Quantifying Criticality of Dependability-Related IT Organization Processes in CobiT

With ever-growing complexity of computer and communication systems analytical methods do not scale, especially with respect to dependability assessment of information technology (IT) organization. Generic reference models can be used as an alternative to analytical approaches by focusing on transforming qualitative assessment into quantitative evaluation of IT organization. In this paper, we examine the reference models IT infrastructure library (ITIL) and the control objectives for information and related technology (CobiT) to derive a quantifiable concept for estimating the criticality of dependability-related IT organization processes in CobiT. After systematically analyzing ITIL processes and deriving properties that are relevant to dependability, those processes are mapped onto CobiT processes. Furthermore, we propose a process criticality index (PCI) which reflects the significance of each dependability-related process within a particular reference model. The PCI is based on the graph theory concept of betweenness centrality and uses a directed graph where nodes represent dependability-related processes and edges relations among them. Finally, using cycle and sequence analysis we are able to identify for every process which processes have to be implemented a priori. This provides an efficient strategy for implementing most significant processes first, according to the ranking based on the PCI.