In many domains, companies model and optimize their business processes to better manage the external value that comes from these business processes. Supporting the execution of corporate business processes with an optimal set of IT-investments (such as IT-systems and corresponding safeguards for their protection) is crucial for a company’s success.
However, existing Business Process Management approaches barely consider security and dependability objectives. Business processes and security issues are developed separately and often do not follow the same strategy. Growing business integration and legal requirements raise the need for secure business processes as security problems negatively affect profit and reputation of companies and their stakeholders.
Furthermore, current Business Process Management approaches do not integrate methods for the valuation and selection of optimal IT-investments. Thus, companies spend considerable amounts of resources on minimizing security breaches but often neglect efficient security measures and/or are not aware whether their investments are effective. While security safeguards are traditionally evaluated through a single (aggregated) criterion such as the return on investment, this may no longer suffice, as economic and legal requirements force management to pay more attention to security issues.
Our research focuses on the following issues:
- Development of methods that allow an integrated view of business process management and security. This approach provides top management in process-oriented enterprises with a stepwise methodology for the parallel and continuous development and improvement of business processes along with security issues over the whole business process life cycle.
- The extension of business process management methodologies with methods for the valuation, allocation, and selection of IT-investments (including IT-systems, security safeguards, and software components (COTS)) based on the requirements of the given corporate business processes and multiple objectives such as the minimization of resources and the maximization of business benefits. This extension allows decision makers in process-oriented organizations to interactively determine and continually optimize IT-investments while improving the awareness of the efficiency of their investments.
- Interactive support for decision makers in allocating security safeguards with respect to multiple objectives of the involved stakeholders with the tool “ATANA” (Alternative Analysis). This tool-supported approach integrates ideas from multiobjective decision making in a workshop environment. The stepwise procedure for the assessment and interactive selection of sets of security safeguards improves security awareness of top management while minimizing the resources required for implementing a proper security environment that meets a corporation’s needs.
Publications:
- Neubauer, Thomas; Klemen, Markus & Biffl, Stefan: Secure Business Process Management: A Roadmap; Proceedings of the International Conference on Availability, Reliability and Security (ARES’06); IEEE Computer Society; 2006.
- Neubauer, Thomas; Stummer, Christian & Weippl, Edgar: Workshop-based Multiobjective Security Safeguard Selection; Proceedings of the International Conference on Availability, Reliability and Security (ARES’06); IEEE Computer Society; 2006.
- Neubauer, Thomas & Stummer, Christian: Interactive Decision Support for multiobjective COTS Selection; Proceedings of the 40th Hawaii International Conference on Systems Science (HICSS’07); IEEE Computer Society; 2007.
- Neubauer, Thomas & Stummer, Christian: Entscheidungsunterstützung für die Auswahl von Softwarekomponenten bei mehrfachen Zielsetzungen; 8. Internationale Tagung Wirtschaftsinformatik; 2007.
- Neubauer, Thomas & Stummer, Christian: Extending Business Process Management to Determine Efficient IT Investments; Proceedings of the 22nd Annual ACM Symposium on Applied Computing (SAC’07); ACM Press; 2007.
Contact:
Thomas Neubauer – neubauer@securityresearch.at
