• DocumentCode
    2873894
  • Title

    Integration of an Ontological Information Security Concept in Risk Aware Business Process Management

  • Author

    Goluch, Gernot ; Ekelhart, Andreas ; Fenz, Stefan ; Jakoubi, Stefan ; Tjoa, Simon ; Mück, Thomas

  • Author_Institution
    Secure Bus. Austria, Vienna
  • fYear
    2008
  • fDate
    7-10 Jan. 2008
  • Firstpage
    377
  • Lastpage
    377
  • Abstract
    The ability to prevent risks as well as to appropriately counteract occurring threats has increasingly become a crucial success factor. Traditional business process management provides concepts for the economical optimization of processes, while risk management focuses on the design of robust business processes. While aiming at the same goal, namely the improvement of business, the approaches to reaching it vary, due to a different understanding of improvement. Following this, optimizing recommendations of business process management and risk management may be contradictory. Therefore, we proposed a unified method, integrating both points of view to enable risk-aware business process management and optimization. In this paper, we briefly describe the ROPE (risk-oriented process evaluation) methodology and the security ontology concept, which provides a solid knowledge base for an applicable and holistic company-specific IT security approach. This heavy-weight ontology provides structured knowledge regarding the relations between threats, safeguards, and assets, which are crucial for modeling processes in ROPE. We show how the integration of the security ontology's knowledge base enhances the applicability of the ROPE methodology, leading to improved risk-aware business process management.
  • Keywords
    business data processing; ontologies (artificial intelligence); risk management; security of data; economical optimization; ontological information security; risk-aware business process management; risk-oriented process evaluation; Business continuity; Companies; Design optimization; Information security; Monitoring; Ontologies; Optimization methods; Resilience; Risk management; Robustness;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Hawaii International Conference on System Sciences, Proceedings of the 41st Annual
  • Conference_Location
    Waikoloa, HI
  • ISSN
    1530-1605
  • Type

    conf

  • DOI
    10.1109/HICSS.2008.211
  • Filename
    4439082