailed guidelines. © Springer-Verlag Berlin Heidelberg 2011. All rights are reserved.