A Formal Approach Enabling Risk-Aware Business Process Modeling and Simulation

The effective, efficient and continuous execution of business processes is crucial for meeting entrepreneurial goals. Business process modeling and simulation are used to enable desired business process optimizations. However, current approaches mainly focus on economic aspects while security aspects are dealt with in separate initiatives. This missing interconnection may lead to significant differences in improvement suggestions, such as the differing valuation of security investments (e.g., redundancy of systems). The major contribution of this paper is the introduction of a formal model that is capable of expressing the relations between threats, detection mechanisms, safeguards, recovery measures and their effects on business processes. This novel business process simulation capability paves the way for the evaluation of security investments at process design stage by allowing the consideration of stochastic influences of the occurrence of threats on process activities and resources in a unified way. A stylized business case outlines how our method can be applied to real world scenarios.