Cloud-Based Business Process Security Risk Management: A Systematic Review, Taxonomy, and Future Directions

Computers ◽  
2021 ◽  
Vol 10 (12) ◽  
pp. 160
Author(s):  
Temitope Elizabeth Abioye ◽  
Oluwasefunmi Tale Arogundade ◽  
Sanjay Misra ◽  
Kayode Adesemowo ◽  
Robertas Damaševičius

Despite the attractive benefits of cloud-based business processes, security issues, cloud attacks, and privacy are some of the challenges that prevent many organizations from using this technology. This review seeks to determine the level of integration of the security risk management process at each phase of the Business Process Life Cycle (BPLC) for securing cloud-based business processes; the usage of an existing risk analysis technique as the basis of a risk assessment model; the usage of security risk standards; and the classification of cloud security risks in a cloud-based business process. In light of these objectives, this study presents an exhaustive review of the current state-of-the-art methodology for managing cloud-based business process security risk. Eleven electronic databases (ACM, IEEE, Science Direct, Google Scholar, Springer, Wiley, Taylor and Francis, IEEE cloud computing Conference, ICSE conference, COMPSAC conference, ICCSA conference, Computer Standards and Interfaces Journal) were used for the selected publications. A total of 1243 articles were found. After applying the selection criteria, 93 articles were selected, of which 17 articles were found eligible for in-depth evaluation. For the results of the business process lifecycle evaluation, 17% of the approaches integrated security risk management into one of the phases of the business process, while the others did not. For the domain assessment of risk management, three key indicators (domain applicability, use of existing risk management techniques, and integration of risk standards) were used to substantiate our findings. The evaluation result for domain applicability showed that 53% of the approaches had been test-run in real time, thereby making these works reusable. 
The result of the usage of existing risk analysis showed that 52.9% of the authors implemented their work using existing risk analysis techniques while 29.4% of the authors partially integrated security risk standards into their work. Based on these findings and results, security risk management, the usage of existing security risk management techniques, and security risk standards should be integrated with business process phases to protect against security issues in cloud services.

2015 ◽  
pp. 897-919
Author(s):  
Olga Altuhhov ◽  
Raimundas Matulevičius ◽  
Naved Ahmed

Business process modelling is one of the major aspects of modern information system development. Recently, Business Process Model and Notation (BPMN) has become a standard technique to support this activity. Typically, BPMN notations are used to understand an enterprise's business processes. However, limited work exists regarding how security concerns are addressed during the management of business processes. This is a problem, since both business processes and security should be understood in parallel to support the development of secure information systems. In previous work we have analysed BPMN with respect to the domain model of IS security risk management (ISSRM) and showed how the language constructs could be aligned to the concepts of the ISSRM domain model. In this paper the authors propose BPMN extensions for security risk management based on the alignment of BPMN to the ISSRM concepts. We illustrate how the extended BPMN could express assets, risks and risk treatment on a few running examples related to an Internet store, regarding asset confidentiality, integrity and availability. Our proposal would allow system analysts to understand how to develop security requirements to secure important assets defined through business processes. The paper opens the possibility of business and security model interoperability and of model transformation between several modelling approaches (if both are aligned to the ISSRM domain model).



2019 ◽  
Vol 191 (1) ◽  
pp. 5-25
Author(s):  
Mariusz Falkowski Falkowski ◽  
Michal Liberek

The purpose of this article is to present selected aspects of risk management in the context of safety issues when organizing mass events. The article deals with the issue of terrorist attacks during sports events that have taken place in the modern world. Additionally, selected risk management techniques are discussed and examples of their application when organizing safe mass events are presented. The abovementioned techniques are characterized using the example of the organization of EURO 2012.


2018 ◽  
pp. 964-979
Author(s):  
Jaya Bhattacharjee ◽  
Anirban Sengupta ◽  
Mridul Sankar Barik ◽  
Chandan Mazumdar

An enterprise is characterized by its business processes and supporting ICT infrastructure. Securing these entities is of utmost importance for the survival of an enterprise and continuity of its business operations. In order to secure them, it is important to first detect the risks that can be realized to cause harm to those entities. Over the years, several kinds of security risk analysis methodologies have been proposed. They cater to different categories of enterprise entities and consider varying levels of detail during risk analysis. An enterprise often finds it difficult to select a particular method that will best suit its purpose. This paper attempts to address this problem by presenting a detailed study of existing risk analysis methodologies. The study classifies them into specific categories and performs comparative analyses considering different parameters addressed by the methodologies, including asset type, vulnerabilities, threats, and security controls.


2014 ◽  
Vol 926-930 ◽  
pp. 4105-4109
Author(s):  
Xiao Li Cao

With the spread of the Internet and the continuing advance of global informatization, organizational information systems have become an important strategic resource for survival, and the importance of protecting their information security has drawn widespread concern. Once the information security of an organization's information system is compromised, the loss of its security attributes would severely affect the organization's business operations; the losses are not only economic but may also damage the organization's image and reputation, and may even be fatal to its strategic competitive advantage. However, existing information security risk management approaches for information systems treat risk analysis and assessment in isolation from the specific organizational environment and business context, lack an analysis and description of how risks form, consider only "technical" factors in security decisions, and fail to fully express how a number of decisions achieve the desired goals of organizational decision-making. Therefore, carrying out information security risk management for information systems is essential.


2015 ◽  
pp. 788-808
Author(s):  
Mouna Jouini ◽  
Latifa Ben Arfa Rabai

Cloud computing is a growing technology used by many organizations because it presents a cost-effective policy to manage and control Information Technology (IT). It delivers computing services as a public utility rather than a personal one. However, despite these benefits, it presents many challenges, including access control and security problems. In order to assess security risks, the paper gives an overview of security risk management metrics. Then, it illustrates the use of a cyber security measure to describe an economic security model for cloud computing systems. Moreover, it proposes a cloud provider business model for security issues. Finally, the paper shows a solution related to the vulnerabilities in cloud systems using a new quantitative metric to reduce the probability that an architectural component fails. The main aim of this article is to quantify security threats in cloud computing environments due to security breaches using a new security metric.


2019 ◽  
Vol 6 (2) ◽  
pp. 1-9
Author(s):  
Ayush Gupta

Information security is a big concern for the survival of enterprises. In all contexts and forms, it is imperative to provide adequate safeguards and measures to manage the risk arising from the flow of information and data. The business models of organizations are highly dependent on the flow of information during business processes. The management of information security has several perspectives. In this paper, the legal, quality and human resource perspectives are discussed. The Information Security Risk Management Model must balance these perspectives to optimize the value derived from it.

